-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /inst.php?fff="; flow:to_server,established; http_uri; content:"/inst.php?fff=",nocase; content:"coid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16924.html; classtype:trojan-activity; sid:16924; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent ErrCode - W32/Fujacks.htm"; flow:established,to_server; http_header; content:"User-Agent|3A| ErrCode"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=141161; reference:url,www.virustotal.com/latest-report.html?resource=f9dc0803ea4634256eae73b2db61a3c5; classtype:trojan-activity; sid:18247; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent wget 3.0"; flow:to_server,established; http_header; content:"User-Agent|3A 20|wget|20 33 2E 30 0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=a860efad636dba6ee1d270a1238a559c; classtype:trojan-activity; sid:19175; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string STORMDDOS - Backdoor.Win32.Inject.ctt"; flow:to_server,established; http_header; content:"User-Agent|3A 20|STORMDDOS"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=eb85f7ec383b4e76046cfbddd183d592; classtype:trojan-activity; sid:19480; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string ErrorFix"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Error|20|Fix"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=f93aae75c25ae232a68f13e3b579f2ea; classtype:trojan-activity; sid:19482; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious uri config.ini on 3322.org domain"; flow:to_server,established; http_uri; content:"/config.ini"; http_header; content:"3322|2E|org"; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f72abdad67d82e60386896efdbf84f2f7b560b54c161fb56033224882c51c220-1306543267; classtype:trojan-activity; sid:19493; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string MacProtector"; flow:to_server,established; http_header; content:"User-Agent|3A 20|MacProtector"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file-scan/report.html?id=22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466-1304566748; classtype:trojan-activity; sid:19589; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - pte.aspx?ver="; flow:established,to_server; http_uri; content:"/pte.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/pte\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19622; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - vic.aspx?ver="; flow:established,to_server; http_uri; content:"/vic.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/vic\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19623; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - .sys.php?getexe="; flow:established,to_server; http_uri; content:".sys.php?getexe=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=ba84f21b6f1879c2d6ce7c600cfb077cee4a172c8e0711e4ce67b32d1b315e82-1310972138; classtype:trojan-activity; sid:19625; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /setup_b.asp?prj="; flow:established,to_server; http_uri; content:"/setup_b.asp?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/setup_b\.asp\?prj=\d\x26pid=[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f99c0b916ad6fea6888fb5029bbf9b7807d0879298efd896298e54f273234cbe-1311680767; classtype:trojan-activity; sid:19626; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /r_autoidcnt.asp?mer_seq="; flow:established,to_server; http_uri; content:"/r_autoidcnt.asp?mer_seq=",nocase; content:"&mac=",nocase; pcre:"/\/r_autoidcnt\.asp\?mer_seq=\d[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d8f85e320f2841da5319582ea1020f12e622def611728e5eb076477e3f0aa3b2-1311733307; classtype:trojan-activity; sid:19627; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /1cup/script.php"; flow:established,to_server; http_uri; content:"/1cup/script.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=93ae95010d79fbd56f59ee74db5758d2bef5cde451bbbfa7be80fee5023632b5-1310268536; classtype:trojan-activity; sid:19628; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - AnSSip="; flow:established,to_server; http_uri; content:"|26|AnSSip=",nocase; pcre:"/\/\?id=\d+\x26AnSSip=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=dd947d749f836851d8878b5d31dacb54110b4c4cafd7ebe8421dbe911a83d358-1309594430; classtype:trojan-activity; sid:19631; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/adduser.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/adduser.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/adduser\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19632; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/tasks.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/tasks.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/tasks\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19633; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /app/?prj="; flow:established,to_server; http_uri; content:"/app/?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/app\/\?prj=\d\x26pid=[^\r\n]+\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=444383f00dfb73927bf8835d6c847aa2eba24fe6f0266f397e42fae186d53009-1311274513; classtype:trojan-activity; sid:19635; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /blog/images/3521.jpg?v"; flow:established,to_server; http_uri; content:"/blog/images/3521.jpg?v",nocase; content:"&tq=",nocase; pcre:"/\/blog/images/3521\.jpg\?v\d{2}=\d{2}\x26tq=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=adcf7ecf750059f9645dc9dc807f0d1f84df23f03096e41d018edcad725057b1-1311932651; classtype:trojan-activity; sid:19636; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /install.asp?mac="; flow:established,to_server; http_uri; content:"/install.asp?mac=",nocase; content:"&mode",nocase; pcre:"/\/install\.asp\?mac=[A-F\d]{12}\x26mode/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f0e9e420544f116948b8dfd3d1ed8d156d323684fa6bd58cc87c0ee49320a21c-1311748537; classtype:trojan-activity; sid:19637; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /kx4.txt"; flow:established,to_server; http_uri; content:"/kx4.txt",depth 8,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=1fba1aab5d68fea2d2f0386c63b108d389c2b93d0fbc08ff6071497bb7fb6e1d-1311866840; classtype:trojan-activity; sid:19638; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Opera/8.89 - P2P-Worm.Win32.Palevo.ddm"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Opera|2F|8|2E|89"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=bc58e841f8a43072da7b3c7647828cb8; classtype:trojan-activity; sid:19756; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /games/java_trust.php?f="; flow:established,to_server; http_uri; content:"/games/java_trust.php?f="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blogs.paretologic.com/malwarediaries/index.php/tag/zeus-bot-canada/; classtype:trojan-activity; sid:19778; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /160.rar - Win32/Morto.A"; flow:to_server,established; http_uri; content:"/160.rar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19882; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - optima/index.php"; flow:to_server,established; http_uri; content:"/optima/index.php",nocase; content:"uid=",distance 0,nocase; content:"ver=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=4f9ea5ce70a9a4cc132eb9635e0c5b7e6265ce94be1ff1e9cfd4198dbebd449b-1294138038; classtype:trojan-activity; sid:19913; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string Baby Remote - Win32/Babmote.A"; flow:to_server,established; http_header; content:"User-Agent|3A| Baby Remote"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=0712178d245f4e5a5d0cf6318bf39144; classtype:trojan-activity; sid:20009; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string feranet/0.4 - Win32/Ferabsa.A"; flow:to_server,established; http_header; content:"User-Agent|3A| feranet/0.4|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=93c9b388af56cd66c55630509db05dfd; classtype:trojan-activity; sid:20012; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - InfoBot"; flow:to_server,established; http_header; content:"User-Agent|3A| InfoBot|2F|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0d624da9ec161f78c513cf6b0c85a069b65581cf09ba0a3315e2cac83a89a685-1311198379; classtype:trojan-activity; sid:20104; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - IPHONE"; flow:to_server,established; http_header; content:"User-Agent|3A| IPHONE"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=459c30e9568295b0d9a3e5092734bb7fb6137b9bb8d7cbf5486b62e48e36bd7c-1311220119; classtype:trojan-activity; sid:20105; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - darkness"; flow:to_server,established; http_header; content:"User-Agent|3A| darkness"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=30ae2284f7d211b8e448f4b011ee554d1303a0ef0163c4b664fe09d168b4441a-1314088474; classtype:trojan-activity; sid:20106; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - meterpreter"; flow:to_server,established; http_header; content:"User-Agent|3A| Meterpreter"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:trojan-activity; sid:20201; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string 0pera 10"; flow:to_server,established; http_header; content:"User-Agent|3A| 0pera 10"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=68c5adbc86aad8332455dcacbe624718d053d9078e99e149d6ecc69085a9e691-1313299701; classtype:trojan-activity; sid:20230; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Mozilla//4.0"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla//4.0 [compatible"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=56afa16e9c6bb2a379d3cff3787d18fa0a7b5f3c3df712ac9702cad789d7eb29-1316218781; classtype:trojan-activity; sid:20231; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string MBVDFRESCT"; flow:to_server,established; http_header; content:"User|2D|Agent|3A| MBVDFRESCT"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=61c2dbab2a90512689ac11e724bd8d2923a30780bfb9cac884ba4eb390e8fd40-1315489381; classtype:trojan-activity; sid:20293; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BLACKLIST EMAIL known malicious email string - You have received a Hallmark E-Card"; flow:to_server,established; content:"Subject|3A| You have received a Hallmark E-Card!",nocase; content:!"href=|22|http|3A|//www.hallmark.com/",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file-scan/report.html?id=bd1cfd7b15f70d131d8f3f013a4e6afb0807791b898d96d3cc2b57de576acf1f-1258200619; reference:url,www.virustotal.com/latest-report.html?resource=925a4a25cfa562a0330c8733cc697021; classtype:misc-activity; sid:19595; rev:4; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain prettylikeher.com - Sykipot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|prettylikeher|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:cve,2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:21048; rev:6; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mysundayparty.com - Sykipot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|mysundayparty|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html; classtype:trojan-activity; sid:21049; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Win32 Amti"; flow:to_server,established; http_header; content:"User-Agent|3A| Win32|2F|Amti"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=5c1b20432a465cfc9f830a8507645b757a95aadcb1f0dd74a05b3c76daddeef9-1296059565; classtype:trojan-activity; sid:21175; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string API Guide test program"; flow:to_server,established; http_header; content:"User|2D|Agent|3A| API|2D|Guide test program"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/97ff0c3329bff100cae187cd91dc761495dc8927ebcc64bc04025134624951f6/analysis/; reference:url,www.virustotal.com/file/cb5df70973c7ccedd7ee76e4dcadc2b8b7abab51b1aa16bcac4dd57df9b99182/analysis/; classtype:trojan-activity; sid:21188; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Aldi Bot"; flow:to_server,established; http_header; content:"User-Agent|3A| Aldi Bot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=7b17e377e2c44bdad10828dffd9da193a08de4512b47e5caae8a654a9406bb98-1315864372; classtype:trojan-activity; sid:21206; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Flag"; flow:to_server,established; http_header; content:"User-Agent|3A| Flag|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=43606116e03672d5c2bca7d072caa573d3fc2463795427d6f5abfa25403bd280-1320677089; classtype:trojan-activity; sid:21225; rev:4; )
-alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"BLACKLIST known malicious FTP login banner - 0wns j0"; flow:established,to_client; content:"220|20|",depth 4; content:"0wns j0",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service ftp; reference:url,seclists.org/fulldisclosure/2004/Sep/895; reference:url,www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html; classtype:trojan-activity; sid:21255; rev:4; )
-alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"BLACKLIST known malicious FTP quit banner - Goodbye happy r00ting"; flow:established,to_client; content:"221 Goodbye happy r00ting"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service ftp; reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html; classtype:trojan-activity; sid:21256; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Google Bot"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Google Bot|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=9b5ea51d036ed45e7665abb280e43459; classtype:trojan-activity; sid:21278; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent ASafaWeb Scan"; flow:to_server,established; http_header; content:"User-Agent|3A| asafaweb.com"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community,service http; reference:url,asafaweb.com; classtype:network-scan; sid:21327; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string psi"; flow:to_server,established; http_header; content:"User-Agent|3A 20|psi|20|v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b76f804853db8b602393a588385e3c091bfb81b312ca8d7228881fc9d8bdae6e/analysis/1330351984/; classtype:trojan-activity; sid:21455; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string 1234567890"; flow:to_server,established; http_header; content:"User-Agent|3A| 1234567890"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,/www.virustotal.com/file-scan/report.html?id=aead70177d2932a1ddd4556fa6b7eb3f7a136f58d5511e2c391b74c0f6d32a98-1315311757; classtype:trojan-activity; sid:21469; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string core-project"; flow:to_server, established; http_header; content:"User-Agent|3A 20|core-project"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:misc-activity; sid:21475; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent YZF"; flow:to_server,established; http_header; content:"User-Agent|3A| YZF|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/92221d283f4d4109b1e8ba139355498cf5b1f444ef8ea181e8ecdc4f68558a97/analysis/; classtype:trojan-activity; sid:21476; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent Gamevance tl_v"; flow:to_server,established; http_header; content:"User-Agent|3A| tl_v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/009b5aba4b00bb618b46987630c23c69b20af29194c3e50a5c6dd2ae04338dd1/analysis/; classtype:trojan-activity; sid:21591; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent gbot"; flow:to_server,established; http_header; content:"User-Agent|3A| gbot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/289eb3becfaf41707ff5e5315c6ba0cca3a5b84f5241d596c748eb036a22a889/analysis/; classtype:trojan-activity; sid:21636; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent mus - TDSS related"; flow:to_server,established; http_header; content:"User-Agent|3A| mus"; pcre:"/User-Agent\x3A\s+?mus[\x0d\x0a]/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/dd3979104aea7a45136e51a24fddcda4658d1825e5a4ee65f2e0601d5ddfc971/analysis/; classtype:trojan-activity; sid:21639; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent TCYWinHTTPDownload"; flow:to_server,established; http_header; content:"User-Agent|3A| TCYWinHTTPDownload"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3303912ce4dd35cb0fefe2d6fbc75a887c2734d42e5edd622609a2c8bedd0dae/analysis/; classtype:trojan-activity; sid:21526; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent BOT/0.1"; flow:to_server,established; http_header; content:"User-Agent|3A| BOT/0.1 |28|BOT for JCE|29|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:21925; rev:2; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mac.update.zyns.com - OSX.Maljava"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mac|06|update|04|zyns|03|com"; metadata:impact_flag red,policy balanced-ips drop,service dns; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:22051; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent RAbcLib"; flow:to_server,established; http_header; content:"User-Agent|3A| RAbcLib"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/47D648603A2923D4539AAF6D4F63B3B704CCE090F68BB394A0F8B1BC2649844A/analysis/; classtype:trojan-activity; sid:22939; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Flame malware"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B|Windows NT 5.1|3B| .NET CLR 1.1.2150|29|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23019; rev:2; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain traffic-spot.com - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|traffic-spot|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23020; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain traffic-spot.biz - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|traffic-spot|03|biz|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23021; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain smart-access.net - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|smart-access|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23022; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain quick-net.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|quick-net|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23023; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain autosync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|autosync|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23024; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnslocation.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dnslocation|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23025; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsmask.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsmask|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23026; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsportal.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dnsportal|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23027; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsupdate.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dnsupdate|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23028; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain flashupdates.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|flashupdates|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23029; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain localgateway.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|localgateway|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23030; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiadrivers.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|nvidiadrivers|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23031; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiasoft.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|nvidiasoft|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23032; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiastream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nvidiastream|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23033; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pingserver.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pingserver|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23034; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain rendercodec.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|rendercodec|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23035; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain syncdomain.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncdomain|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23036; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain syncstream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncstream|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23037; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain videosync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|videosync|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23038; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for runforestrun - JS.Runfore"; flow:to_server,established; http_uri; content:"/runforestrun?sid="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; reference:url,urlquery.net/search.php?q=runforestrun; classtype:trojan-activity; sid:23473; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - PoisonIvy RAT"; flow:to_server,established; http_header; content:"User-Agent|3A| PoisonIvy"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.poisonivy-rat.com; reference:url,www.virustotal.com/file/c71d8085544e6f81e0301d9dd5cdf88369339a6001bab8e4fda22de9ec0fee31/analysis/; classtype:trojan-activity; sid:23627; rev:2; )
-alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - you"; flow:to_server,established; http_header; content:"User-Agent|3A| you|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23903; rev:2; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dotnetadvisor.info - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|dotnetadvisor|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23800; rev:2; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bestcomputeradvisor.com - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|13|bestcomputeradvisor|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23801; rev:2; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain secuurity.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|secuurity|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23803; rev:2; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gowin7.com - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gowin7|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23804; rev:2; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain jebena.ananikolic.su - Malware.HPsus/Palevo-B"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|jebena|0A|ananikolic|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HPsus~Palevo-B/detailed-analysis.aspx; classtype:trojan-activity; sid:24034; rev:3; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain reslove-dns.com - Dorifel"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|reslove-dns|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24146; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Testing"; flow:to_server,established; http_header; content:"User-Agent|3A| Testing"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24441; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Alerter COM"; flow:to_server,established; http_header; content:"User-Agent|3A| Alerter COM+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24442; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - malware"; flow:to_server,established; http_header; content:"malware"; pcre:"/^User-Agent\x3A[^\r\n]*malware/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/analisis/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c-1270750352; classtype:trojan-activity; sid:16551; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Tear Application"; flow:to_server,established; http_header; content:"User-Agent|3A| Tear Application"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=48f1270338bc233839ffefa7e5eefde7; classtype:trojan-activity; sid:16497; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Async HTTP Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Async HTTP Agent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5900; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:misc-activity; sid:5808; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Opera/9.61"; flow:to_server,established; http_header; content:"User-Agent: Opera/9.61|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/78F000C1901081A2B7F43E55843BA89B3ED2BE2CAB2C3C36F04C768800863940/analysis/; classtype:trojan-activity; sid:24575; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Lizard/1.0"; flow:to_server,established; http_header; content:"User-Agent: Lizard/1.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/F885D6F24FFE5CD899841E9B9914F7CC1CF22C13C5EBF5332F1A1B4F378793FE/analysis/; classtype:trojan-activity; sid:24631; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - 1"; flow:to_server,established; http_header; content:"User-Agent: 1|0D 0A|"; content:!"Accept:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24632; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - test_hInternet"; flow:to_server,established; http_header; content:"User-Agent: test_hInternet|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24633; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - vaccinepc"; flow:to_server,established; http_header; content:"User-Agent: vaccinepc"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24634; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent - Google page"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Google page"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24792; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent"; flow:to_server,established; http_header; content:"User-Agent: User-Agent: Opera/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/E50BE9062933ACA19777767538BC9E03C94DB23AFBC4F6F19383FCBA3479EAB4/analysis/; classtype:trojan-activity; sid:25009; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; http_header; content:"malware-sinkhole|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:25018; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; http_header; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - 04/XP"; flow:to_server,established; http_header; content:"User-Agent: 04/XP|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/641B3981E33E33030D3D75EDE4D4F2C896D9F355FC9075B2F852E874FBB97F7A/analysis/; classtype:trojan-activity; sid:25243; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - me0hoi"; flow:to_server,established; http_header; content:"User-Agent: me0hoi|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/7919E2A3586AA83072689A5DB77DA8DDB4F675421D775C8F1A0110D12423EF3E/analysis/; classtype:trojan-activity; sid:25245; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/nt/th"; flow:to_server,established; http_uri; content:"/cgi-bin/nt/th"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25394; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/nt/sk"; flow:to_server,established; http_uri; content:"/cgi-bin/nt/sk"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25395; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/dllhost/ac"; flow:to_server,established; http_uri; content:"/cgi-bin/dllhost/ac"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25396; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/ms/check"; flow:to_server,established; http_uri; content:"/cgi-bin/ms/check"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25397; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/ms/flush"; flow:to_server,established; http_uri; content:"/cgi-bin/ms/flush"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25398; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/win/wcx"; flow:to_server,established; http_uri; content:"/cgi-bin/win/wcx"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25399; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/win/cab"; flow:to_server,established; http_uri; content:"/cgi-bin/win/cab"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25400; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain linuxrepository.org - UNIX.Trojan.SSHDoor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|linuxrepository|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/EBFD9354ED83635ED38BD117B375903F9984A18780EF86DBF7A642FC6584271C/analysis/; classtype:trojan-activity; sid:25554; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain openssh.info - UNIX.Trojan.SSHDoor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|openssh|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/EBFD9354ED83635ED38BD117B375903F9984A18780EF86DBF7A642FC6584271C/analysis/; classtype:trojan-activity; sid:25555; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain updete.servehttp.com - Win.Trojan.Jimpime"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|updete|09|servehttp|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/29311a4e5c198df5fa962fdef2e71bdb87a30ca76ce901ae779d30e9b8bfce1b/analysis/; classtype:trojan-activity; sid:25624; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - spam_bot"; flow:to_server,established; http_header; content:"User-Agent: spam_bot|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/ED62E89CC17E400A60D98E075FAFFB9D778C1A27A9CB83723E3AFA6A2C385339/analysis/; classtype:trojan-activity; sid:25659; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bahufykyby.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|bahufykyby|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25684; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain basewibuxenagip.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|basewibuxenagip|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25685; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cefimoqicy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cefimoqicy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25686; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cohehonyhe.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cohehonyhe|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25687; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain covyqileju.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|covyqileju|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25688; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain decogonuwy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|decogonuwy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25689; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain degupydoka.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|degupydoka|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25690; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain diconybomo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|diconybomo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25691; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dixegocixa.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dixegocixa|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25692; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain favomavene.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|favomavene|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25693; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fegufidaty.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fegufidaty|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25694; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fenemusemy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fenemusemy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25695; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fihyqukapy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fihyqukapy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25696; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fokizireheceduf.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|fokizireheceduf|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25697; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fyzuvejemuxoqiw.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|fyzuvejemuxoqiw|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25698; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gecadutolu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gecadutolu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25699; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gybejajehekyfet.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|gybejajehekyfet|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25700; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain hiveqemyrehinex.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|hiveqemyrehinex|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25701; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain kyqehurevynyryk.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kyqehurevynyryk|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25702; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lofyjisoxo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lofyjisoxo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25703; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain loqytylukykiruf.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|loqytylukykiruf|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25704; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lujuhijalu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lujuhijalu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25705; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain luxohygity.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|luxohygity|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25706; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain moqawowyti.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|moqawowyti|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25707; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain musututefu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|musututefu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25708; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mysotonego.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|mysotonego|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25709; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain negenezepu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|negenezepu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25710; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pyziviziny.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pyziviziny|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25711; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qecytylohozariw.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qecytylohozariw|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25712; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qokimusanyveful.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qokimusanyveful|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25713; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qudevyfiqa.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|qudevyfiqa|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25714; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain radohowexehedun.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|radohowexehedun|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25715; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain relusibeci.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|relusibeci|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25716; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain rulerykozu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|rulerykozu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25717; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain sygonugeze.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|sygonugeze|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25718; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain taqyhucoka.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|taqyhucoka|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25719; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain tebejoturu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|tebejoturu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25720; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vesufopodu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vesufopodu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25721; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vujygijehu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vujygijehu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25722; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vyzefykeno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vyzefykeno|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25723; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain wezadifiha.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wezadifiha|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25724; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain xatawihuvo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|xatawihuvo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25725; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain xohuhynevepeqyv.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xohuhynevepeqyv|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25726; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zuhokasyku.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zuhokasyku|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25727; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zykuxykevu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zykuxykevu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25728; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain all-celeb.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|all-celeb|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25729; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain allsearchforyou.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|allsearchforyou|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25730; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bestpornodrive.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|bestpornodrive|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25731; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain beststoresearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|beststoresearch|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25732; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain catalogforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|catalogforyou|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25733; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain catalogpornosearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|catalogpornosearch|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25734; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain celebrity-info.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|celebrity-info|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25735; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain drafsddhjk.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|drafsddhjk|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25736; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain easy-statistics.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|easy-statistics|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25737; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ekstaz.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ekstaz|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25738; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain facesystem.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|facesystem|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25739; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain famouspeopledata.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|famouspeopledata|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25740; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain famouspeopleinformation.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|17|famouspeopleinformation|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25741; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain findalleasy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|findalleasy|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25742; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain findallsimple.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|findallsimple|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25743; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freepornoreport.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|freepornoreport|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25744; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freepornoshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|freepornoshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25745; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freesearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|freesearchshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25746; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain localfreecatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|localfreecatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25747; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain loveplacecatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|loveplacecatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25748; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lovepornomoney.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|lovepornomoney|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25749; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newpornopicture.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|newpornopicture|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25750; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newsearchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|newsearchnecessary|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25751; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newsearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|newsearchshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25752; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornobeetle.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pornobeetle|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25753; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornofreecatalogs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|pornofreecatalogs|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25754; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornofreeforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|pornofreeforyou|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25755; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornowinner.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pornowinner|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25756; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain proshopcatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|proshopcatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25757; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain searchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|searchnecessary|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25758; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain search-porno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|search-porno|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25759; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain shopcataloggroup.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|shopcataloggroup|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25760; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain shop-work.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shop-work|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25761; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain superstarsinfo.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|superstarsinfo|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25762; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain winnerfree.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|winnerfree|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25763; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain 24131192124.com - Win.Trojan.Chebri.C "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|24131192124|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FChebri.C; classtype:trojan-activity; sid:25946; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent cibabam"; flow:to_server,established; http_header; content:"User-Agent|3A| cibabam|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/d8a18e7ce01d17149ada4a46ff3889da/analysis/; classtype:trojan-activity; sid:26248; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mercury.yori.pl - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mercury|04|yori|02|pl|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/3b10dea660714efe9d89b8473196be64445741a2b9d36f9ddf5e45e744a9e320/analysis/; classtype:trojan-activity; sid:26265; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain suppp.cantvenlinea.biz - Bitcoin Miner upload"; flow:to_server; content:"|05|suppp|0C|cantvenlinea|03|biz"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26396; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|08|eastmoon|02|pl|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26399; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|s|07|richlab|02|pl|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26400; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|gigabsh|03|org"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26401; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|com"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26402; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|h|08|opennews|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26403; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|0A|dailyradio|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26404; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|net"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26405; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|photobeat|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26406; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|uranus|03|kei|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26407; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gigashpere|02|su"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26408; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"ext|08|myshopers|03|com"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26409; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"BLACKLIST User-Agent known malicious user agent NOKIAN95/WEB"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2F|WEB"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:26522; rev:2; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|d1js21szq85hyn|0A|cloudfront|03|net"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26554; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xxxxxxxxxxxxxxx|03|kei|02|su"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26555; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|0A|dailyradio|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26556; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Malicious user agent Brutus AET"; flow:to_server,established; http_header; content:"Mozilla|2F|3.0 |28|Compatible|29 3B|Brutus|2F|AET"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,sectools.org/tool/brutus; classtype:misc-activity; sid:26558; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent Opera 10"; flow:to_server,established; http_header; content:"Opera/10|20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.elitemarketingworld.net - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|elitemarketingworld|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26580; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.rsakillerforever.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|10|rsakillerforever|04|name|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26581; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.allamericanservices.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|allamericanservices|04|name|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26582; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain msnsolution.nicaze.net - Genome Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|msnsolution|06|nicaze|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44; reference:url,www.virustotal.com/en/file/f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44/analysis/1367863560/; classtype:trojan-activity; sid:26583; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain theimageparlour.net - Vobfus worm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|theimageparlour|03|net|00|"; content:"|03|ns"; content:"|0F|",within 2; content:"theimageparlour|03|net|00|",within 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/cbee43ecc75d6f29061416add74a78ce5e36c67b85e186d66338399305e594d4/analysis/; classtype:trojan-activity; sid:26589; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www2.x3x4.su - backdoor trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www2|04|x3x4|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/a6cad9e09f5049f432491037946acf3376d3d957b97f49ecb22f86531fb0b7de/analysis/; classtype:trojan-activity; sid:26654; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string J13A"; flow:to_server,established; http_header; content:"User-Agent: J13A|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/de/file/75667889BC6ACBB77E57EF02DDE1D908EEF9625292618E31E7D4F5194733C6F0/analysis/; classtype:trojan-activity; sid:26685; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Alina"; flow:to_server, established; http_header; content:"User-Agent|3A| Alina"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/102fa9c066102db7ebf821e28dbc6363d544843bfe45c331eb826663ab6c74b9/analysis/; classtype:trojan-activity; sid:26686; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Win"; flow:to_server,established; http_header; content:"User-Agent|3A| Win|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26702; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain - Backdoor Rbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|07o|05|no-ip|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/bee6e4bb1aba3934388948b48c59068fac3bf467ea9bde8d043ee6481a4d8431/analysis/1369236935/; classtype:trojan-activity; sid:26718; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - msctls_progress32"; flow:to_server,established; http_header; content:"User-Agent|3A| msctls_progress32|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/0b88db0c00910a9f018189a01bb9ab2b166cf16f73930d96e519281d6c5b3001/analysis/; classtype:trojan-activity; sid:26751; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vseforyou.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|vseforyou|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26781; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain commorgan.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|commorgan|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26782; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.silobiancer.com - Win.Trojan.Rombrast Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|silobiancer|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26913; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain goliyonzo.pw - BackDoor Comet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|goliyonzo|02|pw|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156196&password=gtrcgbtwhh; reference:url,www.virustotal.com/en/file/b2e7148311c223519042ba38e1ef8a48061645d5bdcadf9763386ad92fcc2654/analysis/; classtype:trojan-activity; sid:26914; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zalil.ru - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zalil|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156195&password=ykndnbluja; reference:url,www.virustotal.com/en/file/22ecaeec7bf54ac3bb8deecd092447c8d62e8e4a928dcaada0348b08db2d1f94/analysis/; classtype:trojan-activity; sid:26915; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain soywey.sin-ip.es - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|soywey|06|sin-ip|02|es|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/218bf5badb5658d06b14d376c92834622b6a171dde9fa8dded755d9fd54c4dae/analysis/; classtype:trojan-activity; sid:26916; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain bigmack.opendns.be - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bigmack|07|opendns|02|be|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.mywot.com/en/scorecard/bigmack.opendns.be?page=3; classtype:trojan-activity; sid:26917; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain trafficconverter.biz - ChronoPay"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|trafficconverter|03|biz|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,krebsonsecurity.com/2011/03/chronopays-scareware-diaries/#more-8331; classtype:trojan-activity; sid:26918; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain kjwre9fqwieluoi.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kjwre9fqwieluoi|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26919; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain kukutrustnet777.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kukutrustnet777|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26920; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain memo-stat.com - Htbot"; flow:to_server; content:"|09|memo-stat|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27043; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain twinkcam.net - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|twinkcam|03|net|00|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27180; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cinnamyn.com - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|cinnamyn|03|com|00|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27181; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain restless.ru - Gamarue Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|restless|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27247; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - yahoonews"; flow:to_server,established; http_header; content:"User-Agent|3A| yahoonews|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/49608d016caf8dc31e95e01bd76cc4ac3f37df47b1299931f872e67a4ec80fa3/analysis/; classtype:trojan-activity; sid:27263; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ohtheigh.cc - Foreign-R Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|ohtheigh|02|cc|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Foreign-R/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/787cf06f029d8f79ed375aef13d18301541d73a56b4415da433833b8dae27b63/analysis/1374765802/; classtype:trojan-activity; sid:27537; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain prospexleads.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|prospexleads|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27559; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain phonebillssuck.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|phonebillssuck|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27560; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain myimpactblog.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|myimpactblog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27561; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fixingsocialsecurity.org - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|fixingsocialsecurity|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27562; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain keurslager-demeulder.be - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|keurslager-demeulder|02|be|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27563; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ftp.sigmasolutions.gr - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|0E|sigmasolutions|02|gr|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27564; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 1"; flow:to_client,established; file_data; content:"src=|22|https|3A 2F 2F|www.google.com|2F|accounts|2F|ManageAccount?hl=fr|22|"; content:"javascr|5C|u0009ipt|3A|alert|28|document.cookie"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16667; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 2"; flow:to_client,established; file_data; content:"src=|22|http|3A 2F 2F|www.google.ca|2F|language_tools?hl=en|22|"; content:"window.open|28 27|j|5C|navascript|3A|alert|28|document.cookie|29 27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16668; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome float rendering corruption attempt"; flow:to_client,established; file_data; content:"display: list-item"; content:"display: -webkit-inline-box"; content:"removeChild|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1804; classtype:attempted-user; sid:19710; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client, established; file_data; content:"first-letter",nocase; content:"direction",distance 0,nocase; content:"rtl",within 8; content:"whitespace |3D| ",distance 0,nocase; content:"pre",within 10,nocase; content:"|3C|span",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35326; reference:cve,2009-1392; classtype:attempted-user; sid:17613; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"cobj|2E|id=|22|testcase|22|",fast_pattern,nocase; content:"document|2E|body|2E|appendChild|28|cobj|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3765; classtype:attempted-user; sid:19292; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E|",depth 70; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18486; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18485; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox new function garbage collection remote code execution attempt"; flow:to_client,established; file_data; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|29 27 29 3B 20 7D|"; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|2C|buf|29 27 29 3B 20 7D|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18302; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox GeckoActiveXObject memory corruption attempt"; flow:to_client,established; file_data; content:"str|2B 3D|str|3B|"; content:"window.GeckoActiveXObject|28|str|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18301; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; file_data; content:"editEl|20 3D 20|window|2E|el|3B|"; content:"editEl|2E|innerHTML|20 3D 20|value|3B|",distance 0; content:"editEl|2E|disabled|20 3D 20|false|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-3801; reference:url,osvdb.org/show/osvdb/27558; classtype:attempted-user; sid:18263; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine function arguments memory corruption attempt"; flow:to_client,established; file_data; content:"|3B|i<25|3B|i++|29| fe += fe|3B|"; content:"fu=new Function|28 0A|"; content:"fe, fe, fe, fe, fe, fe, fe,",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18262; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine String.toSource memory corruption attempt"; flow:to_client,established; file_data; content:"var rr=",nocase; content:".toSource|28 29 3B|",within 12,distance 1; content:"for|28|i=0|3B|i<1024|2A|1024|3B|i++|29| meg += |22|v|22 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18261; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox InstallTrigger.install memory corruption attempt"; flow:to_client,established; file_data; content:"InstallTrigger.install.call|28|document|2C 22|a|22 2C 22|a|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17516; reference:cve,2006-1790; classtype:attempted-user; sid:18187; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox PKCS11 module installation code execution attempt"; flow:to_client,established; file_data; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36343; reference:cve,2009-3076; classtype:attempted-user; sid:16142; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"getElementById|28|'para'|29|.childNodes[0].splitText|28|11|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:17719; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"contentDocument.designMode",nocase; content:"addEvenListener|28|",distance 0,nocase; content:"iframe.style.position",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:17570; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow"; flow:to_client,established; file_data; content:"<a href=|22 01 78 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31346; reference:cve,2008-0016; classtype:attempted-user; sid:17519; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JIT escape function memory corruption attempt"; flow:to_client,established; file_data; content:"=data.charAt("; content:"function",nocase; content:"(data)",within 50,nocase; content:"if(",distance 0,nocase; content:"=='",within 125; content:"'",within 1,distance 1; content:" = escape(",within 135; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35660; reference:cve,2009-2477; reference:url,www.kb.cert.org/vuls/id/443060; classtype:attempted-user; sid:15997; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter {float|3A| ",fast_pattern; content:".setAttribute|28|'style', 'display|3A| -moz-box|3B| '|29 3B|"; content:".style.display= 'none'|3B|",within 60; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36866; reference:cve,2009-3382; classtype:attempted-user; sid:16347; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"<script>|0A|function doe|28 29|"; content:"getElementById|28|'a'|29|.childNodes[0].splitText|28|1|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:16284; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_client,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; content:"return res.slice(0, str.length * num)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:15699; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox XBL Event Handler Tags Removal memory corruption attempt"; flow:to_client,established; file_data; content:"XUL_NS"; content:"child.parentNode.removeChild",distance 0; content:"onselect=|22|deleteChild|28|event.originalTarget|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26132; reference:cve,2007-5339; classtype:attempted-user; sid:15383; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_client,established; file_data; content:"|2E|view|2E|selection",nocase; content:"|2E|invalidateSelection",distance 0,nocase; pcre:"/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0073; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; classtype:attempted-user; sid:20072; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption"; flow:to_client,established; file_data; content:"var tags = new Array|28 22|audio|22|, |22|a|22|, |22|base|22 29|",nocase; content:"var html = |22|<|22| + tags[i] + |22| |22| + atts[j]",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3765; classtype:attempted-user; sid:17804; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based"; flow:to_client,established; file_data; content:"wOFFOTTO"; content:"|00 00|",within 2,distance 6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16502; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType"; flow:to_client,established; file_data; content:"wOFF|00 01 00 00|"; content:"|00 00|",within 2,distance 6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16501; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ConstructFrame with floating first-letter memory corruption attempt"; flow:to_client,established; file_data; content:"first-letter",nocase; content:"float: right",distance 0,nocase; content:"parentNode.removeAttribute(|22|class|22|)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35765; reference:cve,2009-2462; classtype:attempted-user; sid:17642; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|6|5D 20 3D 20 22|toto|22 3B|"; content:"a|2E|splice|28|6|2C 20|1|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17399; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|10|5D 20 3D 20 22|AAAAAAAAAA|22 3B|"; content:"a|2E|splice|28|10|2C 20|1|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17398; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt"; flow:to_client,established; file_data; content:"selection|2E|timedSelect|28|1|2C|8000|29 3B|"; content:"tree|2E|view|2E|selection|3D|null|3B|",distance 0; content:"delete|20|tree",distance 0; content:"delete|20|selection"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:17258; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; file_data; content:"type=",nocase; content:"file",within 7,distance 1,nocase; content:"getElement",nocase; pcre:"/var\s*(?P<varname>[^\s]*)\s*\x3d\s*[^\x2E]*\x2EgetElement[^\x28]*\x28(\x22|\x27)(?P<elementid>[^\x22\x27]*)(\x22|\x27)\x29.*(?P=varname)\x2etype\s*\x3D\s*(\x22|\x27)(?!file).*id\s*\x3d\s*(\x22|\x27)(?P=elementid)[^>]*type\s*=\s*(\x22|\x27)file/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32281; reference:cve,2008-5021; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-55.html; classtype:attempted-user; sid:17603; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xul; file_data; content:"style="; content:"<treechildren",nocase; content:"<treechildren",distance 0,nocase; content:"ordinal"; content:"event.target.parentNode.removeChild"; pcre:"/onoverflow\s*?=\s*?(\x22|\x27)\s*?event\.target\.parentNode\.removeChild/smi"; pcre:"/<treechildren.*?ordinal=.*?<treechildren/smi"; pcre:"/<tree.*?tree(?!children).*?<treechildren.*?<treechildren/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32281; reference:cve,2008-5016; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-52.html; classtype:attempted-user; sid:17601; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"iframe",nocase; content:"iframe.contentDocument.designMode",nocase; content:"addEventListener",nocase; pcre:"/addEventListener\s*\(\s*(?P<q>\x22|\x27|)(mouse(move|down)|keydown)(?P=q)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:13838; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|label|22| match=|22|item2|22| use=|22|w00t|28 29 22|/>"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:15431; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|poc|22| match=|22|nodeB|22| use=|22|does_not_exist|28 29 22|/>"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:17444; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0xffffffff",nocase; content:"a.reduceRight|28|callback|2C|0|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19713; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0x81000002",nocase; content:"a.reduceRight|28|callback|2C|0|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19714; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|25 6E 25 6E 25 6E 25 6E 25 6E 25 6E 22 45 57 49 44 54 48 3D 6C 65 66 74 20 53 49 5A 45 3D 8B 8B 8B 8B 8B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18077; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|3C|HR WIDTH|3D|4444444 COLOR|3D 22 23|000000|22 3E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18078; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"|25|3C|21 2D 2D 25|20Comment|25|20|2D 2D 25|3E|25|3Csvg|25|20xmlns|3D 25|22http|3A 2F 2F|www|2E|w3|2E|org|2F|2000|2F|svg|25|22|25|20version|3D 25|221|2E|1|25|22|25|20baseProfile|3D 25|22full|25|22|25|3E|25|3C|2F|svg|25|3E"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:18296; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt"; flow:to_client,established; file_data; content:"|3C|q style|3D 22|position|3A|relative|3B 22 3E 3C|q style|3D 22|position|3A|relative|3B 22 3E|"; content:"|2E|style|2E|position|3D 27|static|27 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,16476; reference:cve,2006-0294; classtype:attempted-user; sid:18286; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products EscapeAttributeValue integer overflow attempt"; flow:to_client,established; file_data; content:"alert|28|xx.toXMLString"; content:"for|28|i=0|3B|i<|28|1024*1024|29|/2|3B|i++|29| m += |22 5C|n|22 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,16476; reference:cve,2006-0297; classtype:attempted-user; sid:18250; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products -moz-grid and -moz-grid-group display styles code execution attempt"; flow:to_client,established; file_data; content:"|3C|button onclick|3D 22|document|2E|getElementsByTagName|28 27|row|27 29 5B|0|5D 2E|style|2E|display|3D 27 2D|moz|2D|grid|2D|group|27 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17516; reference:cve,2006-1738; classtype:attempted-user; sid:18186; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"bb.appendChild|28|fr.childNodes[4]|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:15999; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Products SVG Layout Engine Index Parameter memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById|28 22|path|22 29|.pathSegList.getItem|28|-1|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:15164; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla multiple products CSSValue array memory corruption attempt"; flow:to_client,established; file_data; content:"counter|2D|reset|3A|"; content:"counter|2D|increment|3A|",distance 0; content:"|3C|ol|20|id|3D 22|id1|22 3E 0A|",distance 0; content:"|3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,29802; reference:cve,2008-2785; classtype:attempted-user; sid:17630; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"len = 0xffffffff"; content:".reduceRight"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24187; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:".length = 2197815302"; content:".reduceRight"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24188; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_server,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; content:"return res.slice(0, str.length * num)"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:26188; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Multiple browser marquee tag denial of service attempt"; flow:to_client,established; file_data; content:"document.write|28 27|<html><marquee><h1>|27|+buffer+buffer|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,18165; reference:cve,2006-2723; classtype:attempted-dos; sid:18188; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"readystatechange"; content:"addEventListener"; content:"ArrayBuffer("; content:"Int32Array"; content:"window.stop"; content:!"ArrayBufferView"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:27568; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer navcancl.htm url spoofing attempt"; flow:to_client,established; file_data; content:"ieframe.dll/navcancl.htm|23|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22966; reference:cve,2007-1499; reference:cve,2007-1752; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:misc-attack; sid:11834; rev:15; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0D 09 09 09 09 09 09 09 09 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21993; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 20 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21992; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 2E 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0D 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21991; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"Content-Encoding|3A|deflate",nocase; content:"|5C|Content-Range|3A 0D 0A 0D 0A 0D 0A 09| |09 09| |09| |09 09 09 09 09| |09 09| |09| |09 09| |09 09| |09 09 09| |09| |09| |09| |09| |09 09 09| |09 09| |09| |09 09 09| |09| |09| |09| |09 09 09 09 09 09| |09 09| |09|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:16149; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt - unescaped"; flow:to_client,established; file_data; content:"%53%52%43%3d%5c%5c%26%23",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17401; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Cross-Domain information disclosure attempt"; flow:to_client,established; file_data; content:"alert|28|myLink.styleSheet.cssText|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43709; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:19411; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById|28|'colid1'|29 2E|onpropertychange|20|="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37891; reference:cve,2010-0244; classtype:attempted-user; sid:18951; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"document.writeln|28 28|block.length|2B|memory|5B|0|5D 2E|length|2A|300|29 29 3B|"; content:"child_creator.click|28 29 3B|",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18523; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_creator|20 3D 20|document|2E|createElement|28 22 3C|A target|3D 27|_blank|27|"; content:"document.body.insertBefore|28|child_creator|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18522; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_element|20 3D 20|child|2E|document|2E|createElement|28 22 22 29 3B|"; content:"child_element|2E|appendChild|28|parent_element|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18521; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"try { window.open().document.appendChild(document)|3B| } catch(e) {}"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18520; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"filler|20 2B 3D 20|unescape|28 22 25|u0000|25|u0000"; content:"obj|2E|insertBefore|28|document|2E|createElement|28|filler|29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18519; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt"; flow:to_client,established; content:"|61 00 72 00 65 00 6E 00 74 00 5F 00 65 00 6C 00 65 00 6D 00 65 00 6E 00 74 00 2E 00 61 00 70 00 70 00 65 00 6E 00 64 00 43 00 68 00 69 00 6C 00 64 00 28 00 64 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 2E 00 63 00 72 00 65 00 61 00 74 00 65 00 43 00 6F 00 6D 00 6D 00 65 00 6E 00 74 00 28 00 73 00 4D 00 53 00 48 00 54 00 4D 00 4C 00 5F 00 68 00 65 00 61 00 70 00 5F 00 73 00 70 00 72 00 61 00 79 00 29 00 29 00 3B 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18518; rev:6; )
-alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer History.go method double free corruption attempt"; flow:to_client,established; file_data; content:"str2|20 3D 20|str|3B|"; content:"history|2E|go|28|str2|29 3B|",distance 0,fast_pattern; content:"str2|20 2B 3D 20|str|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34423; reference:cve,2009-0552; classtype:attempted-user; sid:18482; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:"|3C|input type|3D 22|checkbox|22 20|id|3D 27|c|27 3E|"; content:"r|3D|document|2E|getElementById|28 22|c|22 29 3B|",distance 0; content:"a|3D|r|2E|createTextRange|28 29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:18313; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; file_data; content:"|26|lt|3B 2F|span|26|gt|3B 0A 26|lt|3B|pre|26|gt|3B|"; content:"|26|lt|3B|colgroup|26|gt|3B 0A 26|lt|3B|small|26|gt|3B 0A 26|lt|3B 2F|small|26|gt|3B 0A 26|lt|3B 2F|colgroup|26|gt|3B|",distance 0; content:"|26|lt|3B 2F|object|26|gt|3B 0A 26|lt|3B 2F|bdo|0A 26|lt|3B 2F|th|0A 26|lt|3B 2F|object",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1188; classtype:attempted-user; sid:18306; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer script action handler overflow attempt"; flow:to_client,established; file_data; content:"for|28|s|3D 27 3C|a|20|onclick|3D 27 2C|i|3D|0|3B|"; content:"document|2E|write|28|s|2B 27 3E 27 29|",distance 0; content:"s|2B 3D|s|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:18303; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; file_data; content:"<embed type=|27 22| + asMimeTypes.shift"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:17729; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt"; flow:to_client,established; file_data; content:"var nopsled",nocase; content:"cloneNode|28 29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:17644; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer event handler memory corruption attempt"; flow:to_client,established; file_data; content:"activate = function ()"; pcre:"/on(before|de)activate\s*\x3d\s*function\s*\x28\x29\s*\x7b\s*call(back|malFunc)\x28\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35224; reference:cve,2009-1530; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-user; sid:17566; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution"; flow:to_client,established; file_data; content:"for",nocase; content:"i=0|3B| i<20|3B| i++",within 30; content:"document.location.href=fileURL",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25916; reference:cve,2007-3892; classtype:attempted-admin; sid:17549; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"adong7",nocase; content:"adong7",distance 0,nocase; content:"datasrc",distance 0,nocase; content:"datafld",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17402; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 09 0A 0D 09 20 0A 20 0A 20 0D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17263; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt"; flow:to_client,established; file_data; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%48%54%4d%4c%3e"; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%54%45%58%54%3e",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; classtype:attempted-user; sid:16605; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt"; flow:to_client,established; file_data; content:"<object",offset 0,nocase; pcre:!"/^[^>]*?data\s*=/Rmis"; content:"margin",nocase; pcre:"/<[^>]*?style\s*[>=].{1,1024}margin\s*\x3a\s*[^\x3b\x7d]*?-(\d{4}|1[0-9][1-9]|[2-9]\d\d)[ce][mx].*?[\x7b\x3b]/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:23836; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 memory disclosure attempt"; flow:to_client,established; file_data; content:"X-UA-Compatible"; content:"content=",nocase; content:".postMessage("; pcre:"/<\s*?meta\s+.*?(http-equiv=(?P<q1>[\x22\x27])\s*?X-UA-Compatible\s*?(?P=q1).*?[^>]content=(?P<q2>[\x22\x27])\s*?IE=\s*?(EmulateIE9|Edge|9)\s*?(?P=q2)|content=(?P<q3>[\x22\x27])\s*?IE=\s*?(EmulateIE9|Edge|9)\s*?(?P=q3).*?[^>]http-equiv=(?P<q4>[\x22\x27])\s*?X-UA-Compatible\s*(?P=q4)).*?(\w\x2epostMessage\x28\s*.*?\x5c0.*?\x29|var\s+(?P<var>\w+)\s*?=\s*?(?P<q5>[\x22\x27]).*?[^\x3b]\x5c0.*?\x3b.*?\w\x2epostMessage\x28\s*?(?P=var))/imsO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23128; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",fast_pattern,nocase; content:"fixed",within 7,nocase; pcre:"/<\s*script.*?(?P<var>\w+)\s*=\s*document\.getElementById\s*\x28\s*[\x22\x27](?P<col_id>[^\x22\x27]+)[\x22\x27]\s*\x29.*?((?P=var)\.span.*?<\s*table.*?<col[^>]*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?>.*?<\s*\/\s*table\s*>|<\s*col.*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?span\s*=\s*[\x22\x27]?\d)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23124; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 DOM element use after free attempt"; flow:to_client,established; file_data; content:"onpropertychange"; pcre:"/<script[^>]*?for\s*=\s*[\x22\x27]?.*?event\s*=\s*[\x22\x27]?onpropertychange[\x22\x27]?[^>]*?>/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1877; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23117; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNode use after free attempt"; flow:to_client,established; file_data; content:"srcElement.parentNode.removeChild"; pcre:"/\w+\.getElementById\(.*?\)\.attachEvent\(\s*(?P<q1>[\x22\x27]?)(?P<eventid>.*?)(?P=q1)\s*,\s*(?P<repro>\w+)\s*\)\;.*?var\s+(?P<target>\w+)\s*=\s*\w+\.getElementById\(.*?\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q2>[\x22\x27]?)(?P=eventid)(?P=q2)\s*\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q3>[\x22\x27]?)(?P=eventid)(?P=q3)\s*\)\;.*?function\s+(?P=repro)\s*\(\s*(?P<arg>\w+)\s*\)\s*{.*?(?P=arg)\.srcElement\.parentNode\.removeChild\(\s*(?P=arg)\.srcElement\s*\)\;.*?}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1878; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23116; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand|28|'selectAll'|29|",nocase; content:"document.execCommand|28|'selectAll'|29|",distance 0,nocase; content:"<body onload",distance 0,nocase; content:"onbeforedeactivate=",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:22038; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_client,established; file_data; content:"|3C 3F|IMPORT namespace=|22|",nocase; content:"implementation=|22|#default#VML|22 3E|",within 50,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:21793; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer location and location.href cross domain security bypass vulnerability"; flow:to_client,established; file_data; content:"window.open",nocase; content:".location",nocase; pcre:"/\.location(\.href)?\s*=\s*new\s+String\s*\x28\s*\x22\s*javascript\x3A/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2947; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14643; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ExecWB security zone bypass attempt"; flow:to_client,established; file_data; content:"ExecWB",nocase; pcre:"/ExecWB\s*\x28\s*[^\x2c\x29]*(7|IDM_PRINTPREVIEW)[^\x29]+http\x3a\x2f\x2f/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:17692; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross-domain navigation cookie stealing attempt"; flow:to_client,established; file_data; content:"setInterval|28|'xDomainAccess|28 29|',1|29 3B|",nocase; content:"setInterval|28 22|try { myWindow.location.href = victimLnk|3B|}",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-3091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:misc-attack; sid:15529; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer XSS mouseevent PII disclosure attempt"; flow:to_client,established; file_data; content:"setcapture|28 29|"; content:"onclick=",nocase; content:"event",nocase; content:"srcelement.",distance 0,nocase; pcre:"/(?P<divname>\w+)\x2esetcapture\x28\x29.*?<div[^\x3e]*?(?P=divname)[^\x3e]*?onclick\x3d/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3473; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:web-application-activity; sid:14656; rev:11; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross domain componentFromPoint memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|componentFromPoint|28|",nocase; pcre:"/(\S+)\s+\x3d[^\x3b]*\x2e(createElement|getElementById)\x28.*\1\x2ecomponentFromPoint\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3475; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14657; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX function call access"; flow:to_client,established; file_data; content:"DXTransform.Microsoft.DXLUTBuilder"; pcre:"/(?P<c>\w+)\s*=\s*(\x22DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x22|\x27DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x22|\x27DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13455; rev:10; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX clsid access"; flow:to_client,established; file_data; content:"1e54333b-2a00-11d1-8198-0000f87557db",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1e54333b-2a00-11d1-8198-0000f87557db\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13453; rev:10; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table layout access violation vulnerability"; flow:to_client,established; file_data; content:"|2E|getClientRects|28 29|",nocase; content:"|2E|clearAttributes|28 29|",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2258; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-045; classtype:misc-attack; sid:13961; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt"; flow:to_client,established; file_data; content:"|2E|ExecWB"; pcre:"/\x2eExecWB\s*\x28(IDM_PRINTPREVIEW|7)\x2c\s+(0|2)\x2C\s+\x22http/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,osvdb.org/show/osvdb/47414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-045; classtype:attempted-user; sid:13963; rev:10; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer marquee object handling memory corruption attempt"; flow:to_client,established; file_data; content:"MARQUEE",nocase; content:"onstart",distance 0,nocase; pcre:"/\x3c\s*Marquee[^\x3e]*onstart\s*\x3D\s*\x22\s*document\x2e(write|writeln|open)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0554; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-014; classtype:attempted-user; sid:17462; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; file_data; content:"function|20|open|5F|win|28 29|"; content:"document|2E|body|2E|innerHTML|20 3D|",distance 0; content:"|22 3C|embed|20|type|3D 27|audio|2F|midi|27 3E|",distance 0; content:"setInterval|28 27|open|5F|win|28 29 27 2C 20|1|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:17709; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated"; flow:to_client,established; dsize:<800; file_data; content:"<html>",nocase; content:"createElement",distance 0,nocase; content:"cloneNode",nocase; content:"clearAttributes",nocase; content:"CollectGarbage",nocase; content:"</html>",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:16339; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt"; flow:to_client,established; file_data; content:"cloneNode",nocase; content:"clearAttributes",distance 0,nocase; pcre:"/(?P<cl>\w+)\s*=\s*(?P<o>\w+)\.cloneNode.*?(?P=o)\.clearAttributes.*?(?P=o)\s*=\s*null\s*\x3B.*?(?P=cl)\.click\s*\x3B/Osmi"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:15304; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt"; flow:to_client,established; file_data; content:"createEventObject"; content:"innerHTML",distance 0; pcre:"/createEventObject[^\x7D]+innerHTML\s*\x3D\s*\S+[^\x7D]+(setTimeout|setInterval)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16367; rev:10; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 7/8 execute local file in Internet zone redirect attempt"; flow:to_client,established; http_header; content:"|0A|Location|3A|",nocase; content:"file|3A|//127.0.0.1",distance 0,fast_pattern; pcre:"/^Location\x3a[^\n]*file\x3a\x2f\x2f127\x2e0\x2e0\x2e1/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0255; reference:cve,2010-0555; reference:url,technet.microsoft.com/en-us/security/advisory/980088; classtype:attempted-user; sid:16423; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|7B|behavior",nocase; content:"url|28 23|default|23|userData|29|",distance 0,nocase; content:"setAttribute"; pcre:"/(?P<class>[A-Z\d_]+)\s*\x7Bbehavior\s*\x3a\s*url\x28\x23default\x23userData\x29.*?(?P<obj>[A-Z\d_]+)\x2EsetAttribute\x28[^,]+,\s*[A-Z]\x29.*?\x3cMARQUEE\s*id\x3d\x22(?P=obj)\x22\s*class\x3d\x22(?P=class)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; classtype:attempted-user; sid:17689; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|script|3E|",nocase; content:"|2E|style|2E|behavior",nocase; content:"|23|default|23|userData",distance 0,nocase; content:"setAttribute|28|"; pcre:"/(?P<obj>[A-Z\d_]+)\x2Estyle\x2Ebehavior\s*\x3D\s*\x22url\x28\x27\x23default\x23userData\x27\x29\x22.*?(?P=obj)\x2EsetAttribute\x28[^,]+,\s*[A-Z]/smi"; content:"|3C 2F|script|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:17688; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",distance 0,nocase; pcre:"/(?P<obj>[A-Z\d_]+)\.addBehavior\x28(?P<q1>\x22|\x27|)[^\x29]*\x23default\x23userData(?P=q1)\x29.*?(?P=obj)\.setAttribute\x28[^,]+,\s*[A-Z]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16482; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer boundElements arbitrary code execution"; flow:to_client,established; file_data; content:"event.boundElements"; content:"window.close"; pcre:"/on(load|click)\s*=\s*\x22?window\.close\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42288; reference:cve,2010-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-053; classtype:attempted-user; sid:17130; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6 #default#anim attempt"; flow:to_client,established; file_data; content:"behavior:url('#default#anim')",nocase; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2010-3343; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-090; classtype:attempted-user; sid:18216; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer oversize recordset object cache size exploit attempt"; flow:to_client,established; file_data; content:"recordset"; content:".CacheSize",within 100; pcre:"/^\s*=\s/R"; byte_test:10,>,0x3ffffffe,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1117; reference:cve,2010-1118; reference:cve,2010-1259; reference:cve,2010-1262; reference:cve,2011-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-002; classtype:attempted-user; sid:18280; rev:10; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer document.insertBefore memory corruption attempt"; flow:to_client,established; file_data; content:"document.insertBefore(document"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0036; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-admin; sid:18404; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_client,established; file_data; content:"#default#time2"; content:"schemas-microsoft-com:time",nocase; content:"contenteditable",nocase; content:"|3A|transitionFilter",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19237; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML user after free attempt"; flow:to_client,established; file_data; content:"urn:schemas-microsoft-com:vml"; pcre:"/<v\s*\x3a\s*(image|imagedata|fill|stroke)\s+id\s*=\s*\x22([^\x22]*)\x22[^\x3E]*style\s*=\s*\x22[^\x22]*\x23default\x23VML[^\x22]*\x22.*document\x2EgetElementById\s*\x28\s*\x22\2\x22\s*\x29\x2Esrc\s+\x3D/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48173; reference:cve,2011-1266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-052; classtype:attempted-user; sid:19910; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer MDAC remote code execution attempt"; flow:to_client,established; file_data; content:"eval|28 22|r|3D|o|22|",nocase; content:"ect|28|n|2C 27 27 29|",distance 0,nocase; pcre:"/bj\x22[\x0D\x0A\s\t]*\x2b[\x0D\x0A\s\t]*\x22ect\x28n\x2C\x27\x27\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-014; classtype:attempted-user; sid:19872; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt"; flow:to_client,established; content:"302 Redirect",nocase; http_header; content:"Location|3A 20|cdl|3A 2F 2F|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1262; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-admin; sid:19245; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 toStaticHTML XSS attempt"; flow:to_client,established; file_data; content:"toStaticHTML(",fast_pattern,nocase; content:"expression(",within 100,nocase; pcre:"/toStaticHTML\x28.*?[\x26\x22].=expression\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19239; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt"; flow:to_client,established; file_data; content:"|3C|em id|3D 22|obj|22 3E|"; content:"obj|2E|outerHTML|2B 2B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0490; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19147; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt"; flow:to_client,established; file_data; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|"; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|",distance 0; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|",distance 0; pcre:"/\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00([^\x22]+)\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45246; reference:cve,2010-3971; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-user; sid:18240; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|radio|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22radio\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17262; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|checkbox|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22checkbox\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17261; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|image|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22image\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:16035; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName|28|'STYLE'|29|[0].outerHTML"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,37085; reference:cve,2009-3672; reference:cve,2009-4054; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16311; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer isindex buffer overflow attempt"; flow:to_client,established; file_data; content:"<style>",nocase; content:"<isindex>",distance 0,fast_pattern,nocase; content:"<style>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27668; reference:cve,2008-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-010; classtype:attempted-user; sid:16063; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"datasrc",nocase; content:"datafld",nocase; pcre:"/<(?P<t1>button|div|input[^>]+?type\s*=\s*(\x22|\x27)button(\x22|\x27)|label|legend|marquee|param|span)\s+[^>]*(datasrc\s*=\s*(?P<q1>\x22|\x27|)(?P<d1>\S+)(?P=q1)\s+[^>]*datafld\s*=\s*(?P<q2>\x22|\x27|)(?P<d2>\S+)(?P=q2)|datafld\s*=\s*(?P<q3>\x22|\x27|)(?P<d3>\S+)(?P=q3)\s+[^>]*datasrc\s*=\s*(?P<q4>\x22|\x27|)(?P<d4>\S+)(?P=q4))[^>]*>(?!.*?<\/\s*(?P=t1)\s*>.*?<(?P=t1)).*?<(?P=t1)\s+[^>]*(datasrc\s*=\s*(?P<q5>\x22|\x27|)((?P=d1)|(?P=d3))(?P=q5)\s+datafld\s*=\s*(?P<q6>\x22|\x27|)((?P=d2)|(?P=d4))(?P=q6)|(datafld\s*=\s*(?P<q7>\x22|\x27|)(?P=d1)(?P=q7)\s+datasrc\s*=\s*(?P<q8>\x22|\x27|)(?P=d2)(?P=q8)))/Osi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:15126; rev:11; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS strings parsing memory corruption attempt"; flow:to_client,established; file_data; content:"text-decoration",nocase; pcre:"/\x2E[A-Z\d_]+\s*\x7b\s*text-decoration[^\x3A]*?\x7d/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0943; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:17645; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_server,established; file_data; content:"#default#time2"; content:"schemas-microsoft-com:time",nocase; content:"contenteditable",nocase; content:"|3A|transitionFilter",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20766; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 DOM memory corruption attempt"; flow:to_client,established; file_data; content:"|22|X-UA-Compatible|22|",nocase; content:"content|3D 22|IE|3D|8|22|",distance 0,nocase; pcre:"/<\s*script.*?(?P<element2>\w+?)\x2Eparentnode\x2Eremovechild\x28(?P=element2)\x29/smi"; content:"|3C|ul|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37188; reference:cve,2009-3671; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:21994; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS handling memory corruption attempt"; flow:to_client,established; file_data; content:"<style",nocase; content:"document.styleSheets[0].rules[0].style",distance 0,nocase; content:"document.styleSheets[0].cssText",distance 0,nocase; content:".font",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1919; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15732; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table layout unitialized or deleted object access attempt"; flow:to_client,established; file_data; content:"<span style=|22|position|3A| absolute|3B|writing-mode|3A| bt-rl|22|>",nocase; content:"<table style=|22|float|3A|left|3B 22|>",within 60,nocase; content:"</table>",within 20,nocase; content:"</span>",within 40,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2531; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:misc-activity; sid:16152; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt"; flow:to_client,established; file_data; content:"res=document.getElementById|28|'column'|29 3B|"; content:"res.onpropertychange=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0244; classtype:misc-activity; sid:16376; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer navigating between pages race condition attempt"; flow:to_client,established; file_data; content:"function set_timers|28 29|"; content:"setInterval|28|'flip_page|28 29|'",within 40; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0551; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15458; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted/unitialized object memory corruption attempt"; flow:to_client,established; file_data; content:"<script",nocase; content:"var arr1=new Array",distance 1; content:"history.go|28|arr1[1]|29|",distance 1; content:"arr1[i] += temp",distance 1; content:"</script",distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15459; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt - public exploit"; flow:to_client,established; file_data; content:"100 112 99 118 109 102 110 117 46 100 114 102 97 117 101 70 118 102 110 117 79 99 106 102 99 117 40 102 118 117 41 60 32 101 111 100 117 110 101 111 116 47 103 102 116 70 108 102 109 102 110 117 66 122 73 101 40 35 115 113 49 35 41 47 105 111 110 102 114 73 84 78 76 62 34 35 59 120 105 111 100 112 119 47 115 102 116 74 110 117 101 115 118 98 108"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16369; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer security zone restriction bypass attempt"; flow:to_client,established; file_data; content:"|2F|test|2F|setScript|2E|htm|5C 3F 5C 3C|script language|3D 5C 27|vbscript|5C 27| src|3D 5C 27|http|3A 2F 2F 3C|server|3E 2F|test|2F|test|2E|vbs|5C 27 5C 3E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; classtype:attempted-user; sid:16637; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|",nocase; content:"|39 39 5C 78 39 35 5C 78 39 62 5C 78 63 63 5C 78|",distance 0; content:"|39 64 5C 78 63 39 5C 78 38 38 5C 78 64 38 5C 78 39 65 5C 78 39 64 5C 78 39 35 5C 78 39 64 5C 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17687; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|",nocase; content:"|61 66 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|",distance 0; content:"|62 64 5C 78 65 64 5C 78 61 65 5C 78 66 39 5C 78 61 62 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17686; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"setAttribute"; content:"document.location",distance 0; content:"about|3A 5C|u0c0c|5C|u0c0c|5C|u0c0c|5C|u0c0cblank|22|",within 40; content:"<marquee",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17685; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer compressed HDMX font processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|35 1E 8C F3 EA 69 54 52 D3 04 21 97 B9 56 49 31 28 EA D2 95 1D 8C 6C 5B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-admin; sid:17747; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6 race condition exploit attempt"; flow:to_client,established; file_data; content:"|3C|meta http-equiv|3D 22|refresh|22| content|3D 22|01|22 2F 3E|"; content:"|3C|iframe src|3D 22|iframepoc.html|22 3E 3C 2F|iframe|3E|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-2558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-053; classtype:attempted-user; sid:17136; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS XSRF exploit attempt"; flow:to_client,established; file_data; content:"alert|28|el.currentStyle.fontFamily|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17774; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS invalid mapping exploit attempt"; flow:to_client,established; file_data; content:"var x = document.styleSheets|5B 30 5D 3B 0A|"; content:"var s = x.rules.item|28 30 29|.style|3B 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3328; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17769; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross-domain information disclosure attempt"; flow:to_client,established; file_data; content:"var|20|s|20 3D 20|linkEle|2E|styleSheet|2E|cssText",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17771; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer empty table tag memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|SPAN|22|)[0]",nocase; content:"document.createElement(|27|TR|27|)",distance 0,nocase; content:"appendChild(tr)",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15733; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt"; flow:to_client,established; file_data; content:"function doMouseLeave",fast_pattern,nocase; content:"window|2E|event|2E|srcElement",within 100,nocase; pcre:"/doMouseLeave[^\x7D]*([^\x7D\s]*)\s*\x3D\s*window\x2Eevent\x2EsrcElement[^\x7D]*\1\x2EparentNode\x2EinnerHTML\s*\x3D\s*\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:18539; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Base64 encoded script overflow attempt"; flow:to_client,established; file_data; content:"//|2A|*Start Encode**#@~^",fast_pattern,nocase; content:!"==",within 2,distance 6; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-009; classtype:attempted-admin; sid:18401; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Oracle Java Web Start arbitrary command execution attempt - Internet Explorer"; flow:to_client,established; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"-XXaltjvm"; content:"launchjnlp",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16584; rev:5; )
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows ShellExecute and Internet Explorer 7 url handling code execution attempt"; flow:to_client,established; content:"BEGIN|3A|VCARD"; pcre:"/^URL\x3b\w+\x3amailto\x3a[^\n]*%[^\n]*\.(cmd|bat)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:12664; rev:7; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_server,established; file_data; content:"table-layout|3A|",fast_pattern,nocase; content:"fixed",within 7,nocase; pcre:"/<\s*script.*?(?P<var>\w+)\s*=\s*document\.getElementById\s*\x28\s*[\x22\x27](?P<col_id>[^\x22\x27]+)[\x22\x27]\s*\x29.*?((?P=var)\.span.*?<\s*table.*?<col[^>]*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?>.*?<\s*\/\s*table\s*>|<\s*col.*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?span\s*=\s*[\x22\x27]?\d)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24203; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",nocase; content:"fixed",within 7,nocase; content:"var divt = document.getElementById(|22|div_table|22|)",nocase; content:"<col id='col_id' width='41' span='9'>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24204; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_server,established; file_data; content:"table-layout|3A|",nocase; content:"fixed",within 7,nocase; content:"var divt = document.getElementById(|22|div_table|22|)",nocase; content:"<col id='col_id' width='41' span='9'>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24205; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"execCommand(|22|selectAll|22|)"; content:"onload=",nocase; content:"onselect=",within 50,nocase; pcre:"/body[^>]*?onload[^>]*?onselect/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/; classtype:attempted-user; sid:24210; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"body",nocase; content:"onselect=",within 50,nocase; content:"selectAll"; content:"document.write",nocase; content:"execCommand",nocase; pcre:"/execCommand\x28\s*?[\x22\x27]selectAll[\x22\x27]\s*?\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-063; classtype:attempted-user; sid:24212; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use embedded within javascript tags"; flow:to_client,established; file_data; content:"<script>",nocase; content:"execCommand(",distance 0; content:"</script>",distance 0,nocase; content:"onselect=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; classtype:attempted-user; sid:24252; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24869; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24870; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24871; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24872; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById"; content:"document.createElement",distance 0; content:"CollectGarbage",distance 0; content:".outerHTML",distance 0; content:"lastChild.style."; pcre:"/var\s*(\w+)\s*=\s*[\w\.]*?getElementById.*?\1\.lastChild\.style\.[a-z0-9()]\s*=\s*document\.createElement.*?CollectGarbage.*?\1\.outerHTML/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-dos; sid:24956; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25125; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25126; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25127; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25128; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25129; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25130; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25131; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25132; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25133; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25134; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25234; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25235; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25769; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"DOMParser"; content:"createCDATASection",nocase; content:"|2E|cloneNode",nocase; content:"adoptNode",distance 0,nocase; content:"CollectGarbage()",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25770; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"shape",nocase; content:"setAttribute(",distance 0,fast_pattern,nocase; content:"path",within 5,distance 1,nocase; isdataat:506,relative; content:!")",within 506; pcre:"/var\s*?(?P<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0030; classtype:attempted-user; sid:25773; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_client,established; file_data; content:"<figure",nocase; content:"dir",within 50,nocase; content:"rtl",within 50,nocase; content:"&",within 50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25784; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_server,established; file_data; content:"<figure",nocase; content:"dir",within 50,nocase; content:"rtl",within 50,nocase; content:"&",within 50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25785; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"SelectAll",nocase; content:"execCommand|28 22|Justify",nocase; content:"execCommand|28 22|Justify",nocase; content:"SelectAll",nocase; content:"</script>",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25786; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"<script>",nocase; content:"SelectAll",nocase; content:"execCommand|28 22|Justify",nocase; content:"execCommand|28 22|Justify",nocase; content:"SelectAll",nocase; content:"</script>",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25787; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer iframe use after free attempt"; flow:to_server,established; file_data; content:"<iframe",nocase; content:!"src=",within 40; content:"></iframe"; content:"window.open",nocase; content:"name",nocase; pcre:"/<iframe[^>]+name\s*=\s*[\x22\x27](?P<iframe_name>\w+)[\x22\x27].*?><\x2fiframe\s*>.*?window\x2eopen\x28.{1,30}(?P=iframe_name).*?window\x2eopen\x28.{1,60}(?P=iframe_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25789; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SVG object user after free attempt"; flow:to_client,established; file_data; content:"image x=|22|60|22| y=|22|50|22| width=|22|240|22| height=|22|240|22| xlink|3A|href=|22|2.svg"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-admin; sid:25792; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25984; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25985; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|3C|script|3E|",nocase; content:"|2E|style|2E|behavior",nocase; content:"|23|default|23|userData",distance 0,nocase; content:"setAttribute|28|"; pcre:"/(?P<obj>[A-Z\d_]+)\x2Estyle\x2Ebehavior\s*\x3D\s*\x22url\x28\x27\x23default\x23userData\x27\x29\x22.*?(?P=obj)\x2EsetAttribute\x28[^,]+,\s*[A-Z]/smi"; content:"|3C 2F|script|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25986; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ani; file_data; content:"RIFF",depth 4; content:"ACON",within 4,distance 4; content:"anih",distance 0,nocase; byte_test:4,>,36,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079; rev:19; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 2D-position use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand"; content:"2D-position",within 100,fast_pattern,nocase; content:"contenteditable",distance 0,nocase; content:"true",within 10,nocase; content:"onresize",distance 0,nocase; content:"document.write",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26125; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_client,established; flowbits:isset,file.htc; file_data; content:"<PUBLIC:PROPERTY"; content:"PUT",distance 0; content:"CollectGarbage()"; pcre:"/<PUBLIC:PROPERTY[^>]*?PUT\s*=\s*[\x22\x27](?P<func>\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26129; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_server,established; flowbits:isset,file.htc; file_data; content:"<PUBLIC:PROPERTY"; content:"PUT",distance 0; content:"CollectGarbage()"; pcre:"/<PUBLIC:PROPERTY[^>]*?PUT\s*=\s*[\x22\x27](?P<func>\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26130; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:"behavior",nocase; content:"url",within 5,nocase; content:"#savehistory",distance 0,fast_pattern,nocase; content:".outerHTML",distance 0,nocase; pcre:"/<\s*meta[^>]*?(?>content\s*=\s*"history"[^>]*?name\s*=\s*"save"|name\s*=\s*"save"[^>]*?content\s*=\s*"history")\s*>.*?<\s*style[^>]*?>.*?\.(?P<class>\w+)\s*\{[^}]*?behavior\s*\:[^\;]*?url\s*\x28[^\x29]*?#savehistory[^\x29]*?\x29.*?(?P<element>\w+)\.outerHTML\s*=.*?id\s*=\s*[\x22\x27](?P=element)[\x22\x27].*?class=[\x22\x27]?(?P=class)[\x23\x27]?/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26132; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_server,established; file_data; content:"behavior",nocase; content:"url",within 5,nocase; content:"#savehistory",distance 0,fast_pattern,nocase; content:".outerHTML",distance 0,nocase; pcre:"/<\s*meta[^>]*?(?>content\s*=\s*"history"[^>]*?name\s*=\s*"save"|name\s*=\s*"save"[^>]*?content\s*=\s*"history")\s*>.*?<\s*style[^>]*?>.*?\.(?P<class>\w+)\s*\{[^}]*?behavior\s*\:[^\;]*?url\s*\x28[^\x29]*?#savehistory[^\x29]*?\x29.*?(?P<element>\w+)\.outerHTML\s*=.*?id\s*=\s*[\x22\x27](?P=element)[\x22\x27].*?class=[\x22\x27]?(?P=class)[\x23\x27]?/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26133; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<title onreadystatechange ="; content:"style = '-ms-behavior: url(",within 50,distance 10,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26134; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:".saveHistory {behavior|3A|url(#default#savehistory)|3B|}"; content:"CLASS=saveHistory onsave=",nocase; content:"setTimeout"; content:"document.open()"; content:"document.createElement(",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26135; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_server,established; file_data; content:".saveHistory {behavior|3A|url(#default#savehistory)|3B|}"; content:"CLASS=saveHistory onsave=",nocase; content:"setTimeout"; content:"document.open()"; content:"document.createElement(",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26136; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 onBeforeCopy use after free attempt"; flow:to_client,established; file_data; content:"<body onload=|27|document.execCommand(|22|SelectAll|22|)|3B 27| onbeforecopy="; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26137; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 onBeforeCopy use after free attempt"; flow:to_server,established; file_data; content:"<body onload=|27|document.execCommand(|22|SelectAll|22|)|3B 27| onbeforecopy="; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26138; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26216; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26217; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26218; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26219; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26220; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26221; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26222; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26223; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26224; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26225; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer isComponentInstalled attack attempt"; flow:to_client,established; file_data; content:"isComponentInstalled|28|boom"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2006-1016; reference:bugtraq,16870; classtype:attempted-user; sid:13912; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; file_data; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26569; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_server,established; file_data; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26571; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_server,established; file_data; content:"|3C 3F|IMPORT namespace=|22|",nocase; content:"implementation=|22|#default#VML|22 3E|",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:26584; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/perflog",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26622; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/proxy",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26623; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_client,established; file_data; content:"language=vbs",depth 200; content:"<script",within 200,distance -150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26624; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_server,established; file_data; content:"language=vbs",depth 200; content:"<script",within 200,distance -150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26625; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setInterval focus use after free attempt"; flow:to_client,established; file_data; content:"setInterval"; content:".focus()",within 100; content:"history.go(0)"; pcre:"/setInterval\s*\x28[^\x29]+\x2efocus\x28\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:attempted-admin; sid:26629; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26630; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_server,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26631; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement|28|",depth 100,nocase; content:".innerHTML",distance 0,nocase; content:"document.body.appendChild|28|",distance 0; content:"document.styleSheets",distance 0,nocase; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|function",distance 0,nocase; content:"onload=|27|setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26634; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement|28|",nocase; content:".innerHTML",distance 0,nocase; content:"document.body.appendChild|28|",distance 0; content:"document.styleSheets",distance 0,nocase; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|function",distance 0,nocase; content:"onload=|27|setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26635; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_client,established; file_data; content:".focusNode"; content:"focusNode.dispatchEvent",distance 0; content:"CollectGarbage",distance 0; content:"previousSibling",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26636; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_server,established; file_data; content:".focusNode"; content:"focusNode.dispatchEvent",distance 0; content:"CollectGarbage",distance 0; content:"previousSibling",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26637; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt"; flow:to_client,established; file_data; content:"#default#VML"; content:".dashstyle.array.length"; pcre:"/\.dashstyle\.array\.length\s*?=[^\x3b]*?-\s*?\d/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58570; reference:cve,2013-2551; reference:url,osvdb.org/show/osvdb/91197; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26638; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:".runtimeStyle",within 100,fast_pattern,nocase; content:".border",within 100,nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26641; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement(",nocase; content:".runtimeStyle",within 100,fast_pattern,nocase; content:".border",within 100,nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26642; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html reload loop attempt"; flow:to_client,established; file_data; content:"onload"; content:"location.reload",within 25; content:"iframe"; pcre:"/onload\s*\x3D\s*[\x22\x27]?location\.reload\s*\x28/smi"; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:cve,2013-1306; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:misc-activity; sid:26633; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26668; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26753; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_server,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26754; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE9 layout engine memory corruption attempt"; flow:to_client,established; file_data; content:"}catch|28|"; content:"|29|{}try{",within 10; content:"obj,obj,obj,obj,obj"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26844; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_client,established; file_data; content:"window.open",nocase; content:".eval",distance 0; content:"document.designMode",distance 0,fast_pattern,nocase; content:"on",distance 0,nocase; content:"window.getSelection",distance 0,nocase; content:"document.designMode",distance 0,nocase; content:"off",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26845; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_server,established; file_data; content:"window.open",nocase; content:".eval",distance 0; content:"document.designMode",distance 0,nocase; content:"on",distance 0,nocase; content:"window.getSelection",distance 0,nocase; content:"document.designMode",distance 0,nocase; content:"off",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26846; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_client,established; file_data; content:"for (var i = 0|3B| i < param.childNodes.length|3B| i++)"; content:"document.selection.createRange().pasteHTML('<td>2<nobr>')"; content:"document.selection.createRange().pasteHTML('<td>3')"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3125; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26847; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE5 compatibility mode user after free attempt"; flow:to_client,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:".runtimeStyle.setExpression"; content:"document.body.innerHTML"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26851; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26852; rev:2; )
-alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_server,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26853; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_client,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26867; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_server,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26868; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagNameNS(",nocase; content:"www.w3.org",within 50,nocase; content:"removeAttributeNS(",nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26869; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagNameNS(",nocase; content:"www.w3.org",within 50,nocase; content:"removeAttributeNS(",nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26870; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"www.w3.org",nocase; content:"document.getElementsByTagNameNS(",within 100,nocase; content:"removeAttributeNS(",within 100,nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26871; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"www.w3.org",nocase; content:"document.getElementsByTagNameNS(",within 100,nocase; content:"removeAttributeNS(",within 100,nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26872; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; content:"document.createStyleSheet",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26873; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; content:"document.createStyleSheet",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26874; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"div1.removeEventListener( |27|DOMNodeRemoved|27|, callback, true )"; content:"addEventListener"; content:"DOMNodeRemoved",within 40; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26875; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 cached display node use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|input|22|)[0].focus()"; content:"document.getElementsByTagName(|22|input|22|)[0].applyElement(a)"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3116; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26876; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 tree element use after free attempt"; flow:to_client,established; file_data; content:"document.getElementById",nocase; content:"appendChild",within 50,nocase; content:"ClientRects",within 50,fast_pattern,nocase; content:"p id",distance 0; content:"p id",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26878; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"history.go(0)"; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26883; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"location.reload("; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26884; rev:2; )
-alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"history.go(0)"; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26886; rev:3; )
-alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"location.reload("; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26887; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"jquery"; content:"document.createElement",nocase; content:".document.body.appendChild(",within 100,nocase; content:".replaceAll(",within 150,nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26888; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"jquery"; content:"document.createElement",nocase; content:".document.body.appendChild",within 100,nocase; content:".replaceAll",within 150,nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26889; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt"; flow:to_client,established; file_data; content:"CollectGarbage()"; content:".createElement",nocase; content:"xml",within 10,nocase; content:".setAttributeNode",within 100,nocase; content:".XMLDocument",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26890; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".exe."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26935; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".html."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE[56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26936; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".bat."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26937; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"ele1.addEventListener( |27|DOMNodeRemoved|27|, eHandler, false )"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26988; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27061; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27062; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27100; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27101; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setCapture use after free attempt"; flow:to_client,established; file_data; content:".getElementById(",nocase; content:".setCapture(",within 50,fast_pattern,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3150; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27126; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27127; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_server,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27128; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_client,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27129; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_server,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27130; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('progress'))|3B|document.getElementsByTagName"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27131; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer PreviousTreePos use after free attempt"; flow:to_client,established; file_data; content:".onpropertychange"; content:".swapNode|28|",within 64; pcre:"/\.onpropertychange\s*=\s*function[^{]*?\{[^}]*?\w+\.swapNode\x28/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27132; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27133; rev:1; )
-alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_server,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27134; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"createTHead"; content:"insertAdjacentHTML"; content:"scrollIntoView"; content:"insertRow"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3152; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27135; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27137; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27138; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 IE5 compatibility mode use after free attempt"; flow:established,to_client; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:"event.srcElement.parentNode.removeChild|28|"; content:"document.body.appendChild|28|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-admin; sid:27147; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt"; flow:to_client,established; file_data; content:"function",nocase; content:"document.write",within 25,nocase; content:"onbeforeeditfocus=",within 100,nocase; content:"<input",within 25,nocase; content:"</input>",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27148; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt"; flow:to_server,established; file_data; content:"function",nocase; content:"document.write",within 25,nocase; content:"onbeforeeditfocus=",within 100,nocase; content:"<input",within 25,nocase; content:"</input>",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27149; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.execCommand(",nocase; content:"SelectAll",within 9,distance 1,nocase; content:"document.getElementsByName(",within 100,nocase; content:"document.execCommand(|22|Justify",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27150; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.getElementsByName(",nocase; content:"document.execCommand(|22|Justify",within 200,nocase; content:"document.execCommand(",within 100,nocase; content:"SelectAll",within 9,distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27151; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; content:"document.execCommand(",nocase; content:"SelectAll",within 9,distance 1,nocase; content:"document.getElementsByName(",within 100,nocase; content:"document.execCommand(|22|Justify",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27152; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; content:"document.getElementsByName(",nocase; content:"document.execCommand(|22|Justify",within 200,nocase; content:"document.execCommand(",within 100,nocase; content:"SelectAll",within 9,distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27153; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer pElement member use after free attempt"; flow:to_client,established; file_data; content:".removeChild(document.getElementsByTagName(",nocase; content:"bdo",within 10,nocase; content:"CollectGarbage()",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3145; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27154; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_client,established; file_data; content:"<table",nocase; content:"<td",distance 0; content:".getElementsByTagName("; content:"column-count",distance 0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27156; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_server,established; file_data; content:"<table",nocase; content:"<td",distance 0; content:".getElementsByTagName("; content:"column-count",distance 0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27157; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"document.body.appendChild(",within 100,nocase; content:"applyElement(",within 100,fast_pattern,nocase; content:"innerHTML",within 100,nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27171; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"document.createElement(",nocase; content:"document.body.appendChild(",within 100,nocase; content:"applyElement(",within 100,fast_pattern,nocase; content:"innerHTML",within 100,nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27172; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_client,established; file_data; content:"<MARQUEE"; content:".removeNode"; content:"document.execCommand"; content:"selectAll",within 15; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27220; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_server,established; file_data; content:"<MARQUEE"; content:".removeNode",nocase; content:"document.execCommand",nocase; content:"selectAll",within 15,nocase; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27221; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera asynchronous document modifications attempted memory corruption"; flow:to_client,established; file_data; content:"function loop|28 29|"; content:"setInterval|28|doit,0|29|",distance 0; content:"function doit|28 29|",distance 0; content:"document.write",distance 0; content:"setInterval|28|loop,0|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,secunia.com/advisories/39590/; reference:url,www.opera.com/support/kb/view/953/; classtype:attempted-user; sid:16592; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:" for"; content:"document.createElement(|27|canvas|27|)",within 100,nocase; content:"getContext(|27|2d|27|)",within 200,nocase; content:"createImageData(",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24432; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray(1024*1024)|3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24433; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_client,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25621; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_server,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25622; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"SendPlayStateChangeEvents",fast_pattern,nocase; content:"event=|22|playStateChange|28|state|29 22|>onstatechange",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:16537; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS FileSystemObject function call"; flow:to_client,established; file_data; content:"Scripting.FileSystemObject"; content:"<script",nocase; content:"Scripting.FileSystemObject",distance 0,nocase; content:"</script>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3934; classtype:policy-violation; sid:21447; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft DirectShow ActiveX exploit via JavaScript"; flow:to_client,established; file_data; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-032; classtype:attempted-user; sid:15678; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX buffer overflows attempt"; flow:to_client,established; file_data; content:"url"; content:"toolbar",distance 0; content:"enableZoomPastMax",distance 0; content:"classid=|22|clsid|3A|{3F0EECCE-E138-11D1-8712-0060083D83F5}",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16589; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AtHocGov IWSAlerts ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"AtHocGovGSTlBar.GSHelper.1"; content:".CompleteInstallation|28|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.fortiguard.com/encyclopedia/vulnerability/athocgov.iwsalerts.activex.buffer.overflow.html; classtype:attempted-user; sid:16599; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SaschArt SasCam Webcam Server ActiveX control exploit attempt"; flow:to_client,established; file_data; content:"clsid|3A|0297D24A-F425-47EE-9F3B-A459BCE593E3",nocase; content:"unescape|28|",within 300,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33053; reference:cve,2008-6898; classtype:attempted-user; sid:16715; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; pcre:"/var num \x3D (-1|168430090)\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:16740; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4588; classtype:attempted-user; sid:16771; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX object access attempt"; flow:to_client,established; file_data; content:"|3D| new ActiveXObject|28 22|ChilkatCrypt2|2E|ChilkatCrypt2|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16789; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|3352B5B9-82E8-4FFD-9EB1-1A3E60056904|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16790; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Roxio CinePlayer SonicDVDDashVRNav.dll ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23412; reference:cve,2007-1559; classtype:attempted-user; sid:17060; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17086; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VeryDOC PDF Viewer ActiveX control OpenPDF buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|433268D7-2CD4-43E6-AA24-2188672E7252|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17091; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AOL IWinAmpActiveX class ConvertFile buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6|27|"; content:"ConvertFile"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35028; classtype:attempted-user; sid:17098; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer ActiveX Import playlist name buffer overflow attempt"; flow:to_client,established; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; content:"aaaaaaaaaaaaaaaaaa",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26130; reference:cve,2007-5601; classtype:attempted-user; sid:17425; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX exploit attempt"; flow:to_client,established; file_data; content:"E9880553-B8A7-4960-A668-95C68BED571E"; content:"unescape|28 27 25 75 34|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:17555; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Backup Exec ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"clsid|3A|22ACD16F-99EB-11D2-9BB3-00400561D975"; content:"unescape|28|"; content:"|25|u",within 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26904; reference:cve,2007-6016; classtype:attempted-user; sid:16672; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX exploit attempt"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; content:"unescape|28 22 25|u",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27534; reference:bugtraq,27756; reference:cve,2008-5711; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:17654; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Office Viewer ActiveX arbitrary command execution attempt"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5",nocase; content:"targetObject.OpenWebFile|28|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:17701; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"poc|2E|avi",fast_pattern,nocase; content:"event|3D 22|playStateChange|28|foo|29 22 3E|boom",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:18542; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"path|20 3D 20|theForm|2E|address|2E|value|3B|"; content:"ctrl|2E|Open|28|path|29 3B|",distance 0; content:"classid|3D 27|clsid|3A|B09DE715|2D|87C1|2D|11D1|2D|8BE3|2D|0000F8754DA1|27 20|id|3D 27|ctrl|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32613; reference:cve,2008-4255; classtype:attempted-user; sid:18601; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX exploit attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28|'LPViewer.LPViewer.1'|29|"; content:"unescape",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16588; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; content:"num|20 3D 20|168430090"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:20901; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23376; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23375; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23374; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B6C10489-FB89-11D4-93C9-006008A7EED4\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23373; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23372; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23304; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a06-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23303; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23302; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23301; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e6-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23300; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23299; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23298; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c1-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23297; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23296; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MSXML2.FreeThreadedDOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))MSXML2\.FreeThreadedDOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23295; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23294; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23293; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f33-c551-11d3-89b9-0000f81fe221"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23292; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23291; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23290; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.FreeThreadedXMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.FreeThreadedXMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23289; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf91-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23288; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.XMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.XMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23287; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf90-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23286; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a05-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23146; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e5-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23145; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c0-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23144; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23143; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23142; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access"; flow:to_client,established; file_data; content:"WMEnc.WMEncProfileManager"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=v)\s*\.\s*GetDetailsString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=n)\s*\.\s*GetDetailsString\s*)\s*\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14257; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"A8D3AD02-7508-4004-B2E9-AD33F087F43C",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetDetailsString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetDetailsString))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14255; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxTocCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13670; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX clsid access"; flow:to_client,established; file_data; content:"314111b8-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111b8-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13668; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxIndexCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13674; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"314111c6-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111c6-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13672; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX function call access"; flow:to_client,established; file_data; content:"Forms.Image"; pcre:"/(?P<c>\w+)\s*=\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13459; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"4C599241-6926-101B-9992-00000B65C6F9",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4C599241-6926-101B-9992-00000B65C6F9\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13457; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSHierarchicalFlexGridLib.MSHFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Rows\s*|.*(?P=v)\s*\.\s*Rows\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*Rows\s*|.*(?P=n)\s*\.\s*Rows)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15102; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"0ECD9B64-23AA-11D0-B351-00A0C9055D8E",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q22)(\s|>).*(?P=id1)\s*\.\s*(Rows)|<object\s*[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q23)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Rows))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15100; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSFlexGridLib.MSFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FormatString\s*|.*(?P=v)\s*\.\s*FormatString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*FormatString\s*|.*(?P=n)\s*\.\s*FormatString)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15098; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"6262D3A0-531B-11CF-91F6-C2863C385E30",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(FormatString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(FormatString))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15096; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access"; flow:to_client,established; file_data; content:"MsRDP.MsRDP",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=v)\s*\.\s*MsRdpClientShell\.RdpFileContents\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=n)\s*\.\s*MsRdpClientShell\.RdpFileContents)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15863; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access"; flow:to_client,established; file_data; content:"4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(MsRdpClientShell\.RdpFileContents)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(MsRdpClientShell\.RdpFileContents))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15861; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.Spreadsheet",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15691; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E559-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E559-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15689; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC10.Spreadsheet",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15687; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E541-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E541-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15685; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX function call access"; flow:to_client,established; file_data; content:"mscomctl2.animation",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Open\s*|.*(?P=v)\s*\.\s*Open\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\)(\s*\.\s*Open\s*|.*(?P=n)\s*\.\s*Open\s*)\s*\(/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15086; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q37>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q37)(\s|>).*(?P=id1)\s*\.\s*(Open)|<object\s*[^>]*\s*classid\s*=\s*(?P<q38>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q38)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(Open))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15084; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by ProgID"; flow:to_client,established; file_data; content:"ActiveXObject",nocase; content:"TDCCtl.TDCCtl",distance 0,fast_pattern,nocase; content:"DataURL",nocase; pcre:"/(?P<obj>[A-Z\d_]+)\s*=\s*new\s*ActiveXObject\x28(?P<q1>\x22|\x27|)TDCCtl\.TDCCtl(\.\d)?(?P=q1).*?(?P=obj)\.DataURL\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16511; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by CLSID"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83",nocase; content:"DataURL",nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*333C7BC4-460F-11D0-BC04-0080C7055A83\s*}?(?P=q1)/smi"; pcre:"/(?P<obj>[A-Z\d_]+)\.DataURL\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16510; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX clsid access"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13419; rev:16; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS obfuscated instantiation of ActiveX object - likely malicious"; flow:to_client,established; file_data; content:"new ActiveXObject|28|",nocase; content:"unescape|28|",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3558; classtype:attempted-user; sid:17571; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Tabular Control ActiveX overflow by CLSID / param tag"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83",nocase; content:"<param",distance 0,nocase; content:"DataURL",distance 0,nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*333C7BC4-460F-11D0-BC04-0080C7055A83\s*}?(?P=q1)/smi"; pcre:"/<param[^>]+(name\s*=\s*(?P<q2>\x22|\x27|)DataURL(?P=q2)[^>]+value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})|value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})[^>]+name\s*=\s*(?P<q3>\x22|\x27|)DataURL(?P=q3))/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19893; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX function call"; flow:to_client,established; file_data; content:"WebViewFolderIcon.WebViewFolderIcon.1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:8419; rev:14; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"E5DF9D10-3B52-11D1-83E8-00A0C90DC849"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:7985; rev:13; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL cdda URI overflow attempt"; flow:to_client,established; file_data; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; content:"cdda|3A 2F 2F|",nocase; isdataat:100,relative; pcre:"/cdda\x3A\x2F\x2F[^\s\x22\x27]{100}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44144; reference:cve,2010-3747; classtype:attempted-user; sid:18578; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"ReleaseContext"; pcre:"/(?P<c>\w+)\s*=\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18329; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"AddContextRef"; pcre:"/(?P<c>\w+)\s*=\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18242; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"Excel.OActrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11183; rev:11; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B965"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11181; rev:12; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office PowerPoint Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22B92"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q19>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q19)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q20>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q20)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23733; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2494; reference:url,moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html; classtype:attempted-user; sid:11176; rev:13; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Viewer 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F288F2"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m11>\x22|\x27|)(?P<id1>.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P<q24>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q24)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open)|<object\s*[^>]*\s*classid\s*=\s*(?P<q25>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q25)(\s|>)[^>]*\s*id\s*=\s*(?P<m12>\x22|\x27|)(?P<id2>.+?)(?P=m12)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:15230; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Word Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22BF2"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q14)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q15)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23784; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2496; reference:url,moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html; classtype:attempted-user; sid:11187; rev:11; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX clsid access"; flow:to_client,established; file_data; content:"FC13BAA2-9C1A-4069-A221-31A147636038"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(Connect)|<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(Connect))/Osi"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,31129; reference:cve,2008-4110; classtype:attempted-user; sid:14756; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX function call access"; flow:to_client,established; file_data; content:"TheFacebook.FacebookPhotoUploader4.4.1"; pcre:"/(?P<c>\w+)\s*=\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=v)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=n)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13421; rev:16; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX function call access"; flow:to_client,established; file_data; content:"SAPBExCommonResources.BExGlobal",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Execute\s*|.*(?P=v)\s*\.\s*Execute\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\)(\s*\.\s*Execute\s*|.*(?P=n)\s*\.\s*Execute\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17616; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX clsid access"; flow:to_client,established; file_data; content:"A009C90D-814B-11D3-BA3E-080009D22344",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Execute)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Execute))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17614; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft ciodm.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17596; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft creator.dll 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"F849164D-9863-11D3-97C6-0060084856D4"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17595; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft creator.dll 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"606EF130-9852-11D3-97C6-0060084856D4"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17594; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft msdxm.ocx ActiveX clsid access"; flow:to_client,established; file_data; content:"8E71888A-423F-11D2-876E-00A0C9082467"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17593; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Research In Motion AxLoader ActiveX clsid access"; flow:to_client,established; file_data; content:"4788DE08-3552-49EA-AC8C-233DA52523B9"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4788DE08-3552-49EA-AC8C-233DA52523B9\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33663; reference:cve,2009-0305; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15311; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VMWare VMCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"38DB77F9-058D-4955-98AA-4A9F3B6A5B06"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GuestInfo)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GuestInfo))\s*\(/Osi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30934; reference:cve,2008-3892; classtype:attempted-user; sid:14611; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service Agent ActiveX function call"; flow:to_client,established; file_data; content:"DWUSWebAgent.WebAgent"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14765; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Autodesk LiveUpdate ActiveX clsid access"; flow:to_client,established; file_data; content:"89EC7921-729B-4116-A819-DF86A4A5776B"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(ApplyPatch)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(ApplyPatch))\s*\(/Osi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31490; reference:cve,2008-4472; classtype:attempted-user; sid:14748; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Lotus Domino Web Access ActiveX Controls buffer overflow attempt"; flow:to_client,established; file_data; isdataat:1024; content:"ctrl.InstallBrowserHelperDll",nocase; content:"General_ServerName",nocase; content:!">",within 1024; pcre:"/(3BFFE033-BF43-11d5-A271-00A024A51325|iNotes6\.iNotes6|E008A543-CEFB-4559-912F-C27C2B89F13B|dwa7\.dwa7|983A9C21-8207-4B58-BBB8-0EBC3D7C5505|dwa85?\.dwa85?|75AA409D-05F9-4f27-BD53-C7339D4B1D0A)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38457; reference:cve,2010-0919; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21421808; classtype:attempted-user; sid:17545; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Data Source Control 11.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E55B-0000-0000-C000-000000000046"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteRecordSourceIfUnused)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteRecordSourceIfUnused))\s*\(/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19069; reference:bugtraq,24462; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/show/osvdb/27111; classtype:attempted-user; sid:8723; rev:11; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS OWC11.DataSourceControl.11 ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.DataSourceControl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19069; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/show/osvdb/27111; classtype:attempted-user; sid:9820; rev:10; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX function call access"; flow:to_client,established; file_data; content:"Altiris.AeXNSPkgDL",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=v)\s*\.\s*(Download|DownloadAndInstall)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=n)\s*\.\s*(Download|DownloadAndInstall)\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17094; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Download|DownloadAndInstall)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Download|DownloadAndInstall))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17092; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS IBM Access Support ActiveX clsid access"; flow:to_client,established; file_data; content:"74FFE28D-2378-11D5-990C-006094235084"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetXMLValue)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetXMLValue))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34228; reference:cve,2009-0215; classtype:attempted-user; sid:16746; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 31 ActiveX clsid access"; flow:to_client,established; file_data; content:"D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q49>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6\s*}?\s*(?P=q49)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14148; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Silverlight privilege escalation attempt"; flow:to_client,established; file_data; content:"System.Net.Sockets|00|SocketAsyncEventArgs",nocase; content:"MemberwiseClone",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-admin; sid:21299; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"name=|22|docbase|22| value=|22 27| + ",nocase; content:"sBoF",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:18245; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"40EC20B2-61B4-4cdd-B4BD-F1E462C0E398"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3807; classtype:attempted-user; sid:24525; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"C668B648-A2BD-432C-854F-C8C0A275E1F1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3808; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24526; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"7650BC47-036D-4D5B-95B4-9D622C8D00A4"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3806; classtype:attempted-user; sid:24527; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3807; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24528; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"0D080D7D-28D2-4F86-BFA1-D582E5CE4867"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchInstaller)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchInstaller))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26193; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_server; file_data; content:"0D080D7D-28D2-4F86-BFA1-D582E5CE4867"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchInstaller)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchInstaller))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26194; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Google Apps mailto URI argument injection attempt"; flow:to_client,established; file_data; content:"|22|%20--domain=|22|",nocase; content:"--renderer-path|3D|",nocase; content:"%20--no-sandbox%20"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36581; classtype:attempted-user; sid:26250; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Metalink file download parameter buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.metalink; file_data; content:"<url"; content:"http://",within 100; isdataat:1024,relative; content:!"</url",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-1602; classtype:attempted-user; sid:26421; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Winds3D Player SceneURL method command execution attempt"; flow:to_client,established; file_data; content:"clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903"; content:"|3C|param name|3D 22|SceneURL|22| value|3D 22|http|3A 2F 2F|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2386; reference:cve,2009-4850; classtype:attempted-user; sid:16785; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"3384F595-9B10-4139-9893-7E4CB1F11875"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(OpenConnection)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(OpenConnection))/siO"; metadata:policy security-ips drop,service http; reference:cve,2013-0674; reference:url,osvdb.org/show/osvdb/91311; classtype:attempted-user; sid:26497; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"WebClientInstall.RegReader"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=v)\s*\.\s*OpenConnection\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=n)\s*\.\s*OpenConnection\s*)/smiO"; metadata:policy security-ips drop,service http; reference:cve,2013-0674; reference:url,osvdb.org/show/osvdb/91311; classtype:attempted-user; sid:26498; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26524; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_server,established; file_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26525; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"HSCRemoteDeploy.RemoteInstaller"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=v)\s*\.\s*LaunchInstaller\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=n)\s*\.\s*LaunchInstaller\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26573; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_server; file_data; content:"HSCRemoteDeploy.RemoteInstaller"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=v)\s*\.\s*LaunchInstaller\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=n)\s*\.\s*LaunchInstaller\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26574; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value",within 10; base64_decode:bytes 1000,offset 2, relative; base64_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26646; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_server,established; file_data; content:"jnlp_embedded"; content:"value",within 10; base64_decode:bytes 1000,offset 2, relative; base64_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26647; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"META-INF/services/java.sql.Driver"; content:"Fakedriver",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58504; reference:cve,2013-1488; reference:url,osvdb.org/show/osvdb/91472; classtype:attempted-user; sid:26899; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit menu onchange memory corruption attempt"; flow:to_client,established; file_data; content:"window.layoutTestController"; content:"eventSender.keyDown|28 22|e|22 29 3B|",distance 0; content:"eventSender.keyDown|28 22 5C|r|22 2C 20 5B 5D 29 3B|",distance 0; content:"document.body.offsetTop|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43083; reference:cve,2010-1814; classtype:attempted-user; sid:19009; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"p|20 7B 20|display|3A 20|run|2D|in|20 7D|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|child|29 3B|"; content:"document.getElementById|28 22|test|22 29|.appendChild|28|document.getElementById|28 22|sibling|22 29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19004; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"elem.setAttribute|28 22|style|22 2C 20 22|display|3A 20|run|2D|in|22 29 3B|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|elem|29 3B|"; content:"document.getElementById|28 22|output|22 29|.appendChild|28|document.getElementById|28 22|block-sibling|22 29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19003; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit removeAllRanges use-after-free attempt"; flow:to_client,established; file_data; content:"window|2E|getSelection|28 29 2E|selectAllChildren"; content:"style|2E|display|20 3D 20 27|none|27|",distance 0; content:"window|2E|getSelection|28 29 2E|removeAllRanges",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43079; reference:cve,2010-1812; classtype:attempted-user; sid:18995; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit range object remote code execution attempt"; flow:to_client,established; file_data; content:"document.addEventListener(|22|DOM",nocase; content:".innerHTML|20 3D|",distance 0,nocase; content:"document.createRange|28 29 3B|",distance 0,nocase; content:".extractContents|28 29 3B|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,46746; reference:cve,2011-0115; classtype:attempted-user; sid:18770; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|img width=0.3133731337313373133731337"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18295; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var Overflow = |22|31337|22 20 2B 20|0|2E|313373133731337313373133731337"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18294; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var pi=3+0.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852"; content:"document.write|28 22|Area = pi*|28|r^2|29 22|+pi*|28|radius*radius|29 29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:16145; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari innerHTML use after free exploit attempt"; flow:to_client,established; file_data; content:"setTimeout",nocase; content:"document.body.innerHTML",distance 0,nocase; content:"document.getElementById(",distance 0,nocase; content:".innerHTML",distance 0,nocase; pcre:"/setTimeout.*?\x7b[^\x7d]*document\.body\.innerHTML.*?\x7d.*document\.getElementById\x28(?P<q1>\x22|\x27|)(?P<m1>\w+?)(?P=q1)\x29\.innerHTML.*?div\s+id\s*\x3d\s*(?P<q2>\x22|\x27|)(?P=m1)(?P=q2)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48844; reference:cve,2011-0221; classtype:attempted-user; sid:21189; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Microsoft Windows 7 x64 Apple Safari abnormally long iframe exploit attempt"; flow:to_client,established; file_data; content:"<iframe",fast_pattern,nocase; content:"height|3D|",within 50,nocase; pcre:"/<iframe[^>]*?height\x3d\s*[\x22\x27]?\s*[0-9]{6}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,51122; reference:cve,2011-5046; reference:url,osvdb.org/show/osvdb/77908; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-008; classtype:attempted-dos; sid:20999; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point conversion memory corruption attempt"; flow:to_client,established; file_data; content:"debug|28 2D|parseFloat|28 22|NAN|28|ffffe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43047; reference:cve,2010-1807; classtype:attempted-user; sid:19008; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit ParentStyleSheet exploit attempt"; flow:to_client,established; file_data; content:".sheet.rules["; pcre:"/getElementById\(\x22(.*?)\x22\)\.sheet\.rules\[\d+\].*?([A-Z\d_]+)\s*=\s*document\.getElementById\(\x22\1\x22\).*?\s+\2\.parentElement/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,svnsearch.org/svnsearch/repos/WEBKIT/search?logMessage=51993; classtype:attempted-user; sid:18508; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Phoenix exploit kit post-compromise behavior"; flow:to_server, established; http_header; content:"Accept-Encoding: identity, *|3B|q=0"; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.0|3B| Windows 98)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; reference:url,contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html; classtype:successful-user; sid:21860; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure"; flow:to_client,established; file_data; content:"<script>try{"; content:"++",within 20,nocase; content:"}catch(",within 10,nocase; content:"}catch(",within 50; pcre:"/\x3cscript\x3etry\x7b\w+\x2b\x2b([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24054; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure"; flow:to_client,established; file_data; content:"<html><body><applet/code=|22|"; content:"/archive=|22|",within 20; content:".jar",within 20; content:"<param/nam=",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24053; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; http_uri; content:"?page="; pcre:"/\?page\=[a-f0-9]{16}/smi"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:impact_flag red,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23849; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole redirection page"; flow:to_client,established; file_data; content:"width|3D 27|10|27| height|3D 27|10|27| style|3D 27|visibility|3A|hidden|3B|position|3A|absolute|3B|left|3A|0|3B|top|3A|0|3B 27 3E 3C 2F|iframe|3E 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,www.urlquery.net/report.php?id=113788; classtype:trojan-activity; sid:23797; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - Math.round catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.round",within 50,nocase; content:"}catch(",within 10,nocase; pcre:"/Math\x2eround([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23786; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - Math.floor catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.floor",within 50,nocase; content:"}catch(",within 10,nocase; pcre:"/Math\x2efloor([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23785; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page"; flow:to_client,established; file_data; content:"<html><body><script>z=function(){"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:23781; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole landing page request - tkr"; flow:to_server,established; http_uri; content:".php?"; content:"src=",distance 0; content:"&gpr=",distance 0; content:"&tkr=",distance 0,fast_pattern; pcre:"/src=\d+&gpr=\d+&tkr[ib]?=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,urlquery.net/report.php?id=90530; classtype:trojan-activity; sid:23622; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"<h",nocase; content:"><b>Please wait a moment. You will be forwarded..",within 54,distance 1,nocase; content:"</h",within 10; content:"></b>|0D 0A|",within 7,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23159; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype-"; content:"}catch(",distance 0; pcre:"/prototype\x2d([^\x7d]{1,5})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23158; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; http_uri; content:"src.php?case="; pcre:"/src.php\?case\=[a-f0-9]{16}/smi"; flowbits:set,kit.blackhole; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22949; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing redirection page"; flow:to_client,established; file_data; content:"document.location|3D 27|http|3A 2F 2F|"; content:"showthread.php?t=",distance 0; pcre:"/showthread\.php\?t\=[a-f0-9]{16}\x27\x3b/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22041; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"ype|22|].q}catch("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,research.zscaler.com/2012/04/multiple-hijacking.html; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22040; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22039; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Exploit landing page with specific structure - Loading"; flow:to_client,established; file_data; content:"|0D 0A 0D 0A|<h1><b>Loading...Please Wait...</b>|0D 0A 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21876; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - catch"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"}catch(qq"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:21661; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Landing Page Requested - /Index/index.php"; flow:to_server,established; http_uri; content:"/Index/index.php"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21660; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Landing Page Requested - /Home/index.php"; flow:to_server,established; http_raw_uri; bufferlen:15; http_uri; content:"/Home/index.php"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21659; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole possible landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<span style=|22|display:none|3B 22|>safsaf(|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21658; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Applet landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><applet/"; content:"archive=",distance 0; content:"code=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21657; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific header"; flow:to_client,established; file_data; content:"<h3>Page is loading, please wait..</h3>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21549; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific header"; flow:to_client,established; file_data; content:"<h1>Loading ... Please Wait.... </h1>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21539; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Exploit Kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code=",nocase; content:"|20|archive=",distance 0,nocase; content:"display|3A|none|3B|",distance 0,nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit pdf download"; flow:to_client, established; flowbits:isset, blackhole.pdf; http_header; content:"application/pdf"; file_data; pkt_data; content:"arr="; pcre:"/\d+(.)\d+\1\d+\1\d+\1\d+\1\d+\1/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21344; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole exploit kit pdf request"; flow:to_server,established; http_uri; content:"adp",fast_pattern; content:".php?",within 5,distance 1,nocase; pcre:"/adp\d?\.php\?[fe]=/"; flowbits:set,blackhole.pdf; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21343; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit response"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"window.document"; content:"split"; pcre:"/\d{1,3}(.)\d{1,3}\1\d{1,3}\1\d{1,3}\1\d{1,3}\1/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21259; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT possible Blackhole landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>|0D 0A|if(window.document)"; pcre:"/(,\d{1,3}){20}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21045; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT possible Blackhole landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>"; content:"new Date().getDay"; pcre:"/(#\d{1,2}){20}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21044; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI Nuclear Pack exploit kit binary download"; flow:to_server,established; http_uri; content:"/g/",depth 3; http_raw_uri; bufferlen:47; http_uri; pcre:"/g\/\d{9}\/[0-9a-f]{32}\/[0-9]$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23157.txt; classtype:trojan-activity; sid:23157; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"EXPLOIT-KIT URI Nuclear Pack exploit kit landing page"; flow:to_server,established; http_uri; content:"/index.php?"; http_raw_uri; bufferlen:43; http_uri; pcre:"/index.php\?[0-9a-f]{32}$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23156.txt; classtype:bad-unknown; sid:23156; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI possible Blackhole URL - search.php?page="; flow:to_server, established; http_uri; content:"/search.php?page="; pcre:"/search\.php\?page=[a-f0-9]{16}$/"; flowbits:set,kit.blackhole; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21348; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Fake transaction redirect page to exploit kit"; flow:to_client,established; file_data; content:"<h2>Wait your order</h2>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/spam-scams/paypal-payment-notification-leads-to-blackhole-exploit-kit.html; classtype:attempted-user; sid:23141; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - taskkill"; flow:to_client,established; file_data; content:"exec "; content:"taskkill /F /IM"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21875; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse"; flow:to_client,established; file_data; content:"Createobject(StrReverse("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21874; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit rhino jar request"; flow:to_client,established; file_data; content:"archive='rhin.jar'"; content:"archive='Goo.jar'",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:attempted-user; sid:21509; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimepack exploit kit malicious pdf request"; flow:to_server, established; http_uri; content:"/pdf.php?pdf="; pcre:"/pdf\.php\?pdf=[0-9A-F]+&type=\d+&o=[^&]+&b=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21099; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimepack exploit kit landing page"; flow:to_client, established; file_data; content:"charCodeAt(0)+13)?c:c-26)|3B|}).replace(/@/g,'A').replace(/!/g,'B').replace(/#/g,'C')"; content:"= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='|3B|"; pcre:"/var ([^\s]+) = ''\x3Bvar ([^,]+), ([^,]+).*\1 = \1 \+ String\.fromCharCode\(\2\).*\!= 64\) \{ \1 = \1 \+ String\.fromCharCode\(\3\)\x3b\}.*\x3breturn unescape\(\1\)\x3b\}return 0\x3b\}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21098; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit exploit fetch request"; flow:to_server, established; http_header; content:"?spl="; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21069; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Eleanore exploit kit landing page"; flow:to_client, established; file_data; content:"X-Powered-By|3A| PHP/5.2.0|0D 0A|Content-type|3A| text/html|0D 0A 0D 0A|?>X-Powered-By|3A| PHP/5.2.0|0D 0A|"; content:"?>X-Powered-By: PHP/5.2.0",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21068; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Repeated Exploit Request Pattern"; flow:to_server,established; http_uri; content:"images.php?t="; pcre:"/^images.php\?t=\d{2,7}$/"; detection_filter:track by_src, count 5, seconds 15; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,labs.snort.org/docs/23218.txt; classtype:trojan-activity; sid:23218; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit Java Exploit request to .class file"; flow:to_server,established; http_uri; content:".class"; pcre:"/^\/\w{1,2}\/\w{1,3}\.class$/"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23219; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Java Exploit Requested - 5 digit jar"; flow:to_server,established; http_raw_uri; bufferlen:10; http_uri; content:".jar"; pcre:"/^\/[0-9]{5}\.jar$/"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23220; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT RedKit Landing Page Received - applet and 5 digit jar attempt"; flow:to_client,established; file_data; content:"<applet"; pcre:"/<applet[^>]+(archive|src)\s*?=\s*?(\x22|\x27|)\s*?(\d{5}\.jar|[^>]+\/\d{5}\.jar)/smi"; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23222; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Landing Page Requested - 8Digit.html"; flow:to_server,established; http_raw_uri; bufferlen:14; http_uri; content:".html"; pcre:"/^\/[0-9]{8}\.html$/"; flowbits:set,kit.redkit; flowbits:noalert; metadata:service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23224; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT RedKit Landing Page Received - applet and flowbit"; flow:to_client,established; flowbits:isset,kit.redkit; file_data; content:"<applet"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23225; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-2008-2992"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21678; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call attempt"; flow:to_server,established; http_uri; content:".php?e=Adobe-2010-1297"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21679; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-2010-2884"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21680; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-80-2010-0188"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21681; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-90-2010-0188"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21682; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-0842Helper"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21683; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-0842"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21684; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-3552"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21685; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=JavaSignedApplet"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21686; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT SET java applet load attempt"; flow:to_client,established; file_data; content:"<applet width=|22|1|22| height=|22|1|22|",fast_pattern; content:"<param name=|22|WINDOWS|22| value=",distance 0,nocase; content:"<param name=|22|OSX|22| value=",distance 0,nocase; content:"<param name=|22|LINUX|22| value=",distance 0,nocase; content:"<param name=|22|64|22| value=",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:23106; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI request for known malicious URI /stat2.php"; flow:to_server,established; http_uri; content:"/stat2.php?w=",nocase; content:"i=",distance 0,nocase; pcre:"/stat2\.php\?w=\d+\x26i=[0-9a-f]{32}\x26a=\d+/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf; reference:url,www.virustotal.com/file-scan/report.html?id=567e2dcde3c182056ef6844ef305e1f64d4ce1bf3fa09d8cdc019cca5e73f373-1318617183; reference:url,www.virustotal.com/file/8380bd105559643c88c9eed02ac16aef82a16e62ef82b72d3fa85c47b5441dc7/analysis/; classtype:trojan-activity; sid:20558; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit pdf exploit page request"; flow:to_server, established; http_header; content:"?spl=2"; http_uri; content:"/pdf.php"; http_header; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21070; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit post-exploit page request"; flow:to_server, established; http_uri; content:"load.php?spl="; pcre:"/load\.php\?spl=(Spreadsheet|DirectX_DS|MS09-002|MS06-006|mdac|RoxioCP v3\.2|wvf|flash|Opera_telnet|compareTo|jno|Font_FireFox|pdf_exp|aol|javad|ActiveX_pack)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21071; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimepack exploit kit control panel access"; flow:to_client, established; file_data; content:"<title>CRiMEPACK"; pcre:"/<title>CRiMEPACK [\d\.]+</title>/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:policy-violation; sid:21096; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimepack exploit kit post-exploit download request"; flow:to_server, established; http_uri; content:"/load.php?spl="; pcre:"/^\/load\.php\?spl=[^&]+&b=[^&]+&o=[^&]+&i=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:successful-user; sid:21097; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious taskkill script - StrReverse"; flow:to_client,established; file_data; content:"|22|taskkill"; content:"StrReverse",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23147; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious StrReverse - Shell"; flow:to_client,established; file_data; content:"StrReverse|28 22|llehS"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23148; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious StrReverse - Scripting.FileSystemObject"; flow:to_client,established; file_data; content:"StrReverse|28 22|tcejbOmetsySeliF.gnitpircS"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23149; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page received"; flow:to_client,established; file_data; content:"value="; content:"N0b09090",within 10; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24226; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 - Landing Page Received"; flow:to_client,established; file_data; content:"<applet"; content:".php?",distance 0; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{10,64}&[a-z]{2,12}=.*?&[a-z]{2,12}=/"; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24228; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"if(navigator.javaEnabled()) {"; content:"document.write(",within 30; content:"php?",within 75; pcre:"/(action|setup)=[a-z]{1,4}/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24231; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?action=",nocase; content:"&h=",distance 0,nocase; pcre:"/\&h=\d{5}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24232; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?setup=",nocase; pcre:"/setup=[a-z]$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24233; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?setup=",nocase; content:"&s=",distance 0,nocase; content:"&r=",distance 0,nocase; pcre:"/setup=[a-z]\&s=\d\&r=\d{5}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24234; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown exploit kit redirection page"; flow:to_client,established; file_data; content:"<script",nocase; content:"|3D 22|constructor|22 3B|var|20|",distance 0,fast_pattern,nocase; content:"|27 3B|var appVersion_var|3D 22|",distance 0,nocase; content:"].apply(document_body_var,[",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,jsunpack.jeek.org/?report=bf7e015d53808a6e94365139395d4d29e5d41840; classtype:trojan-activity; sid:24344; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole v2 fallback executable download"; flow:to_server,established; http_uri; content:"/adobe/update_flash_player.exe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:24501; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole admin page inbound access attempt"; flow:to_server,established; http_uri; content:"/bhadmin.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24543; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole admin page outbound access attempt"; flow:to_server,established; http_uri; content:"/bhadmin.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24544; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page download attempt"; flow:to_client,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24546; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"try{",within 20,nocase; content:"}catch(",within 20,nocase; content:"try{",within 20; content:"}catch(",within 20; content:"=new Array(",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24547; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"try{",within 20,nocase; content:"}catch(",within 20,nocase; content:"try{",within 20; content:"}catch(",within 20; content:"=window[",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24548; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page received - specific structure"; flow:to_client,established; file_data; content:"<html><head><title></title></head><body><div ",depth 60; pcre:"/body\x3e\x3cdiv\s[a-z]{3}\x3d\x22[a-z]{3}\x22/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24593; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT Blackholev2 landing page download attempt"; flow:to_server,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24608; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT Blackholev2 redirection page - specific structure"; flow:to_server,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24636; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 redirection page - specific structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24637; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 redirection successful"; flow:to_server,established; http_uri; content:"/forum/links/column.php"; http_header; content:".ru|3A|8080|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24638; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT KaiXin pack attack vector attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24667; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT KaiXin pack attack vector attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24668; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT KaiXin pack attack vector attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24669; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT KaiXin pack attack vector attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24670; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit possible redirection attempt"; flow:to_server,established; http_uri; content:"/i.php?token="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24785; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java Exploit request structure"; flow:to_server,established; http_uri; content:"j.php?t=u"; http_header; content:"content-type"; content:"x-java-archive|0D 0A|",distance 0; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24786; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit Java Exploit download"; flow:to_client,established; http_header; content:" filename="; content:".jar|0D 0A|",distance 0; pcre:"/filename\=[a-z0-9]{24}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24787; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit PDF Exploit request structure"; flow:to_server,established; http_uri; content:"p3.php?t=u"; content:"&oh=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24788; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit PDF Exploit download attempt"; flow:to_client,established; http_header; content:"application/pdf"; content:"Content-Disposition|3A| inline|3B| filename="; content:".pdf|0D 0A|",distance 0; pcre:"/filename=[a-z0-9]{12}[0-9]{12}\.pdf/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24789; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Portable Executable request"; flow:to_server,established; http_uri; content:"load.php?e=u"; content:"&token=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24790; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit Portable Executable download"; flow:to_client,established; http_header; content:" filename="; content:".exe|0D 0A|",distance 0; pcre:"/filename\=[a-z0-9]{24}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24791; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT KaiXin Exploit Kit Java Class download"; flow:to_client,established; file_data; content:"PK",depth 2; content:"GondadGondadExp.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; reference:url,urlquery.net/report.php?id=222114; classtype:trojan-activity; sid:24793; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible malicious Jar download attempt - specific-structure"; flow:to_client,established; http_header; content:"|3B 20|filename|3D|",nocase; content:".jar",within 4,distance 8,nocase; pcre:"/filename\x3d\w{8}\.jar/i"; file_data; pkt_data; content:"PK|03 04|",depth 4; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-0422; classtype:trojan-activity; sid:24798; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Blob",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24839; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange landing page - JAR redirection"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|",within 12,distance 6; content:"|22| width|3D 22|",within 12,distance 9; content:"|22| height|3D 22|",within 12; content:"|0D 0A|<param",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24840; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sibhost Exploit Kit outbound JAR download attempt"; flow:to_server,established; http_uri; content:"?s="; content:"&m=",within 3,distance 1; pcre:"/^\x2f[A-Za-z0-9]{33}\?s=\d\&m=\d$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:24841; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific-structure"; flow:to_client,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>",within 11; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24860; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT Blackholev2 landing page in an email"; flow:to_server,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>",within 11; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24861; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24862; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT Blackholev2 landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24863; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24864; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT Blackholev2 landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24865; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear Exploit Kit landing page detected"; flow:to_client,established; file_data; content:"{if(typeof"; content:"))|3B|}}return this|3B|}",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:24888; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT ProPack Exploit Kit outbound connection attempt"; flow:to_server,established; http_uri; content:"/build2/serge/opafv.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,urlquery.net/search.php?q=build2%2Fserge&type=string&start=2012-11-22&end=2012-12-07&max=50; reference:url,www.malwaredomainlist.com/mdl.php?search=build2%2Fserge&colsearch=Domain&quantity=50&inactive=on; classtype:trojan-activity; sid:24977; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT ProPack Exploit Kit outbound payload request"; flow:to_server,established; http_uri; content:".php?j=1&k="; http_header; content:" Java/1"; http_uri; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24978; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT ProPack Exploit Kit outbound connection"; flow:to_server,established; http_uri; content:"/build/agrde/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24979; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Java User-Agent flowbit set"; flow:to_server,established; http_header; content:"User-Agent|3A 20|"; content:"Java/1.",fast_pattern; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./"; flowbits:set,java_user_agent; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25041; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible Exploit Kit"; flow:to_client,established; flowbits:isset,java_user_agent; http_header; content:!"FTB_Launcher.exe",nocase; content:"filename="; file_data; pkt_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/11/cve-2012-5076-massively-adopted.html; classtype:trojan-activity; sid:25042; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 url structure detected"; flow:to_server,established; http_uri; content:".php?"; content:"|3A|",within 7,distance 2; content:"|3A|",within 1,distance 2; content:"|3A|",within 1,distance 2; content:"|3A|",within 1,distance 2; pkt_data; content:"&",distance 0; http_uri; pcre:"/\.php\?[a-z]{2,8}=[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\&[a-z]{2,8}=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25043; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Collocation",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:25044; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Cool Exploit Kit requesting payload"; flow:to_server,established; http_uri; content:"/f.php?k="; pcre:"/\/f\.php\?k=\d/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/10/newcoolek.html; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:25045; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java V6 exploit download"; flow:to_server,established; http_uri; content:"/j16.php?i="; http_header; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25046; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java V7 exploit download"; flow:to_server,established; http_uri; content:"/j17.php?i="; http_header; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25047; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit PDF Library exploit download"; flow:to_server,established; http_uri; content:"/lpdf.php?i="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25048; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/pdfx.html"; pcre:"/\/pdfx\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25136; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit exe outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:>150; http_uri; content:"/getmyfile.exe?o=1&h="; pcre:"/\/[a-zA-Z0-9]{150,}\/getmyfile\.exe\?o=1\&h=11$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25140; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit redirection attempt"; flow:to_client,established; file_data; content:"<iframe name="; content:"=auto frameborder=no align=center height=2 width=2 src=http|3A|//",within 75,distance 10; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25255; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT redirect to malicious java archive attempt"; flow:to_client,established; file_data; content:"|3C|applet archive|3D 22 2F|read|2F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25301; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page detected"; flow:to_client,established; file_data; content:"<div class=|27|"; content:"=)</div>",within 45; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25324; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit malicious jar file dropped"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"mac.classPK",nocase; content:"test.classPK",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25382; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - info.exe"; flow:to_client,established; http_header; content:"filename="; content:"info.exe",within 9,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25383; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - contacts.exe"; flow:to_client,established; http_header; content:"filename="; content:"contacts.exe",within 13,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25384; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - calc.exe"; flow:to_client,established; http_header; content:"filename="; content:"calc.exe",within 9,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25385; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - about.exe"; flow:to_client,established; http_header; content:"filename="; content:"about.exe",within 10,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25386; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - readme.exe"; flow:to_client,established; http_header; content:"filename="; content:"readme.exe",within 12,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25387; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 redirection successful"; flow:to_server,established; http_uri; content:"/forum/links/public_version.php"; http_header; content:".ru|3A|8080|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25388; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|",within 15,distance 5; content:".class|22| width=|22|",within 30,distance 5; content:"|22| height=|22|",within 25; content:"<param",within 25; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25389; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<h1>Open your server</h1>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25390; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Red Dot landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|",within 12,distance 1; content:"width=|22|100|22| height=|22|100|22|>",within 50; content:"<param name|22|guid"; content:"|22| value=|22|",within 10; content:"<param name=|22|thread"; content:"|22| value=|22|",within 10; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25538; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Red Dot java retrieval attempt"; flow:to_server,established; http_raw_uri; bufferlen:6; http_uri; content:"/"; content:".jar",within 4,distance 1; pcre:"/\/\[fx]\.jar$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25539; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Red Dot executable retrieval attempt"; flow:to_server,established; http_uri; content:"/load.php?guid=",nocase; content:"&thread=",distance 0,nocase; content:"&exploit=",distance 0,nocase; content:"&version=",within 9,distance 1,nocase; pkt_data; content:"&rnd=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25540; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit redirection"; flow:to_client,established; file_data; content:"{ var"; content:"= document.createElement(|27|iframe|27|)|3B|"; content:".src = |27|http|3A 2F 2F|"; content:"|27 3B| ",distance 0; content:".style.position = |27|absolute|27 3B|",distance 0; content:".style.border = |27|0|27 3B| ",distance 0; content:".style.height = |27|1px|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:25558; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT JDB Exploit kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>33; http_uri; content:"/jdb/inf.php?id="; pcre:"/\/jdb\/inf\.php\?id=[a-f0-9]{32}$/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25559; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT JDB Exploit kit landing page"; flow:to_client,established; file_data; content:"setTimeout(|22|alert(|27|Adobe Flash must be updated to view this, please install the latest version!|27|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25560; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT JDB Exploit Kit landing page"; flow:to_client,established; file_data; content:"<applet width=|27|0px|27| height=|27|0px|27| code=|22|"; content:"|22| archive=|22|data",within 50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25561; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>32; http_uri; content:"/q.php"; pcre:"/\/[a-f0-9]{32}\/q\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 Exploit Kit landing page"; flow:to_client,established; file_data; content:"<PARAM VALUE=|22|"; content:"|22| NAME=|22|CODE|22|><PARAM NAME=|22|ARCHIVE|22| VALUE=|22|",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25569; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole v2 landing page - specific structure"; flow:to_client,established; file_data; content:"<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25590; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page - specific structure"; flow:to_client,established; file_data; content:"<script>try"; content:"}catch(",within 50; content:"}try{if(",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25591; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 redirection successful"; flow:to_server,established; http_uri; content:"/forum/links/news.php"; http_header; content:".ru|3A|8080|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25611; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Oracle Java Unknown exploit kit java dropped file"; flow:to_client,established; file_data; content:"PK",depth 2; content:"XHbNaqRg.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:25651; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit kit jar file dropped"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"BurkinoGoso.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25803; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Whitehole exploit kit initial redirection successful"; flow:to_server,established; http_uri; content:"/?java="; pcre:"/\/\?java\=[0-9]{2,4}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25804; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval"; flow:to_server,established; http_uri; content:"/Java"; content:".jar?java="; pcre:"/\/Java([0-9]{1,2})?\.jar\?java=[0-9]{2}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25805; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Whitehole Exploit Kit landing page"; flow:to_client,established; file_data; content:"document.write (|27|<iframe src=http|3A 2F 2F|"; content:".jar?java=98 width=10 height=10><param name=http value="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25806; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure"; flow:to_client,established; file_data; content:"<html><head><title>Please Wait...</title></head><body><script>function"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:25808; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit possible plugin detection attempt"; flow:to_server,established; http_uri; content:"/js/rdps.js"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25821; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit malicious PDF retrieval"; flow:to_server,established; http_uri; content:"/p5.php?t="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25822; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java V5 exploit download"; flow:to_server,established; http_uri; content:"/j15.php?i="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25823; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit malicious payload retrieval"; flow:to_server,established; http_uri; content:"/i8.php?jquery="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25824; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Cool Exploit Kit PDF exploit"; flow:to_server,established; http_uri; content:"/world/",depth 7,fast_pattern; content:".pdf",distance 0,nocase; http_header; content:"Referer|3A 20|"; http_uri; pcre:"/\/world\/[^\x2f]*\.pdf/i"; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/world\//"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25857; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit Java exploit download"; flow:to_client,established; file_data; content:"PK",depth 2; content:"SunJCE.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25858; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"<applet"; content:"SunJCE.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25860; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit java exploit retrieval"; flow:to_client,established; file_data; content:"PK",depth 2; content:"arttqa.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.virustotal.com/en/file/762bb7087cbde34e8c4be5daf34732c280be7d30e4070fb159c09eb9dbccf5f0/analysis/; classtype:trojan-activity; sid:25861; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit java exploit retrieval"; flow:to_client,established; file_data; content:"PK",depth 2; content:"cpnakc.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.virustotal.com/en/file/762bb7087cbde34e8c4be5daf34732c280be7d30e4070fb159c09eb9dbccf5f0/analysis/; classtype:trojan-activity; sid:25862; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:25948; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"try{document.body++|3B|}catch(q){"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25952; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"<div id=|22|heap_allign|22|></div>|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25953; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit former location - has been removed"; flow:to_client,established; file_data; content:"<b>ERROR 404 CONTENT</b>"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25960; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT g01pack browser check attempt"; flow:to_client,established; file_data; content:"|21 28 2F 28|Firefox|7C|Chrome|7C|Linux|7C|Mac OS|29 2F|.test|28|navigator.userAgent|29 29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/01/30/speedtest-net-g01pack-exploit-kit/; classtype:trojan-activity; sid:25982; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><td><h1>Loading... Please Wait.</h1></td><script>document.write("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25988; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Gong Da exploit kit redirection page received"; flow:to_client,established; file_data; content:"+=|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22 3B|}catch(e){var"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:26013; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sibhost exploit kit"; flow:to_server,established; http_uri; content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost; classtype:trojan-activity; sid:26020; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"<head><title></title></head><body><object WIDTH=|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26031; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 iframe redirection attempt"; flow:to_client,established; file_data; content:"try{"; content:"++}catch(",within 15; content:"{try{",within 20; content:"}catch(",within 20; content:"=|22|",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26033; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - stats access"; flow:to_server,established; http_uri; content:".php?action=stats_access"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26034; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - java on"; flow:to_server,established; http_uri; content:".php?action=stats_javaon"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26035; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java Exploit"; flow:to_server,established; http_uri; content:"/amor",fast_pattern; content:".jar",within 6; http_header; content:" Java/"; http_uri; pcre:"/^\/amor\d{0,2}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4681; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26036; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"amor.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4681; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26037; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; http_uri; content:"/jhan.jar?r="; pcre:"/^\/jhan.jar?r=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26038; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; http_uri; content:"/jmx.jar?r="; pcre:"/^\/jmx.jar?r=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26039; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt"; flow:to_server,established; http_uri; content:"/Plugin.cpl"; http_header; content:" Java/1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26040; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt"; flow:to_server,established; http_uri; content:"/x4.gif"; http_header; content:" Java/1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26041; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - stats loaded"; flow:to_server,established; http_uri; content:".php?action=stats_loaded"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26042; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt"; flow:to_server,established; http_uri; content:"/Instal.jpg"; http_header; content:" Java/1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26043; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - redirection attempt"; flow:to_server,established; http_uri; content:".php?action=jv&h="; pcre:"/\.php\?action=jv\&h=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26044; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - setup"; flow:to_server,established; http_uri; content:".php?setup=d&s="; pcre:"/\.php\?setup=d\&s=\d+\&r=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26045; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"<html><head></head><body><applet code=|22|hw|22| archive=|22|http|3A|//"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26046; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit redirection structure"; flow:to_client,established; file_data; content:"<html><head><meta http-equiv=|22|refresh|22| content=|22|0|3B|url=http|3A 2F 2F|"; content:"|22|></meta></head></html>",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26047; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Styx Exploit Kit Landing Page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22 20|code=|22|",within 25; content:"|22 20|name=|22|",within 25; content:"|22|>|0D 0A|<param name=|22|",within 25; content:"|22 20|value=|22|http|3A 2F 2F|",within 25; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:26090; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool exploit kit landing page "; flow:to_client,established; file_data; content:"<applet code=|22|MyApplet.class|22| archive=|22|http|3A 2F 2F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:26091; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:".class|22| width=|22|10|22| height=|22|9|22|>|0D 0A|<param value=|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26094; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"|3D 5B|0x9,0x9,0x2f,0x2a,0x2a,0xa,0x9,0x9,0x20,0x2a,0x20,"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26095; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"try{}catch("; content:"}try{",within 50; content:"}catch(",within 50; content:"|3B|n=|5B|",within 100; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26096; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit Java archive transfer"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"JHelper.classPK"; content:"Foo.classPK"; content:"JPlayer.classPK"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1723; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26097; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit Java archive transfer"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"JHelper.classPK"; content:"JHelper.datPK"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26098; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"if (navigator.appName == |27|Microsoft Internet Explorer|27|) {"; content:"document.write(|27|<applet archive=|22|http|3A|//",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26099; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"<applet archive=|27|http|3A 2F 2F|"; content:"|27| code=|27|JHelper|27| width=|27|",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26100; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"navigator.javaEnabled()"; content:"document.write(|27|",within 100; content:"<script src=|22|",distance 0; pcre:"/\.js\/\?[a-z]+\=[a-z]{1,4}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26226; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>16; http_uri; content:"/q.php"; pcre:"/\/[a-f0-9]{16}\/q\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26227; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool exploit kit redirection page"; flow:to_client,established; file_data; content:".jar|22| code=|22|MyApplet"; content:"|22|></applet><",distance 0; pcre:"/code\=\x22MyApplet(\.class)?\x22><\/applet/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26228; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Cool exploit kit MyApplet class retrieval"; flow:to_server,established; http_raw_uri; bufferlen:21; pkt_data; content:"/world/MyApplet.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26229; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<script>p=parseInt|3B|ss=String|3B|asgq="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26232; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|",within 25; content:".class|22|",within 25; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26233; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact exploit kit landing page"; flow:to_client,established; file_data; content:"<applet code=|22|"; content:".class|22| archive=|22|",distance 0; content:".jar|22| width=|22|1|22| height=|22|1|22|><param name=|22|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2010-0188; reference:cve,2012-1723; reference:cve,2012-5076; reference:cve,2013-0422; classtype:trojan-activity; sid:26252; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; file_data; content:"<object classid=|22|clsid|3A|8AD9C840-044E-11D1-B3E9-00805F499D93|22| codebase=|22|"; content:"<param NAME=|22|ARCHIVE|22| VALUE=|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26253; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool exploit kit redirection page"; flow:to_client,established; file_data; content:".jar|22| code="; content:"Applet|22|></applet><",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26254; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool exploit kit malicious jar download"; flow:to_client,established; file_data; content:"MyApplet$MyBufferedImage.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26256; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 82 ( msg:"EXPLOIT-KIT Sakura Exploit Kit exploit request"; flow:to_server,established; content:"/news/thing.php"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26293; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|",within 50; content:"|22| name=|22|",within 50; content:"<param name=|22|",within 20,distance 5; content:"|22| value=|22|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26296; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Styx exploit kit redirection page"; flow:to_client,established; file_data; content:"var"; content:"=|22|pdf|22|",within 25; content:"location.href=",within 250; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26297; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit redirection page"; flow:to_client,established; file_data; content:"<frame marginwidth=0 marginheight=0 frameborder=0 name=|22|TOPFRAME|22|"; content:"index.php?id="; content:"noresize>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:26323; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"prototype|3B|}catch("; content:".substr",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26337; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(gdsg"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26338; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval - ff.php"; flow:to_server,established; http_raw_uri; bufferlen:>16; http_uri; content:"/ff.php"; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/ff\.php/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26339; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"<applet name="; content:" code=",within 100; content:" archive=",within 100; content:"http|3A 2F 2F|",within 50; content:".jar",distance 0; content:" codebase=",distance 0; pcre:"/[a-z0-9]{32}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26341; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<div class="; content:"retwretrewt",within 11,distance 1; content:">|3A|)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26342; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"id="; content:"swf_id",within 6,distance 1; content:"<param name=",distance 0; content:"Play",within 4,distance 1; content:" value=",within 7,distance 1; content:"0",within 1,distance 1; content:"><embed src=",distance 1; content:"http|3A 2F 2F|",within 8,distance 1; content:".swf"; pcre:"/[a-z0-9]{32}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26343; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar",distance 0; content:" code=",within 6,distance 1; content:"Application.class",within 17,distance 1; content:">",within 1,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26344; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; http_raw_uri; bufferlen:18<>21; http_uri; content:".html?h="; pcre:"/\/[a-z]{4}\.html\?h\=\d{6,7}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26345; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit payload requested"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:".html"; http_header; content:" Java/1",fast_pattern; http_uri; pcre:"/\/\d{2}\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26346; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit java exploit delivery"; flow:to_client,established; file_data; content:"Application.class"; content:"Fazan.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26348; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit obfuscated portable executable"; flow:to_client,established; http_header; content:"filename=setup.exe"; file_data; pkt_data; content:"|8B 7F AA 11 CE 52 0A 3D 76|",depth 9; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26349; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit successful redirection"; flow:to_server,established; http_uri; content:"/count"; content:".php",within 4,distance 2; pcre:"/\/count\d{2}\.php$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26350; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar",distance 0; content:" code=",within 6,distance 1; content:"Java.class",within 10,distance 1; content:">",within 1,distance 1; content:"<param name=",distance 0; content:"name",within 4,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26351; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit java exploit request"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:".jar"; http_header; content:" Java/1"; pkt_data; content:"content-type|3A| application/x-java-archive",fast_pattern,fast_pattern_offset 20,fast_pattern_length 20; http_uri; pcre:"/\/([0-9][0-9a-z]{2}|[0-9a-z][0-9][0-9a-z]|[0-9a-z]{2}[0-9])\.jar$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26377; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; http_raw_uri; bufferlen:18<>21; http_uri; content:".html?i="; pcre:"/\/[a-z]{4}\.html\?i\=\d{6,7}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26383; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; http_raw_uri; bufferlen:18<>21; http_uri; content:".html?j="; pcre:"/\/[a-z]{4}\.html\?j\=\d{6,7}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26384; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit jar file downloaded"; flow:to_client,established; file_data; content:"Suburb.class"; content:"Suburb013.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26434; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit malicious jar archive download"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"hw.classPK"; content:"test.classPK"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25302; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit jar file redirection"; flow:to_client,established; file_data; content:"<body><applet archive="; content:"http|3A 2F 2F|",within 8,distance 1; content:".jar",distance 0; content:"code=",distance 0; content:"hw",within 2,distance 1; content:"></applet>",within 10,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26506; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"(window[|22|qgq|22|](new Array("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26507; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - info.dll"; flow:to_client,established; http_header; content:"filename="; content:"info.dll",within 9,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26508; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bottom.class"; content:"Bottom10.class",distance 0; content:"Bottom11.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26509; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit pdf payload detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"evrewrwervwe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26510; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura Exploit kit redirection structure"; flow:to_client,established; file_data; content:"<iframe id="; content:"frmstyle",within 8,distance 1; content:" src=",within 5,distance 1; content:"http|3A 2F 2F|",within 7,distance 1; content:" height=",within 250; content:"frameborder=0></iframe>",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26511; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Big.class"; content:"Big010.class",distance 0; content:"Big011.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26512; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit logo transfer"; flow:to_client, established; flowbits:isset,file.jpeg; file_data; content:"|FB 27 68 DE 2D D6 BF E0 AC BF B5 82 78 7B 5C F0|"; content:"|AE 6E 3C CD EE AE BF 33 F5 0F 58 D5 2D 74 3D 2A|",distance 0; content:"|04 67 82 31 5F 1F 7F C1 62 A7 D4 EC FC 71 FB 31|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:string-detect; sid:21510; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub"; flow:to_client,established; file_data; content:"MZ",depth 2; isdataat:62,relative; content:"|2F 2A 14 20|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt"; flow:to_server,established; http_uri; content:"/info/last/index.php"; http_header; pcre:"/^Host:\s*?[a-f0-9]{63,64}\./im"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26527; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Stamp Exploit Kit portable executable download"; flow:to_server,established; http_uri; content:"/elections.php?"; http_header; content:" Java/1."; http_uri; pcre:"/\/elections\.php\?([a-z0-9]+\x3d\d{1,3}\&){9}[a-z0-9]+\x3d\d{1,3}$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0431; classtype:trojan-activity; sid:26534; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit landing page - specific structure"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value=",distance 0; content:"PD",within 2,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26535; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Stamp Exploit Kit landing page"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar",within 30,distance 5; content:" code=",within 30; content:".class",within 30,distance 5; content:" width=",within 30; content:" height=",within 25; content:"<param",within 25; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26536; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit jar download detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main.class"; content:"NOnoa.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26537; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit landing page received"; flow:to_client,established; file_data; content:"<html><body></body><input id=|27|"; content:"|27| value=|27 25|",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26538; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit pdf download detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<< /CreationDate (D|3A|20130404171020)>>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26539; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"try{document.body-=12|3B|}catch(dv32r3)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26540; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Multiple Exploit kit successful redirection - jnlp bypass"; flow:to_server,established; http_uri; content:"php?jnlp="; pcre:"/php\?jnlp\=[a-f0-9]{10}($|\x2c)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26541; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; http_header; content:".com-"; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/i"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26562; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT unknown exploit kit script injection attempt"; flow:to_client,established; file_data; content:"|22|+escape|28|",depth 100; content:".charCodeAt|28|",distance 0; content:"</script>id=",within 64,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatpost.com/d-c-media-sites-hacked-serving-fake-av/; classtype:trojan-activity; sid:26591; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"/*reedjoll*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26599; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"var sentleft=|7B|versoin|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26600; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"|7B|catch(d21vd12v)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26617; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Mutiple exploit kit landing page - specific structure"; flow:established,to_client; file_data; content:"<applet><param name=|22|jnlp_href|22| value=|22|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/; classtype:trojan-activity; sid:26653; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:established,to_client; file_data; content:"<applet"; content:"archive=",distance 0; content:" code=",within 25; content:" width=",within 25; content:" height=",within 25; content:"<param",within 50; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26804; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit encrypted binary download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|FB 67 1F 49|",depth 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26805; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit short JNLP request"; flow:to_server,established; http_uri; content:".jnlp"; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26806; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"|7C|secure|7C|length|7C|setStr|7C|getCookie|7C|setCookie|7C|indexOf|7C|v|7C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26807; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit short jar request"; flow:to_server,established; http_uri; content:".jar"; http_header; content:" Java/1."; content:"content-type|3A| application/x-java-archive"; http_uri; pcre:"/^\/[a-z0-9]{1,4}\.jar$/"; http_header; content:!"cbssports.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26808; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; http_uri; bufferlen:17; content:"/linkendorse.html"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26814; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sweet Orange landing page in.php base64 uri"; flow:to_server,established; http_uri; content:"/in.php"; content:"&q=",distance 0; content:"==",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; http_uri; content:"/natpay.html?"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26838; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit executable download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".exe",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit jar file download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".jar",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit landing page"; flow:to_client,established; file_data; content:"<script src="; content:"js/js.js",distance 1; content:"AdobeReader",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26893; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Java V6 exploit download"; flow:to_server,established; http_uri; content:"/j161.php?i="; http_header; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26894; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Java V7 exploit download"; flow:to_server,established; http_uri; content:"/j07.php?i="; http_header; content:" Java/1.7"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26895; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Plugin detection response"; flow:to_server,established; http_uri; content:"/gate.php?ver="; content:"&p=",distance 0; content:"&j=",distance 0; content:"&f=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26896; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit malware download"; flow:to_server,established; http_uri; content:"/load.php?e="; content:"&ip=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26897; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit inbound java exploit download"; flow:to_client,established; http_header; content:"filename=atom.jar"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit inbound java exploit download"; flow:to_client,established; http_header; content:"filename=site.jar"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width="; content:"0",within 1,distance 1; content:" height=",within 8,distance 1; content:"0",within 1,distance 1; content:" code=",within 6,distance 1; content:"site.avi",within 8,distance 1,nocase; content:" archive=",within 9,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26949; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; http_uri; content:"/?f=s"; content:"&k=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:26950; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotCachef/DotCache Exploit Kit Malvertising Campaign URI request"; flow:to_server,established; http_uri; content:"/.cache/?f=",fast_pattern; content:".jar"; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:26951; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 1"; flow:to_server,established; http_uri; content:".php?exp=byte&b="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26956; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 2"; flow:to_server,established; http_uri; content:".php?exp=lib&b="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26957; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 3"; flow:to_server,established; http_uri; content:".php?exp=atom&b="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26958; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 4"; flow:to_server,established; http_uri; content:".php?exp=rhino&b="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26959; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Zuponcic Exploit kit redirection received"; flow:to_client,established; file_data; content:"<iframe style="; content:"z-index|3A| -1",within 11,distance 1; content:"scrolling="; content:"no",within 2,distance 1; content:"src=",within 4,distance 2; content:"http|3A 2F 2F|",within 7,distance 1; content:"mt",within 50,distance 10; content:" id=",within 4,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26960; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><script>"; content:"var",within 3,distance 1; content:"document.createElement"; content:"iframe",within 6,distance 2; content:".setAttribute(",distance 0; content:"document.body.appendChild(",distance 0,fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26961; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flim exploit kit portable executable download"; flow:to_client,established; file_data; content:"|4F CF 6A BC A1 03 01 00 69|",depth 9; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26962; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; http_uri; content:".php?b="; content:"&v=1.",distance 0; pcre:"/\.php\?b=[A-F0-9]+&v=1\./"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26985; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit Portable Executable downloaded when mp3 is declared"; flow:to_client,established; http_header; content:"filename="; content:"mp3",within 25; content:"|0D 0A|",within 4; file_data; pkt_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27005; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"<link href=|27|"; content:".css|27| rel=|27|stylesheet|27|><link href=|27|",within 100; content:"{a={plugins|3A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27026; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection jorg"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/jorg.html"; pcre:"/\/jorg\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection jlnp"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/jlnp.html"; pcre:"/\/jlnp\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection jovf"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/jovf.html"; pcre:"/\/jovf\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(qwqw){"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27067; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 malicious jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Tretre.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27068; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 malicious portable executable download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"c|3A 5C|Soft|5C|cebhlpod.txt"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27069; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>16; http_uri; content:"/a.php"; pcre:"/\/[a-f0-9]{16}\/a\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27071; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>32; http_uri; content:"/a.php"; pcre:"/\/[a-f0-9]{32}\/a\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27072; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nailed exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<html > <head > <title > Loading"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27078; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nailed exploit kit landing page stage 2"; flow:to_client,established; file_data; content:"global_exploit_list[exploit_idx].resource"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27079; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit Firefox exploit download - autopwn"; flow:to_server,established; http_uri; content:"/ff_svg/1.bin"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0757; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27080; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit Internet Explorer exploit download - autopwn"; flow:to_server,established; http_uri; content:"/ie_exec/2.html"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27081; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit flash remote code execution exploit download - autopwn"; flow:to_server,established; http_uri; content:"/flash_atf/",fast_pattern; content:".swf",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1535; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27082; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn"; flow:to_server,established; http_uri; content:"/jmxbean/1.jar"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0422; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27083; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit rhino remote code execution exploit download - autopwn"; flow:to_server,established; http_uri; content:"/rhino/1.jar"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27084; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class",distance 0; content:"|00|inc.class",distance 0; content:"|00|fdp.class",distance 0,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:27085; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown Malvertising Exploit Kit stage-1 redirect"; flow:to_client,established; content:"<html><body><script>|0A|var ",fast_pattern; content:"document.createElement(",within 80; content:".setAttribute(|22|archive|22|, ",within 65; content:".setAttribute(|22|codebase|22|, ",within 65; content:".setAttribute(|22|id|22|, ",within 65; content:".setAttribute(|22|code|22|, ",within 65; content:"|22|)|3B 0A|document.body.appendChild(",within 65; content:"</script>|0A|</body>|0A|</html>|0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:27086; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool/Styx exploit kit landing page"; flow:to_client,established; file_data; content:"for("; content:"=0|3B|",within 25; content:".value.length|3B|",within 100; content:".value.substr(",distance 0; pcre:"/for\x28(?P<var>\w+)\x3d0\x3b.*?\.value\.substr\x28(?P=var)\x2c2\x29/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html; classtype:trojan-activity; sid:27092; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bjisad.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27106; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|00|Han.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27107; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit malicious jar file downloaded when exe is declared"; flow:to_client,established; http_header; content:"filename="; content:"exe",within 25,nocase; file_data; pkt_data; content:"PK"; content:".class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27108; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Momomo.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27109; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; http_uri; content:"php?sf="; content:"&Ze=",distance 0; content:"&m=",distance 0; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27110; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; http_uri; content:"/?f=a"; content:"&k=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit numerically named exe file dowload"; flow:to_client,established; http_header; content:"filename="; content:".exe",within 4,distance 4; pcre:"/filename\=\d{4}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27140; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:".value|3B| |09| var"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27141; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:"<html><head><script type=|27|text/javascript|27| src=|22|js/PluginDetect.js|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27142; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:"|27| value=|27|JTIw"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27143; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Private Exploit Kit outbound traffic"; flow:to_server,established; http_uri; content:".php?"; http_header; content:"content-type: application/"; content:" Java/1"; http_uri; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/i"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page detected"; flow:to_client,established; file_data; content:"<OBJECT CLASSID=|22|clsid|3A|5852F5ED-8BF4-11D4-A245-0080C6F74284|22| width=|22|1|22| height=|22|1|22|><PARAM name=|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27241; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"counter.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:27242; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(dgsgsdg"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27271; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown exploit kit iframe redirection"; flow:established,to_client; file_data; content:"<iframe style=|22|position|3A|fixed|3B|top|3A|0px|3B|left|3A|-550px|3B 22| src="; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27273; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java Exploit request structure"; flow:to_server,established; http_uri; content:"/rhino.php?hash="; http_header; content:"content-type"; content:"java-archive"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27274; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"|7D|catch(d21vd12v)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27592; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Microsoft Windows afd.sys kernel-mode memory corruption attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|8B 45 FC 50 6A|"; byte_test:1,>,24,0,relative; content:"|8D 8D A0 FD FF FF 51 68 BB 20 01 00 8B 55 F8 52 FF 15 18|"; content:"|40 00|",within 2,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-080; classtype:attempted-admin; sid:20270; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MZ",depth 2; content:"JFIF",depth 4,offset 6; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1433; classtype:attempted-user; sid:23312; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MZ|2D 6C 68|",depth 5; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1436; classtype:attempted-user; sid:23309; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|D8 7B 7B 6F 6E B9 9B 95 BB 99 81 A8 E0 AF 32 23 75 57 DB AC 5C BD 34 A4 94 A6 E3 4A DC EF EB F5|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0151; classtype:attempted-user; sid:25357; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|D8 7B 7B 6F 6E B9 9B 95 BB 99 81 A8 E0 AF 32 23 75 57 DB AC 5C BD 34 A4 94 A6 E3 4A DC EF EB F5|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-0151; classtype:attempted-user; sid:25779; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|83 EC 40 C7 04 24 54 4D 45 4D C7 44 24 04 4F 2E 4A 54 C7 44 24 08 44 00 00 00 8B C4 50 BB E8 C5 3F 21 FF 13 83 C4 40 E9 B2 BF FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0707; classtype:attempted-user; sid:26070; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|83 EC 40 C7 04 24 54 4D 45 4D C7 44 24 04 4F 2E 4A 54 C7 44 24 08 44 00 00 00 8B C4 50 BB E8 C5 3F 21 FF 13 83 C4 40 E9 B2 BF FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0707; classtype:attempted-user; sid:26071; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"|E0 00 22 01 0B 01 0A 00 00 64 00 00 00 2E 00 00|",fast_pattern; content:"|00 B0 00 00 50 0E 00 00 30 15 00 00 1C 00 00 00|",within 16,distance 112; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-024; classtype:attempted-user; sid:26590; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; content:"|E0 00 22 01 0B 01 0A 00 00 64 00 00 00 2E 00 00|",fast_pattern; content:"|00 B0 00 00 50 0E 00 00 30 15 00 00 1C 00 00 00|",within 16,distance 112; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-024; classtype:attempted-user; sid:26601; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malformed getPropertyLate actioncode attempt"; flow:to_client,established; file_data; content:",|BD 06|J|C6 01 01 80 C6 01 D6 D1 D2|O|97 06 01 D1|`|81 04|g|9D 08|f|9E 08|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3797; classtype:attempted-user; sid:16316; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt"; flow:to_client,established; file_data; content:"|A3 96 56 6C 5B B4 87 59 19 DB B6 A1 6B D8 B5 53 46 59 A7 6B 69 27 43 3C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21535; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"RawDataFrom(new Vector.<Number>(), 0x41414141"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21534; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Actionscript Stage3D null dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|7D B3 D7 78 DB 3A 2A 4D 86 B6 13 34 B8 B5 57 1E 30 E6 35 54 75 3C 1E 57|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21533; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash player ActionScript ASnative function remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ASnative|00|"; content:"|96 16 00 07 03 00 00 00 07 2E 01 00 00 07 3A 08 00 00 07 02 00 00 00 08 02|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0559; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18420; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript flash.geom.Point constructor memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A|flash.geom|06|Matrix|0B|setMaterial"; content:"|05|Point",distance 0; content:"|12|generateFilterRect|0B|applyFilter",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0578; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18503; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash player content parsing execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ROPPayload|08|strToInt|09|shellcode"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44503; reference:cve,2010-3654; classtype:attempted-user; sid:18992; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player embedded JPG image height overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS"; content:"|FF D8|",distance 0; content:"JFIF",distance 0; content:"|FF C0|",within 256; pcre:"/^...(..)?[\x80-\xff]/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; sid:13300; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A8 15|"; content:"|8C 15|",within 2,distance 40; content:"|BF 14 7F 01 00 00|",within 6,distance 12; content:"|19 13|",within 2,distance 383; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13822; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 15 84 03 00 00|"; content:"|BF 14|D|02 00 00|",within 6,distance 900; content:"?|13 1F 00 00 00|",within 6,distance 640; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13821; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A8 15|"; content:"|BF 15 0C 00 00 00|",within 6,distance 45; content:"|BF 14 7F 01 00 00|",within 6,distance 12; content:"?|13 19 00 00 00|",within 6,distance 383; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13820; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Possible Adobe Flash ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ByteArray",nocase; content:"|04 0C 0C 0C 0C|",within 100; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15729; rev:10; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH string heapspray flash file - likely attack"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"heapspray"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; classtype:attempted-user; sid:23856; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH string heapspray flash file - likely attack"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"heapspray"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:23855; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player X500 DistinguishedName property access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|6B 3E 35 2F D7 02 D4 F0 88 41 EB 67 C7 D7 4F A8 56 8C D8 A7 C4 A5 AE AD E9 15 CF AE F7 E0 74 47|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23131; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player X509 direct instantiation property access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|2F 65 54 07 41 6C AD 12 37 3E 1A 37 A0 D9 F7 60 1F 29 07 AF FD D8 AD ED D7 08 31 52 76 8A 43 A8|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23130; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SecureSocket use without Connect attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3A 58 E6 FB 74 80 30 B8 BF 2C 54 5B F9 4D C8 B2 AB BA 3D 56 1C 6C F7 3D 9D D6 34 A0 52 7E F2 6A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23129; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|E2 41 76 26 4F 70 65 72 61 74 65 64 20 62 79 20 44 6F 53 57 46|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22916; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|74 F2 37 35 34 31 32 32 37 8C 4C 8C A3 B1 E3 E8 F0 22 70 3A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22915; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|FF 0F AA 70 2A B7 17 2A C1 3B 77 35 50 B9 6B 07 17 16 1D 92|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22070; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|11 B3 38 36 87 2D C0 BB 20 72 7C 49 54 35 83 87 FA C3 48 10|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22069; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Video invalid tag type attempt"; flow:to_client,established; file_data; content:"|FB 1A BD E9 6B F4 AE 37 BD 71 2F FA 02 BD EA 6D 5F A0 F4 8C 9D 06 A8 7A 55 CB F6 CC 39 E7 3B DF 9C 3F 7B 8A A4 DF 11 2A FE 88 50 1D A3 CE C2 32 42 E8 BB CA 2F 18 A1 DD D0 1E EC BC EE 1C 36 A6|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0773; classtype:attempted-user; sid:21654; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player MP4 zero length atom attempt"; flow:to_client,established; file_data; content:"|4E 65 74 53 74 72 65 61 6D 09 72 65 70 72 6F 2E 6D 70 34 04 70 6C 61 79 0E 61 64 64 46 72 61 6D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21338; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_server,established; file_data; content:"charAt|08|parseInt|09|writeByte|05|Array"; content:"4657530ACC0500007800055F00000FA000001801004",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20785; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - namelist.xls"; flow:to_server,established; file_data; content:"Q1dTCswFAAB4nE1UbWxTZRQ+t73t+3btKN0YnawgU"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20784; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - dear chu.rar"; flow:to_server,established; file_data; content:"Rar!"; content:"dear chu.doc",within 12,distance 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20783; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - economy.rar"; flow:to_server,established; file_data; content:"Rar!"; content:"Economy.doc",within 11,distance 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20782; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_client,established; file_data; content:"charAt|08|parseInt|09|writeByte|05|Array"; content:"4657530ACC0500007800055F00000FA000001801004",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20781; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - namelist.xls"; flow:to_client,established; file_data; content:"Q1dTCswFAAB4nE1UbWxTZRQ+t73t+3btKN0YnawgU"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20780; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - dear chu.rar"; flow:to_client,established; file_data; content:"Rar!"; content:"dear chu.doc",within 12,distance 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20779; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - economy.rar"; flow:to_client,established; file_data; content:"Rar!"; content:"Economy.doc",within 11,distance 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20778; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash player ActionScript apply function memory corruption attempt"; flow:to_client,established; file_data; content:"|43 57 53 0A 2C 91 00 00 78 9C CD BD 77 60 54 D5 D6 3E 7C F6|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0558; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18418; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_client,established; file_data; content:"|01 00 00 00 08 1C 99 02 00 C4 FE 96 05 00 07 0C F5 4E 15 4C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20131; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D7 F3 DB DF 19 6F DB FC E6 F7 5F CF 2F BF 99 BE|"; content:"|78 F9 BB 3F 7D FD 27 7C F9 FE AB F9 7A 7C E5 D3|",within 16,distance 336; content:"|27 5F FD FC 7D 7D F7 FE 1F FC 7A 6B BF 7C 3F DF|",within 16,distance 288; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19071; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption exploit attempt"; flow:to_client,established; file_data; content:"CWS|09|"; content:"|3D BF CF FB CF 8B D6 E9 EE EA EA EA AA EA EA EA|",within 16,distance 94; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0197; reference:cve,2010-1297; classtype:attempted-admin; sid:19408; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|33 0D 0A 43 57 53 0D 0A 31 0D 0A 0A 0D 0A 33 0D|"; content:"|0D 0A 34 0D 0A FE B3 6F 7D 0D 0A 33 0D 0A FC F1|",within 16,distance 320; content:"|32 0D 0A F5 CB 0D 0A 33 0D 0A 4B 7C F1 0D 0A 34|",within 16,distance 320; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19083; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|64 BF B2 5C 3B 6C 01 CC 94 D8 86 75 E0 13 57 80|"; content:"|00 1C 84 81 C9 80 77 6F 72 6B 50 6F 73 5F 6D 63|",within 16,distance 320; content:"|FD 8D AD 6D 92 AB 5A B5 AF EC 90 2F 1A 4C 2A 01|",within 16,distance 320; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19080; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash authplay.dll memory corruption attempt"; flow:to_client,established; file_data; content:"|94 C5 F6 3F 3E E5 D9 7D 76 53 37 D9 10 62 28 06 8D 44 71|"; content:"|CC F3 6C A1 DC 0F DF DF EB F5 FD E7 8B 99 E7 99 39 73 E6 CC 99|",distance 0; content:"|EE 7E F1 F1 1E E9 C8 72 36 A9 3A 54 1F 2A 1A C4 58 B7 DB|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3654; reference:url,www.adobe.com/support/security/advisories/apsa10-05.html; classtype:attempted-user; sid:17808; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash frame type identifier memory corruption attempt"; flow:to_client,established; file_data; content:"|0B 25 C9 92 0D 21 ED 48 87 65 30 3B 6D E1 D8 B4|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,15332; reference:cve,2005-2628; classtype:attempted-user; sid:17658; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash ASnative command execution attempt"; flow:to_client, established; file_data; content:"|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|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:17606; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player and Reader remote code execution attempt"; flow:to_client,established; file_data; content:"|6C 23 B1 63 9A 87 31 36 CC 6F DD BA 75 7F C7 D0|",depth 160,offset 144; content:"|9F 4E AA 98 1C 24 BF 33 AE 78 A5 58 32 B3 DE 54|",within 16,distance 352; content:"|05 7D 9F EA A8 E5 CA A6 73 4A CE BC 5C 72 65 63|",within 16,distance 240; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2884; reference:url,www.adobe.com/support/security/advisories/apsa10-03.html; classtype:attempted-user; sid:17257; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript intrf_count integer overflow attempt"; flow:to_client,established; file_data; content:"|01 01 02 09 03 80 80 80 80 01 01 02 01 01 04 01 00 03 00 01 01 09|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35907; reference:cve,2009-1869; classtype:attempted-user; sid:15993; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player invalid object reference code execution attempt"; flow:to_client,established; file_data; content:"|43 57 53 06 40 F3 14 00 78 DA 44 7C 05 58 54 DB F7 F6 1A 66 80 A1 87 54 86 EE EE A1 86 9A A1 41 10 10 A4 2C 44 3A 2C 10 0B 61 08 15 41 10 15 95 52 4A 01 11 15 05 F4 9A A0 A2 5E 95 10 30 08 03|",depth 64; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33880; reference:cve,2009-0520; classtype:attempted-user; sid:15478; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-FLASH Adobe Flash ActionScript getURL target null reference attempt"; flow:to_server,established; http_uri; content:".swf?",nocase; content:"&TARGET=",within 20,nocase; pcre:"/\x26TARGET\x3d\x5f(blank|parent|top)/si"; content:"&REDIR=javascript",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:cve,2012-0772; reference:url,adobe.com/support/security/bulletins/apsb12-07.html; classtype:denial-of-service; sid:21653; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash use-after-free attack attempt"; flow:to_client,established; file_data; content:"|53 68 68 68 20 64 6F 6E 27 74 20 74 65 6C 6C 20 61 6E 79 20 6F 6E 65 20 74 68 69 73 20 69 73 20 61 20 73 65 63 72 65 74 20 6B 65 79 21 16 54 68 65 20 74 72 75 74 68 20 69 73 20 6F 75 74 20 74 68 65 72 65 08 43 4F 4D 50 4C 45 54 45 0B 72 65 6D 6F 76 65 43 68 69 6C 64 0A 55 52 4C 52 65 71 75 65 73 74 30 68 74 74 70|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1297; classtype:attempted-user; sid:16634; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Speex-encoded audio buffer underflow attempt"; flow:to_client,established; file_data; content:"|A9 FC EB C4 44 EA 39 DC C2 E6 7A 38 85 81 71 46 3B 43 B6 E8 69 30 D5 77 47 47 A1 DE 99 B6 32 A2 7B D4 DA AD 90 AF 76 EB F4 B0 8D 3F F2 66 C5 06 3B 18 ED 9C 13 2E 42 BB 18 50 C2 ED D2 AE 33 B2|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2130; reference:url,www.adobe.com/support/security/bulletins/apsb11-26.html; classtype:attempted-user; sid:20181; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript 3 buffer overflow attempt"; flow:to_client,established; file_data; content:"|E9 3F 00 00 00 00 00 00 D0 3F 33 33 33 33 33 33 E3 3F 7B 14 AE 47 E1 7A A4 3F 66 66 66 66 66 66 F6 3F 9A 99 99 99 99 99 B9 3F EB 09 00 07 42 6F 6F 6C 65 61 6E 04 76 6F 69 64 03 69 6E 74 0B 66|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2415; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19683; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|02 61 30 02 61 31 02 61 32 02 61 33 02 61 34 02 61 35 02 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,49081; reference:cve,2011-2416; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19682; rev:10; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempet"; flow:to_client,established; file_data; content:"|00|airappinstaller|00|ASnative|00|"; pcre:"/\x00[\x3b\x7c\x26\x60][^\x00]+\x00airappinstaller\x00ASnative\x00/smi"; content:"|99 08|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32896; reference:cve,2008-5499; classtype:attempted-user; sid:15869; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Video invalid tag type attempt"; flow:to_client,established; flowbits:isset,file.flv; file_data; content:"FLV|01|",depth 4; content:"|17|",within 1,distance 9; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; reference:cve,2012-0773; classtype:attempted-user; sid:21655; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt"; flow:to_client,established; file_data; content:"|04 01 08 32 4E 96 04 00 04 01 08 2D 4E 4E 96 09 00 03 49 12 9D 02 00 09 00 96 04 00 04 01 08 08 4E 3E 96 04 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0209; reference:url,www.adobe.com/support/security/bulletins/apsb10-16.html; classtype:attempted-user; sid:17142; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player undefined tag exploit attempt"; flow:to_client,established; file_data; content:"|46 57 53 0A 9A 04 00 00 78 00 03 E8 00 00 0F A0 00 00 E8 01 00 44 11 08 00 00 00 3F 12 69 04 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2214; classtype:attempted-user; sid:18805; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash invalid data precision arbitrary code execution exploit attempt"; flow:to_client,established; file_data; content:"|0C 0C FF C0 00 11 88 00 96 00 71 03 01 11 00 02|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2216; reference:url,www.adobe.com/support/security/bulletins/apsb10-16.html; classtype:attempted-user; sid:17141; rev:7; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash OpenType font memory corruption attempt"; flow:to_server,established; file_data; content:"FWS"; content:"</rdf:RDF>",distance 0; content:"kern",within 500; byte_extract:4,4,kern_offset,relative; content:"OTTO"; byte_test:4,>=,0x10000000,kern_offset,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:23854; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash OpenType font memory corruption attempt"; flow:to_client,established; file_data; content:"FWS"; content:"</rdf:RDF>",distance 0; content:"kern",within 500; byte_extract:4,4,kern_offset,relative; content:"OTTO"; byte_test:4,>=,0x10000000,kern_offset,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:23853; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption exploit attempt"; flow:to_server,established; file_data; content:"CWS|09|"; content:"|3D BF CF FB CF 8B D6 E9 EE EA EA EA AA EA EA EA|",within 16,distance 94; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0197; reference:cve,2010-1297; classtype:attempted-admin; sid:23592; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash use-after-free attack attempt"; flow:to_server,established; file_data; content:"|53 68 68 68 20 64 6F 6E 27 74 20 74 65 6C 6C 20 61 6E 79 20 6F 6E 65 20 74 68 69 73 20 69 73 20 61 20 73 65 63 72 65 74 20 6B 65 79 21 16 54 68 65 20 74 72 75 74 68 20 69 73 20 6F 75 74 20 74 68 65 72 65 08 43 4F 4D 50 4C 45 54 45 0B 72 65 6D 6F 76 65 43 68 69 6C 64 0A 55 52 4C 52 65 71 75 65 73 74 30 68 74 74 70|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-1297; classtype:attempted-user; sid:23579; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_server,established; file_data; content:"|93 1A|FirstCircleBBBBBBBBBBBBBBBBBBBBBBB|06 A6 17 30|BBBBBBBBBBBBBBBBBBBB|90 90 90 90|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:23265; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_client,established; file_data; content:"|93 1A|FirstCircleBBBBBBBBBBBBBBBBBBBBBBB|06 A6 17 30|BBBBBBBBBBBBBBBBBBBB|90 90 90 90|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:23264; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH embedded Shockwave dropper download"; flow:to_client,established; file_data; content:"FWS|09 47 CB 00 00 48 01 40 00 5A 00 00 19 01 00 44 11 08 00 00 00 BF 14 1C CB 00 00 00 00 00 00 00 10 00 2E 00 06 00 80 80 40 94 A8 D0 A0 01 80 80 04 10 00 02 00 00 00 12 12 12 E2 41 30 F0 09|1414141414141414"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-05.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:18543; rev:10; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH embedded Shockwave dropper in email attachment"; flow:to_server,established; file_data; content:"FWS|09 47 CB 00 00 48 01 40 00 5A 00 00 19 01 00 44 11 08 00 00 00 BF 14 1C CB 00 00 00 00 00 00 00 10 00 2E 00 06 00 80 80 40 94 A8 D0 A0 01 80 80 04 10 00 02 00 00 00 12 12 12 E2 41 30 F0 09|1414141414141414"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-05.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:18544; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1E 3E 95 0F 29 8B 36 33 45 A4 1C F6 43 97 12 71 58 FF 44|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:24142; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player Matrix3D integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A3 9D 7B C7 44 71 75 DD F0 26 8A 1F 78 66 64 50 4F 16 95 4A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; reference:url,www.securityfocus.com/archive/1/524143/30/0/threaded; classtype:attempted-user; sid:24244; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player Matrix3D integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|A3 9D 7B C7 44 71 75 DD F0 26 8A 1F 78 66 64 50 4F 16 95 4A|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; reference:url,www.securityfocus.com/archive/1/524143/30/0/threaded; classtype:attempted-user; sid:24245; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash null reference JIT compilation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|ED B6 DB 4D 85 68 66 57 89 24 CB 66 92 1D 34 FC 5C A0 CF 32 2A A2 54 46 3C B1 B5 4F 46 7C 26 0F|"; isdataat:!624; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4165; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24362; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash null reference JIT compilation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|ED B6 DB 4D 85 68 66 57 89 24 CB 66 92 1D 34 FC 5C A0 CF 32 2A A2 54 46 3C B1 B5 4F 46 7C 26 0F|"; isdataat:!624; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4165; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24364; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash malformed record stack exhaustion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3F 08 E1 00 00 00 01 00 45 F2 25 F2 20 01 12 A9 12 44 80 02 00 FF FF FF FF FF FF FF FF 00 00 10 15 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4163; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24366; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash malformed record stack exhaustion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3F 08 E1 00 00 00 01 00 45 F2 25 F2 20 01 12 A9 12 44 80 02 00 FF FF FF FF FF FF FF FF 00 00 10 15 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4163; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24367; rev:2; )
# CVE-2012-5271 (APSB12-22): four rules = {HTTP/IMAP/POP3, SMTP} x {0x92, 0x94}.
# These actually decode the ABC method instead of matching sample bytes:
#   - after the 8-byte anchor and "|00 00 01 02|", byte_extract reads the next
#     byte as local_count (the rule's own name for it);
#   - "|D0 49 00|" = getlocal_0, constructsuper, then the rule walks to AVM2
#     opcode 0x92 (inclocal; 24428/24429) or 0x94 (declocal; 24430/24431);
#   - byte_test !& 128 requires the operand to be a single u30 byte (value < 128,
#     no continuation bit), and byte_test > local_count requires that register
#     index to exceed the method's declared local count — the out-of-range
#     register the verifier failed to reject;
#   - "|47 00 00|" (returnvoid) must follow.
# Because the check is on the decoded index rather than a fixed operand, these
# are the generic variants; 24874-24877 below are the fixed-byte versions.
# Limits: register indices of 128 or more need a 2-byte u30 and will not pass
# the !& 128 test, and the fixed anchor/local_count layout ties the rule to one
# method shape.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|",within 4,distance 2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|",within 3,distance 3; content:"|92|",distance 0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24428; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|",within 4,distance 2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|",within 3,distance 3; content:"|92|",distance 0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24429; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|",within 4,distance 2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|",within 3,distance 3; content:"|94|",distance 0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24430; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|",within 4,distance 2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|",within 3,distance 3; content:"|94|",distance 0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24431; rev:3; )
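# CVE-2011-0587 (APSB11-03). Despite the FILE-FLASH prefix the bytes are PDF
# syntax: a direct "/OpenAction <<" dictionary followed by "/URI (data", i.e. a
# data: URI fired when the document opens. There is no file.pdf flowbit gate, so
# it is evaluated on every file_data buffer.
# Fix: the pcre had no R modifier, so Snort evaluated it from the start of the
# buffer rather than from the end of the "<<" match. That made the
# "[^>]{0,300}" bound a no-op (it can match zero bytes anywhere) and the rule
# degenerated to "both strings appear somewhere in the file". With R the URI
# must sit inside — within 300 non-'>' bytes of — the matched OpenAction
# dictionary, which is what the bound was written for. rev bumped.
# Remaining gap, left as-is: the pcre expects exactly one space in "/URI (";
# PDF allows none or several, so "\x2fURI\s*\x28data" would be the wider form
# if that shows up in samples.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe OpenAction crafted URI action thru Firefox attempt"; flow:to_client,established; file_data; content:"|2F|OpenAction|20 3C 3C|"; pcre:"/[^\x3e]{0,300}\x2fURI \x28data/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0587; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18447; rev:9; )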
# CVE-2012-5278 (APSB12-24), AS2 privilege escalation: two distinct 20-byte
# sample slices (24810/24811 and 24812/24813), each with an HTTP/IMAP/POP3 and
# an SMTP twin, gated on file.swf and unanchored. Nothing here parses the AS2
# action stream, so these match the two known samples only; a recompiled or
# recompressed SWF carrying the same trigger would not fire either pair.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B9 6D 3D DC 78 02 AD 3D 79 F8 B8 79 79 00 09 E9 40 4F 6B 5B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24810; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B9 6D 3D DC 78 02 AD 3D 79 F8 B8 79 79 00 09 E9 40 4F 6B 5B|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24811; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F5 69 1A 7D 8A 46 9F 5C 64 48 32 9B 52 CC DC 4E 35 EB F5 5F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24812; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|F5 69 1A 7D 8A 46 9F 5C 64 48 32 9B 52 CC DC 4E 35 EB F5 5F|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24813; rev:2; )
# CVE-2012-5271 (APSB12-22), fixed-byte companions to 24428-24431 above. The
# 18-byte string is a method body ending in "D0 92 90 4E" (24874/24875) or
# "D0 94 90 4E" (24876/24877): getlocal_0 followed by inclocal (0x92) or
# declocal (0x94) with the literal operand 0x90, i.e. register 144. Because the
# operand is hard-coded these only fire on that exact code sequence; the
# byte_extract/byte_test rules above are the ones that generalize to any
# out-of-range register index below 128, so the two families complement each
# other (this one covers a >=128 index the other cannot express).
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24874; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24875; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 94 90 4E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24876; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 94 90 4E|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24877; rev:2; )
# CVE-2012-5269 (APSB12-24), AS2 ActionInitArray stack overflow. This one is
# structural rather than a sample hash: "|96 05 00 07|" is ActionPush (0x96)
# with a 5-byte payload whose type byte 0x07 is a 32-bit integer; byte_test
# reads that little-endian integer and requires it to exceed 0x040000 (262144);
# "|42|" four bytes later is ActionInitArray, which pops that value as the
# element count. So the rule keys on "push an absurd count, then InitArray",
# which is the trigger condition and survives recompilation.
# Notes: the flow/flowbits options carry a space after the comma
# ("to_client, established", "isset, file.swf") unlike every sibling; Snort
# tolerated it when this rule shipped, but normalize it if the rule is ever
# re-enabled. metadata lists only balanced-ips drop — no security-ips entry —
# which is also inconsistent with the rest of this category.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Action InitArray stack overflow attempt"; flow:to_client, established; flowbits:isset, file.swf; file_data; content:"|96 05 00 07|"; byte_test:4,>,0x040000,0,relative,little; content:"|42|",within 1,distance 4; metadata:policy balanced-ips drop,service http,service imap,service pop3; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24890; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Action InitArray stack overflow attempt"; flow:to_server, established; flowbits:isset, file.swf; file_data; content:"|96 05 00 07|"; byte_test:4,>,0x040000,0,relative,little; content:"|42|",within 1,distance 4; metadata:policy balanced-ips drop,service smtp; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24893; rev:2; )
# CVE-2012-5270 (APSB12-24), SymbolClass tag type confusion. One 22-byte
# unanchored slice of a sample, HTTP/IMAP/POP3 (24895) and SMTP (24896), gated
# on file.swf. The bytes are not decoded as a SymbolClass tag here, so treat
# this as a sample match rather than detection of the confusion itself.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF 01 2B 00 00 00 6C 00 01 00 8A 06 06 01 00 67 00 1B 36 1F C9 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5270; reference:url,adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24895; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FF 01 2B 00 00 00 6C 00 01 00 8A 06 06 01 00 67 00 1B 36 1F C9 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5270; reference:url,adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24896; rev:2; )
# CVE-2012-5266 (APSB12-24), trait-type null dereference. Two variants, each
# with an HTTP/IMAP/POP3 and an SMTP twin:
#   24980/24981: require the uncompressed SWF magic "FWS" at offset 0 (depth 3)
#     and then a 24-byte pattern anywhere after. Because of the "FWS" anchor a
#     zlib- or LZMA-compressed carrier ("CWS"/"ZWS") will never match these two
#     even though file.swf would still be set for it.
#   24982/24983: a different 24-byte sample slice, unanchored, no magic check.
# Neither decodes the trait structure, so both are sample signatures.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS",depth 3; content:"|03 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 09 06 00 01 01 01 03|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24980; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"FWS",depth 3; content:"|03 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 09 06 00 01 01 01 03|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24981; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1F 91 C2 5F AC B1 71 4A 7E 99 DA 93 EC A2 6D 53 DF 3C 39 97 4D 2C 1B BF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24982; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1F 91 C2 5F AC B1 71 4A 7E 99 DA 93 EC A2 6D 53 DF 3C 39 97 4D 2C 1B BF|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24983; rev:2; )
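# CVE-2012-5676 index overflow, HTTP/IMAP/POP3 (24985) and SMTP (24986).
# Fix: the bulletin reference was left as the "apsb12-XX.html" placeholder.
# APSB12-27 (December 2012) is the Flash Player bulletin that lists
# CVE-2012-5676, so the URL is filled in and rev bumped on both rules.
# Detection is a 32-byte unanchored slice of one sample, gated on file.swf;
# it does not decode the overflowing index, so it is a sample signature.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player index overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|31 33 31 59 CE FD 53 4A 77 B7 30 2C 90 35 63 A4 31 14 C9 76 C9 28 4A 21 55 EC 09 3A 26 62 E5 86|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5676; reference:url,www.adobe.com/support/security/bulletins/apsb12-27.html; classtype:attempted-user; sid:24985; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player index overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|31 33 31 59 CE FD 53 4A 77 B7 30 2C 90 35 63 A4 31 14 C9 76 C9 28 4A 21 55 EC 09 3A 26 62 E5 86|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5676; reference:url,www.adobe.com/support/security/bulletins/apsb12-27.html; classtype:attempted-user; sid:24986; rev:4; )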
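# CVE-2012-5678 invalid traits structure, HTTP/IMAP/POP3 (24989) and SMTP
# (24990). Fix: these carried a CVE reference but no bulletin, unlike every
# other rule in this category; CVE-2012-5678 is one of the three CVEs in
# APSB12-27, so that URL is added and rev bumped.
# Detection is a 32-byte unanchored slice of the sample's AVM2 code
# ("D0 30 5E" = getlocal_0, pushscope, findproperty ...), gated on file.swf;
# nothing validates the traits structure, so it is a sample signature. The msg
# text "specially invalid" is odd wording, presumably "specially crafted".
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player specially invalid traits structure attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|09 0A 11 D0 30 5E A9 03 D1 68 A9 03 5D 8F 03 4F 8F 03 00 47 00 00 91 03 03 01 09 0A 1D D0 30 5E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5678; reference:url,www.adobe.com/support/security/bulletins/apsb12-27.html; classtype:attempted-user; sid:24989; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player specially invalid traits structure attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|09 0A 11 D0 30 5E A9 03 D1 68 A9 03 5D 8F 03 4F 8F 03 00 47 00 00 91 03 03 01 09 0A 1D D0 30 5E|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5678; reference:url,www.adobe.com/support/security/bulletins/apsb12-27.html; classtype:attempted-user; sid:24990; rev:3; )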
# CVE-2012-5268 (APSB12-24), DoInitAction invalid-action overflow, HTTP/IMAP/
# POP3 direction. A 16-byte unanchored slice gated on file.swf; the action
# record is not decoded, so this is a sample signature. Its SMTP twin is the
# next rule (24992).
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player DoInitAction invalid action overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B6 0D 00 04 02 04 03 07 02 00 00 00 04 01 08 07|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5268; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24991; rev:1; )
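# CVE-2012-5268 (APSB12-24), DoInitAction invalid-action overflow, SMTP
# direction (twin of 24991 above; same 16-byte sample slice, file.swf gate).
# Fix: the source was "any any" while every other SMTP-direction rule in this
# category, including this rule's own HTTP twin, uses "$EXTERNAL_NET any". The
# odd one out is almost certainly a typo rather than a deliberate choice to
# inspect internally sourced mail, so it is aligned with the siblings and rev
# bumped. If inspecting internal relays is wanted, do it for the whole
# category via $EXTERNAL_NET, not by special-casing one sid.
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player DoInitAction invalid action overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B6 0D 00 04 02 04 03 07 02 00 00 00 04 01 08 07|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-5268; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24992; rev:3; )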
# CVE-2011-2461 (APSB11-25), Flex SDK EncDecUtils.swf resource-module XSS.
# Unlike the rest of this category this is a client->server HTTP request rule
# ($HOME_NET -> $EXTERNAL_NET, http_uri): it fires when an internal browser
# requests a vulnerable "/EncDecUtils.swf?" with a "resourceModuleURLs="
# parameter whose value starts with "http" (within 4 bytes, so the remote
# module URL must be absolute and immediately follow the "="). http_uri is the
# normalized buffer, so percent-encoded "http" still matches, but a
# protocol-relative "//host/..." value, if Flex accepts one, would not.
# The file name match means this only covers the stock Flex helper SWF, not
# every application SWF compiled with the vulnerable SDK, which is the real
# population — treat it as a partial indicator.
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-FLASH Adobe Shockwave Flash Flex authoring tool XSS exploit attempt"; flow:to_server,established; http_uri; content:"/EncDecUtils.swf|3F|",fast_pattern; content:"resourceModuleURLs=",nocase; content:"http",within 4,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-2461; reference:url,www.adobe.com/support/security/bulletins/apsb11-25.html; classtype:attempted-admin; sid:20610; rev:4; )
# CVE-2013-0634 (APSB13-02), malformed regular expression. Two variants:
#   25676/25678: gated on file.swf OR file.ole (the "|" flowbits syntax), so it
#     also covers the SWF-embedded-in-Office-document delivery. The pcre looks
#     for a RegExp constructor with a "#"-prefixed namespace, an inline "(?...i"
#     group, then a "(?-...i" group within 50 bytes followed by an empty
#     alternation "||". That is the shape of the regex that triggers the bug,
#     so this variant is structural and survives recompilation, though the
#     unbounded ".*?" between the two groups makes it a comparatively expensive
#     pcre on large file_data buffers.
#   25677/25679: a 32-byte unanchored sample slice with no flowbit gate at all,
#     so it is evaluated on every file_data buffer regardless of type.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf|file.ole; content:"RegEx"; pcre:"/RegExp?\x23.{0,5}\x28\x3f[^\x29]{0,4}i.*?\x28\x3f\x2d[^\x29]{0,4}i.{0,50}\x7c\x7c/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25676; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; content:"|81 26 B3 45 C4 3F 7F 7F FF AE FD 47 3F 59 BA FD 67 FE ED D7 5E B5 55 6F 3D C2 B7 5E F9 00 BF FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25677; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf|file.ole; content:"RegEx"; pcre:"/RegExp?\x23.{0,5}\x28\x3f[^\x29]{0,4}i.*?\x28\x3f\x2d[^\x29]{0,4}i.{0,50}\x7c\x7c/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25678; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_server,established; file_data; content:"|81 26 B3 45 C4 3F 7F 7F FF AE FD 47 3F 59 BA FD 67 FE ED D7 5E B5 55 6F 3D C2 B7 5E F9 00 BF FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25679; rev:3; )
# CVE-2013-0633 (APSB13-04), CFF FeatureCount integer overflow. Gated on
# file.swf.cff, i.e. a CFF font embedded in a SWF (set by a FILE-IDENTIFY rule
# outside this view). The option chain is structural: anchor on
# "|00 7E 00 E2|", step back with distance -10 to require "|00 01 00 00|" six
# bytes ahead of the anchor, then two 2-byte big-endian byte_jumps (each with
# post_offset 2) walk two length-prefixed records, and the field landed on must
# be 0xFFFF — the maximal count the overflow needs. Because it reads the table
# rather than matching a hash it generalizes to other fonts with the same
# record layout, but a different record ordering or a count other than 0xFFFF
# that still overflows would not be caught.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player CFF FeatureCount integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf.cff; file_data; content:"|00 7E 00 E2|"; content:"|00 01 00 00|",within 4,distance -10; byte_jump:2,0,relative,post_offset 2; byte_jump:2,0,relative,post_offset 2; content:"|FF FF|",within 2; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0633; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:25681; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player CFF FeatureCount integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf.cff; file_data; content:"|00 7E 00 E2|"; content:"|00 01 00 00|",within 4,distance -10; byte_jump:2,0,relative,post_offset 2; byte_jump:2,0,relative,post_offset 2; content:"|FF FF|",within 2; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0633; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:25683; rev:4; )
# CVE-2013-0638 (APSB13-05), FLV ADPCM heap overflow. Gated on file.flv and
# anchored at offset 0: the first 16 bytes must be exactly "FLV" version 1,
# flags 0x05 (audio+video), header size 9, PreviousTagSize 0, first tag type
# 0x09 with the given DataSize. The second pattern must then sit exactly 560
# bytes later. Two fixed offsets plus an exact header make this a signature
# for one sample's tag layout; padding the first tag by a single byte or
# swapping tag order evades it while leaving the crafted ADPCM stream intact.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player FLV crafted ADPCM stream heap overflow attempt"; flow:to_client,established; flowbits:isset,file.flv; file_data; content:"|46 4C 56 01 05 00 00 00 09 00 00 00 00 09 00 02|",depth 16; content:"|1D 25 00 00 08 42 10 84 21 08 42 10 84 21 08 42|",within 16,distance 560; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57907; reference:cve,2013-0638; reference:url,www.adobe.com/support/security/bulletins/apsb13-05.html; classtype:attempted-user; sid:25815; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player FLV crafted ADPCM stream heap overflow attempt"; flow:to_server,established; flowbits:isset,file.flv; file_data; content:"|46 4C 56 01 05 00 00 00 09 00 00 00 00 09 00 02|",depth 16; content:"|1D 25 00 00 08 42 10 84 21 08 42 10 84 21 08 42|",within 16,distance 560; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,57907; reference:cve,2013-0638; reference:url,www.adobe.com/support/security/bulletins/apsb13-05.html; classtype:attempted-user; sid:25816; rev:2; )
# CVE-2011-2416 (APSB11-21), AS3 integer overflow, SMTP direction only here.
# The pattern is a run of length-prefixed strings "a0","a1",...,"a5"
# (0x02 'a' '0', ...), which looks like the string constant pool of the PoC's
# variable names rather than anything tied to the overflow. Expect it to fire
# only on that PoC lineage, and expect occasional benign hits on any SWF whose
# constant pool happens to contain a0..a5 consecutively.
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|02 61 30 02 61 31 02 61 32 02 61 33 02 61 34 02 61 35 02 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,49081; reference:cve,2011-2416; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:25835; rev:3; )
# CVE-2013-0648 (APSB13-08), HTML/JavaScript harness variant. No flowbit gate,
# so it runs on every file_data buffer (HTML pages included). It requires
# ".LoadMovie", then allowscriptaccess="always" after it, then
# swLiveConnect=true at least one byte after that (distance 1). The ordering
# constraints are the only structure, so reordering those attributes or
# building them at runtime in JS evades it; conversely, a legitimate page that
# uses the same three strings in that order will trip it.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; file_data; content:".LoadMovie"; content:"allowscriptaccess=|22|always|22|",distance 0; content:"swLiveConnect=true",distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26000; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; file_data; content:".LoadMovie"; content:"allowscriptaccess=|22|always|22|",distance 0; content:"swLiveConnect=true",distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26001; rev:2; )
# CVE-2013-0648 (APSB13-08), three compressed-SWF sample variants, each with
# an HTTP/IMAP/POP3 and an SMTP twin, gated on file.cws. Each 20-byte pattern
# is the literal file prefix: "CWS", the SWF version byte (0x0D or 0x0E), the
# 4-byte little-endian uncompressed length, the zlib header "78 DA", and the
# first bytes of the deflate stream. That is as brittle as a signature gets —
# recompressing the same SWF at a different zlib level, or changing any tag so
# the length or early stream bytes shift, produces a different prefix. Useful
# as an IOC for the samples seen in the wild, not as exploit detection.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D B6 3A 00 00 78 DA 95 7B 09 60 54 C7 91 68 D7 7B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26002; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D B6 3A 00 00 78 DA 95 7B 09 60 54 C7 91 68 D7 7B|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26003; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D A3 14 00 00 78 DA 75 37 69 73 1B 57 72 AF E7 7A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26004; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D A3 14 00 00 78 DA 75 37 69 73 1B 57 72 AF E7 7A|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26005; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0E BC 03 00 00 78 DA 5D 52 41 6F D3 30 14 B6 93 34|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26006; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0E BC 03 00 00 78 DA 5D 52 41 6F D3 30 14 B6 93 34|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26007; rev:2; )
# CVE-2013-0648 (APSB13-08), campaign IOC rather than exploit logic: matches
# the hard-coded staging path "www.mypagex.com/fileshare/questions/" plus the
# string "explorer.exe" anywhere in any file_data buffer (no flowbit gate).
# Dead as soon as the operator moves infrastructure; keep it only as a
# historical indicator and do not expect it to catch reuse of the exploit.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF-based shellcode download attempt"; flow:to_client,established; file_data; content:"www.mypagex.com/fileshare/questions/"; content:"explorer.exe",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26008; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player SWF-based shellcode download attempt"; flow:to_server,established; file_data; content:"www.mypagex.com/fileshare/questions/"; content:"explorer.exe",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26009; rev:2; )
# CVE-2011-0609 (APSB11-06), three SMTP-only sample signatures (no HTTP twins
# in this view). Each chains three 16-byte slices at fixed distances
# (336/288 or 320/320 bytes), which is a stronger fingerprint than a single
# slice but equally tied to one file's exact layout. Only 26110 is gated on
# file.swf; 26111 and 26112 run on every file_data buffer.
# 26112's bytes are "CWS" and SWF header fields interleaved with CR LF
# ("3\r\nCWS\r\n1\r\n..."), consistent with the SWF being carried line-wrapped
# inside some text-based container — presumably the embedded-in-document
# delivery this CVE was exploited with — rather than as a raw SWF stream.
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D7 F3 DB DF 19 6F DB FC E6 F7 5F CF 2F BF 99 BE|"; content:"|78 F9 BB 3F 7D FD 27 7C F9 FE AB F9 7A 7C E5 D3|",within 16,distance 336; content:"|27 5F FD FC 7D 7D F7 FE 1F FC 7A 6B BF 7C 3F DF|",within 16,distance 288; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26110; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"|64 BF B2 5C 3B 6C 01 CC 94 D8 86 75 E0 13 57 80|"; content:"|00 1C 84 81 C9 80 77 6F 72 6B 50 6F 73 5F 6D 63|",within 16,distance 320; content:"|FD 8D AD 6D 92 AB 5A B5 AF EC 90 2F 1A 4C 2A 01|",within 16,distance 320; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26111; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"|33 0D 0A 43 57 53 0D 0A 31 0D 0A 0A 0D 0A 33 0D|"; content:"|0D 0A 34 0D 0A FE B3 6F 7D 0D 0A 33 0D 0A FC F1|",within 16,distance 320; content:"|32 0D 0A F5 CB 0D 0A 33 0D 0A 4B 7C F1 0D 0A 34|",within 16,distance 320; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26112; rev:1; )
# CVE-2013-3329 (APSB13-14), malformed HTML text null dereference. One 16-byte
# unanchored sample slice, HTTP/IMAP/POP3 (26687) and SMTP (26688), gated on
# file.swf. Nothing parses the text record, so this is a sample signature.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe SWF malformed HTML text null dereference attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|92 D1 16 24 43 72 25 53 63 82 93 A2 C2 E1 F0 08|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3329; reference:url,www.adobe.com/support/security/bulletins/apsb13-14.html; classtype:attempted-user; sid:26687; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe SWF malformed HTML text null dereference attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|92 D1 16 24 43 72 25 53 63 82 93 A2 C2 E1 F0 08|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3329; reference:url,www.adobe.com/support/security/bulletins/apsb13-14.html; classtype:attempted-user; sid:26688; rev:1; )
# CVE-2013-3343 (APSB13-16). The pattern mixes bytes with the literal strings
# "void" and "promolenta.dat" (length-prefixed, 0x04 and 0x19), i.e. names
# from one in-the-wild sample's constant pool. That makes it an IOC for that
# sample, not detection of the memory-corruption condition; any rebuild with
# a different resource name misses. HTTP/IMAP/POP3 (26982) and SMTP (26983),
# gated on file.swf.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe SWF remote memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|E8 3F 00 00 00 00 00 00 00 00 E9 04 00 04|void|19|promolenta.dat"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,60478; reference:cve,2013-3343; reference:url,www.adobe.com/support/security/bulletins/apsb13-16.html; classtype:attempted-user; sid:26982; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe SWF remote memory corruption attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|E8 3F 00 00 00 00 00 00 00 00 E9 04 00 04|void|19|promolenta.dat"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,60478; reference:cve,2013-3343; reference:url,www.adobe.com/support/security/bulletins/apsb13-16.html; classtype:attempted-user; sid:26983; rev:1; )
# Three in-the-wild SWF samples from the July 2013 MSRC "running in the wild"
# write-up (the only reference; no CVE is attached, so the underlying bug is
# not identified here). 27182-27184 are the HTTP/IMAP/POP3 rules, 27185-27187
# the SMTP twins, each a 30-byte unanchored slice gated on file.swf. Pure
# sample signatures: expect no coverage beyond those three files, and retire
# them once the samples are no longer circulating.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|AE D7 46 41 60 D2 E4 25 52 2F 88 38 EA B9 BC D1 1B F2 95 52 B8 2C 8E C7 B4 21 A9 2F 62 26|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27182; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|E5 8C 2E 73 DC 35 EE 09 13 9E 09 87 C3 E9 76 8E C8 1B B9 F2 84 4A 53 90 EB F5 D5 5A 60 BC|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27183; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|CB 74 5E 0D BD 47 57 13 3F E7 55 4F 02 D4 3F D9 8E D3 C4 6E D4 07 3E 41 FD FB E1 4F 63 29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27184; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|AE D7 46 41 60 D2 E4 25 52 2F 88 38 EA B9 BC D1 1B F2 95 52 B8 2C 8E C7 B4 21 A9 2F 62 26|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27185; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|E5 8C 2E 73 DC 35 EE 09 13 9E 09 87 C3 E9 76 8E C8 1B B9 F2 84 4A 53 90 EB F5 D5 5A 60 BC|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27186; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|CB 74 5E 0D BD 47 57 13 3F E7 55 4F 02 D4 3F D9 8E D3 C4 6E D4 07 3E 41 FD FB E1 4F 63 29|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27187; rev:1; )
# CVE-2013-3345 (APSB13-17), heap buffer overflow. One 32-byte unanchored
# sample slice, HTTP/IMAP/POP3 (27265) and SMTP (27266), gated on file.swf.
# Sample signature only; no field of the overflowing structure is decoded.
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe SWF heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|76 DB E9 F0 AD 26 55 2A C8 BD 68 4C 99 A4 8A D8 6B 7F 9D 15 22 41 05 7B 76 A3 20 2A 54 5C DB A8|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,61045; reference:cve,2013-3345; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27265; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe SWF heap buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|76 DB E9 F0 AD 26 55 2A C8 BD 68 4C 99 A4 8A D8 6B 7F 9D 15 22 41 05 7B 76 A3 20 2A 54 5C DB A8|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,61045; reference:cve,2013-3345; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27266; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash ActionScript user-supplied PCM resampling integer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|88 ED 54 2A 27 AA 96 79 2A EA 47 81 9B 4A 5A A6 46 5C 32 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,61048; reference:cve,2013-3347; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27267; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash ActionScript user-supplied PCM resampling integer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|88 ED 54 2A 27 AA 96 79 2A EA 47 81 9B 4A 5A A6 46 5C 32 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,61048; reference:cve,2013-3347; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27268; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG video stream file magic detected"; flow:to_client,established; file_data; content:"|00 00 01 B3|",depth 4; flowbits:set,file.mpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20450; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG sys stream file magic detected"; flow:to_client,established; file_data; content:"|00 00 01 BA|",depth 4; flowbits:set,file.mpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20451; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RealNetworks Real Media file magic detected"; flow:to_client,established; file_data; content:".RMF",depth 4; flowbits:set,file.realplayer; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20456; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY GIF file magic detected"; flow:to_client,established; file_data; content:"GIF8",depth 4,fast_pattern; content:"a",within 1,distance 1; flowbits:set,file.gif; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20459; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_client,established; file_data; content:"ID3",depth 3; flowbits:set,file.mp3; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20460; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg Stream file magic detected"; flow:to_client,established; file_data; content:"OggS|00|",depth 5; flowbits:set,file.ogg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20462; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|"; content:!"|14 00 06 00|",within 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20463; rev:14; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK00PK|03 04|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20464; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|01 02|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20465; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|05 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20466; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 08|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20467; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 07|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20468; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20469; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RIFX file magic detected"; flow:to_client,established; file_data; content:"RIFX",depth 4; flowbits:set,file.dir; flowbits:set,file.swf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20471; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY ELF file magic detected"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; flowbits:set,file.elf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20477; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",depth 8; flowbits:set,file.png; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20478; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_client,established; file_data; content:"|FF FB 90|",depth 3; flowbits:set,file.mp3; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20481; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E0|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20483; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E1|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24455; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF EE|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24456; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_client,established; file_data; content:"{|5C|rt"; flowbits:set,file.rtf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20486; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Universal Binary/Java Bytecode file magic detected"; flow:to_client,established; file_data; content:"|CA FE BA BE|",depth 4; flowbits:set,file.universalbinary; flowbits:set,file.class; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20492; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY jarpack file magic detected"; flow:to_client,established; file_data; content:"|CA FE D0 0D|",depth 4; flowbits:set,file.class; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20493; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_client,established; file_data; content:"%PDF-",nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20494; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY compressed Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"CWS",depth 3; byte_test:1,>=,0x06,0,relative; flowbits:set,file.cws; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20495; rev:14; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"FWS",depth 3; byte_test:1,<,20,0,relative; isdataat:5,relative; content:!"|00 00 00 00|",within 4,distance 1; flowbits:set,file.swf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20496; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"FLV|01|"; flowbits:set,file.swf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20497; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"moov",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20500; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"ftyp",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20501; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"mdat",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20502; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"free",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20503; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"XFIR",depth 4; flowbits:set,file.swf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20507; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY dmg file magic detected"; flow:to_client,established; file_data; content:"ER|02 00|",depth 4; flowbits:set,file.dmg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20514; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY rmf file download request"; flow:to_server,established; http_uri; content:".rmf",nocase; pcre:"/\x2Ermf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.rmf; flowbits:set,file.realplayer; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20518; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel xlw file magic detected"; flow:to_client,established; file_data; content:"|09 08 10 00 00 06 00 01|"; flowbits:set,file.xls; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,sc.openoffice.org/excelfileformat.pdf; classtype:misc-activity; sid:12283; rev:14; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media ASF file magic detected"; flow:to_client,established; file_data; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|",depth 16; flowbits:set,file.asf; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:12454; rev:13; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Works file download request"; flow:to_server,established; http_uri; content:".wps"; pcre:"/\x2ewps([\?\x5c\x2f]|$)/smi"; flowbits:set,file.works; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_works; classtype:misc-activity; sid:13465; rev:13; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Publisher file download request"; flow:to_server,established; http_uri; content:".pub"; pcre:"/\x2epub([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pub; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_publisher; classtype:misc-activity; sid:13473; rev:16; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft SYmbolic LinK file magic detected"; flow:to_client,established; file_data; content:"ID|3B|P",depth 4,nocase; content:"|0A|",within 3; byte_test:1,>=,0x41,0,relative; byte_test:1,<=,0x7A,0,relative; content:"|3B|",within 4; flowbits:set,file.slk; flowbits:noalert; metadata:service http,service imap,service pop3; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK); reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:13585; rev:14; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RTF file download request"; flow:to_server,established; http_uri; content:".rtf"; pcre:"/\x2ertf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.rtf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:13801; rev:16; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY EPS file download request"; flow:to_server,established; http_uri; content:".eps"; pcre:"/\x2eeps([\?\x5c\x2f]|$)/smi"; flowbits:set,file.eps; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Encapsulated_PostScript; classtype:misc-activity; sid:13983; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PDF file download request"; flow:to_server,established; http_uri; content:".pdf"; pcre:"/\x2epdf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pdf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Pdf; classtype:misc-activity; sid:15013; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY WAV file download request"; flow:to_server,established; http_uri; content:".wav"; pcre:"/\x2ewav([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wav; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Wav; classtype:misc-activity; sid:15079; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XML Shareable Playlist Format file download request"; flow:to_server,established; http_uri; content:".xspf"; pcre:"/\x2exspf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xspf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Xspf; classtype:misc-activity; sid:15158; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Java .class file download request"; flow:to_server,established; http_uri; content:".class"; pcre:"/\x2eclass([\?\x5c\x2f]|$)/smi"; flowbits:set,file.class; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Java_class_file; classtype:misc-activity; sid:15237; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks RealMedia format file download request"; flow:to_server,established; http_uri; content:".rm"; pcre:"/\x2erm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realmedia; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Realmedia; classtype:misc-activity; sid:15239; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks RealMedia format file download request"; flow:to_server,established; http_uri; content:".rv"; pcre:"/\x2erv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realmedia; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Realmedia; classtype:misc-activity; sid:15240; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Visio file download request"; flow:to_server,established; http_uri; content:".vsd"; pcre:"/\x2evsd([\?\x5c\x2f]|$)/smi"; flowbits:set,file.visio; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:15294; rev:14; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office PowerPoint file download request"; flow:to_server,established; http_uri; content:".ppt"; pcre:"/\x2eppt([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ppt; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_PowerPoint; classtype:misc-activity; sid:15586; rev:13; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; http_uri; content:".doc"; pcre:"/\x2edoc([\?\x5c\x2f]|$)/smi"; flowbits:set,file.doc; flowbits:set,file.rtf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:15587; rev:15; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft multimedia format file download request"; flow:to_server,established; http_uri; content:".wma"; pcre:"/\x2ewma([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wma&file.asx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Windows_Media_Audio; classtype:misc-activity; sid:15921; rev:15; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MP3 file download request"; flow:to_server,established; http_uri; content:".mp3"; pcre:"/\x2emp3([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mp3; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp3; classtype:misc-activity; sid:15922; rev:13; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY DXF file download request"; flow:to_server,established; http_uri; content:".dxf"; pcre:"/\x2edxf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dxf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Dxf; classtype:misc-activity; sid:15987; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY X PixMap file download request"; flow:to_server,established; http_uri; content:".xpm"; pcre:"/\x2expm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xpm; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/X_PixMap; classtype:misc-activity; sid:16061; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft asf file magic detected"; flow:to_client,established; file_data; content:"0&|B2|u",depth 4; flowbits:set,file.asf; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:16143; rev:17; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY TrueType font file download request"; flow:to_server,established; http_uri; content:".ttf"; pcre:"/\x2ettf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ttf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:16286; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpg"; pcre:"/\x2ejpg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16406; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpeg"; pcre:"/\x2ejpeg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16407; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Movie Maker project file download request"; flow:to_server,established; http_uri; content:".mswmm"; pcre:"/\x2emswmm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mswmm; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Windows_Movie_Maker; classtype:misc-activity; sid:16473; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|",within 4,distance 16; flowbits:set,file.oless.v3; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:16474; rev:14; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".pjpeg"; pcre:"/\x2epjpeg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16529; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Media ASX file download request"; flow:to_server,established; http_uri; content:".asx"; pcre:"/\x2easx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Advanced_Stream_Redirector; classtype:misc-activity; sid:17116; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Tiff little endian file magic detected"; flow:to_client,established; file_data; content:"II|2A 00|",depth 4; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:17229; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Tiff big endian file magic detected"; flow:to_client,established; file_data; content:"MM|00 2A|",depth 4; flowbits:set,file.tiff.big; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:17230; rev:17; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Media wmv file download request"; flow:to_server,established; http_uri; content:".wmv"; pcre:"/\x2ewmv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wmv; flowbits:set,file.asf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17241; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY OLE document file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:17314; rev:15; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PNG file download request"; flow:to_server,established; http_uri; content:".png"; pcre:"/\x2epng([\?\x5c\x2f]|$)/smi"; flowbits:set,file.png; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:17380; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY GIF file download request"; flow:to_server,established; http_uri; content:".gif"; pcre:"/\x2egif([\?\x5c\x2f]|$)/smi"; flowbits:set,file.gif; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17394; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY LNK file download request"; flow:to_server,established; http_uri; content:".lnk"; pcre:"/\x2elnk([\?\x5c\x2f]|$)/smi"; flowbits:set,file.lnk; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17441; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XML file download request"; flow:to_server,established; http_uri; content:".xml"; pcre:"/\x2exml([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xml; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17733; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY OpenType Font file download request"; flow:to_server,established; http_uri; content:".otf"; pcre:"/\x2eotf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.otf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17751; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY QuickDraw/PICT file download request"; flow:to_server,established; http_uri; content:".pct",nocase; pcre:"/\x2epct([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pct; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18234; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; http_uri; content:".wri"; pcre:"/\x2ewri([\?\x5c\x2f]|$)/smi"; flowbits:set,file.doc; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18516; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY BitTorrent torrent file download request"; flow:to_server,established; http_uri; content:".torrent"; pcre:"/\x2etorrent([\?\x5c\x2f]|$)/smi"; flowbits:set,file.torrent; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18593; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file download request"; flow:to_server,established; http_uri; content:".cpe"; pcre:"/\x2ecpe([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cov; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18675; rev:14; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0|",depth 4; content:"W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|"; flowbits:set,file.xls; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:19166; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY ZIP archive file download request"; flow:to_server,established; http_uri; content:".zip"; pcre:"/\x2ezip([\?\x5c\x2f]|$)/smi"; flowbits:set,file.zip; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:19211; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file download request"; flow:to_server,established; http_uri; content:".cov"; pcre:"/\x2ecov([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cov; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:19218; rev:14; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SMI file download request"; flow:to_server,established; http_uri; content:".smi"; pcre:"/\x2esmi([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:set,file.dmg; flowbits:noalert; metadata:service http; reference:bugtraq,49149; reference:url,en.wikipedia.org/wiki/SAMI; reference:url,osvdb.org/show/osvdb/74604; classtype:misc-activity; sid:20223; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Publisher file magic detected"; flow:to_client,established; file_data; content:"CHNKINK "; flowbits:set,file.pub; metadata:service http,service imap,service pop3; reference:cve,2006-0001; reference:url,en.wikipedia.org/wiki/Microsoft_publisher; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-054; classtype:misc-activity; sid:8478; rev:14; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft SYmbolic LinK file download request"; flow:to_server,established; http_uri; content:".slk"; pcre:"/\x2eslk([\?\x5c\x2f]|$)/smi"; flowbits:set,file.slk; flowbits:noalert; metadata:service http; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK); reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:13583; rev:18; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Embedded Open Type Font file download request"; flow:to_server,established; http_uri; content:".eot"; pcre:"/\x2eeot([\?\x5c\x2f]|$)/smi"; flowbits:set,file.eot; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Embedded_OpenType; classtype:misc-activity; sid:15518; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XBM image file download request"; flow:to_server,established; http_uri; content:".xbm"; pcre:"/\x2exbm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xbm; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/XBM; classtype:misc-activity; sid:17359; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple disk image file download request"; flow:to_server, established; http_uri; content:".dmg"; pcre:"/\x2edmg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dmg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Apple_Disk_Image; classtype:misc-activity; sid:17679; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY FlashPix file download request"; flow:to_server, established; http_uri; content:".fpx"; pcre:"/\x2efpx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.fpx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Fpx; classtype:misc-activity; sid:17739; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe .pfb file download request"; flow:to_server, established; http_uri; content:".pfb"; pcre:"/\x2epfb([\?\x5c\x2f]|$)/smi"; metadata:service http; reference:cve,2008-1806; reference:cve,2008-1807; reference:url,en.wikipedia.org/wiki/Printer_Font_Binary#Printer_Font_Binary; classtype:misc-activity; sid:16552; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows .NET Manifest file download request"; flow:to_server,established; http_uri; content:".manifest"; pcre:"/\x2emanifest([\?\x5c\x2f]|$)/smi"; flowbits:set,file.manifest; flowbits:noalert; metadata:service http; reference:bugtraq,21688; reference:cve,2006-6696; reference:url,en.wikipedia.org/wiki/ASP.NET; classtype:misc-activity; sid:17509; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Visual Basic script file download request"; flow:to_server,established; http_uri; content:".vbs"; pcre:"/\x2evbs([\?\x5c\x2f]|$)/smi"; metadata:service http; reference:url,en.wikipedia.org/wiki/Vbs; classtype:misc-activity; sid:18758; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RealNetworks Realplayer REC file magic detected"; flow:to_client,established; file_data; content:".rec|00|",depth 5; flowbits:set,file.realplayer; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:19128; rev:14; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RealNetworks Realplayer .r1m file magic detected"; flow:to_client,established; file_data; content:".r1m",depth 4; flowbits:set,file.realplayer; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:19129; rev:14; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Cisco Webex wrf file download request"; flow:to_server,established; http_uri; content:".wrf"; pcre:"/\x2ewrf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wrf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Webex; classtype:misc-activity; sid:19224; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY language.engtesselate.ln file download request"; flow:to_server,established; http_uri; content:"language.engtesselate.ln"; flowbits:set,file.engtesselate; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:19252; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request"; flow:to_server,established; http_uri; content:".ra"; pcre:"/\x2eram?([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community,service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2419; rev:21; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request"; flow:to_server,established; http_uri; content:".rmp"; pcre:"/\x2ermp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community,service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2420; rev:20; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request"; flow:to_server,established; http_uri; content:".rt"; pcre:"/\x2ert([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community,service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2422; rev:22; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request"; flow:to_server,established; http_uri; content:".rp"; pcre:"/\x2erp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community,service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2423; rev:21; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Address Book file magic detected"; flow:to_client,established; file_data; content:"|9C CB CB 8D 13|u|D2 11 91|X|00 C0|OyV|A4|"; metadata:policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-2386; reference:url,en.wikipedia.org/wiki/Windows_Address_Book; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-076; classtype:misc-activity; sid:9639; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SMIL file download request"; flow:to_server,established; http_uri; content:".smil"; pcre:"/\x2esmil([\?\x5c\x2f]|$)/smi"; flowbits:set,file.smil; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:17547; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple Quicktime qt file download request"; flow:to_server,established; http_uri; content:".qt"; pcre:"/\x2eqt([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.mov; classtype:misc-activity; sid:17809; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MPEG Layer 3 playlist file download request"; flow:to_server,established; http_uri; content:".m3u"; pcre:"/\x2em3u([\?\x5c\x2f]|$)/smi"; flowbits:set,file.m3u; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.m3u; classtype:misc-activity; sid:14017; rev:13; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PLS multimedia playlist file download request"; flow:to_server,established; http_uri; content:".pls"; pcre:"/\x2epls([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.pls; classtype:misc-activity; sid:14018; rev:13; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; http_uri; content:".xls"; pcre:"/\x2exls([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xlsFile_formats; classtype:misc-activity; sid:15463; rev:16; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; http_uri; content:".xlw"; pcre:"/\x2exlw([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xlsFile_formats; classtype:misc-activity; sid:15464; rev:18; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".swf"; pcre:"/\x2eswf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:15483; rev:13; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY AVI multimedia file download request"; flow:to_server,established; http_uri; content:".avi"; pcre:"/\x2eavi([\?\x5c\x2f]|$)/smi"; flowbits:set,file.avi; flowbits:set,file.avi.video; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.avi; classtype:misc-activity; sid:15516; rev:13; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MP4 file download request"; flow:to_server,established; http_uri; content:".mp4"; pcre:"/\x2emp4([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:set,file.mp4; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:15865; rev:13; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY 4XM file download request"; flow:to_server,established; http_uri; content:".4xm"; pcre:"/\x2e4xm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.4xm; flowbits:noalert; metadata:service http; reference:url,wiki.multimedia.cx/index.php?title=4xm_Format; classtype:misc-activity; sid:15870; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MOV file download request"; flow:to_server,established; http_uri; content:".mov"; pcre:"/\x2emov([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.mov; classtype:misc-activity; sid:17259; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Pagemaker file download request"; flow:to_server,established; http_uri; content:".pmd"; pcre:"/\x2epmd([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pmd; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.pmd; classtype:misc-activity; sid:17552; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY TIFF file download request"; flow:to_server,established; http_uri; content:".tif"; pcre:"/\x2etif(f)?([\?\x5c\x2f]|$)/smi"; flowbits:set,file.tiff; flowbits:set,file.tiff.big; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.tiff; classtype:misc-activity; sid:17732; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Visual Studio DISCO file download request"; flow:to_server,established; http_uri; content:".disco"; pcre:"/\x2edisco([\?\x5c\x2f]|$)/smi"; metadata:service http; reference:url,msdn.microsoft.com/en-us/library/8k0zafxb(v=vs.80).aspx; classtype:misc-activity; sid:19233; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY M3U file magic detected"; flow:to_client,established; file_data; content:"|23|EXTM3U",depth 7; flowbits:set,file.m3u; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/.m3u; classtype:misc-activity; sid:9845; rev:15; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY CHM file download request"; flow:to_server,established; http_uri; content:".chm"; pcre:"/\x2echm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.chm; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help; classtype:misc-activity; sid:3819; rev:17; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file download request"; flow:to_server,established; http_uri; content:".wmf"; pcre:"/\x2ewmf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wmf; flowbits:noalert; metadata:ruleset community,service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:2436; rev:22; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY QCP file download request"; flow:to_server,established; http_uri; content:".qcp"; pcre:"/\x2eqcp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.qcp; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.qcp; classtype:misc-activity; sid:20287; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Director Movie file magic detected"; flow:to_client,established; file_data; content:"Shockwave 3D"; content:"XFIR",depth 4; flowbits:set,file.dir; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,www.fileinfo.com/extension/dir; classtype:misc-activity; sid:17801; rev:14; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Director Movie file download request"; flow:to_server,established; http_uri; content:".dcr"; pcre:"/\x2edcr([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dir; flowbits:noalert; metadata:service http; reference:url,www.fileinfo.com/extension/dcr; classtype:misc-activity; sid:17802; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XUL file download request"; flow:to_server,established; http_uri; content:".xul"; pcre:"/\x2exul([\?\x5c\x2f]|$)/msi"; flowbits:set,file.xul; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xul; classtype:misc-activity; sid:17600; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Portable Executable binary file download request"; flow:to_server,established; http_uri; content:".exe"; pcre:"/\x2eexe([\?\x5c\x2f]|$)/smi"; flowbits:set,file.exe; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.exe; classtype:misc-activity; sid:16425; rev:15; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Director Movie file download request"; flow:to_server,established; http_uri; content:".dir"; pcre:"/\x2edir([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dir; flowbits:noalert; metadata:service http; reference:url,www.fileinfo.com/extension/dir; classtype:misc-activity; sid:16219; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Flash Video file magic detected"; flow:to_client,established; file_data; content:"FLV|01|"; content:"|00 00 00 09|",within 4,distance 1; flowbits:set,file.swf; flowbits:set,file.flv; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/.flv; classtype:misc-activity; sid:12182; rev:14; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PICT file magic detected"; flow:to_client,established; file_data; content:"PICT",depth 4; flowbits:set,file.pct; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:19907; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /inst.php?fff="; flow:to_server,established; http_uri; content:"/inst.php?fff=",nocase; content:"coid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16924.html; classtype:trojan-activity; sid:16924; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent ErrCode - W32/Fujacks.htm"; flow:established,to_server; http_header; content:"User-Agent|3A| ErrCode"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=141161; reference:url,www.virustotal.com/latest-report.html?resource=f9dc0803ea4634256eae73b2db61a3c5; classtype:trojan-activity; sid:18247; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent wget 3.0"; flow:to_server,established; http_header; content:"User-Agent|3A 20|wget|20 33 2E 30 0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=a860efad636dba6ee1d270a1238a559c; classtype:trojan-activity; sid:19175; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string STORMDDOS - Backdoor.Win32.Inject.ctt"; flow:to_server,established; http_header; content:"User-Agent|3A 20|STORMDDOS"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=eb85f7ec383b4e76046cfbddd183d592; classtype:trojan-activity; sid:19480; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string ErrorFix"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Error|20|Fix"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=f93aae75c25ae232a68f13e3b579f2ea; classtype:trojan-activity; sid:19482; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious uri config.ini on 3322.org domain"; flow:to_server,established; http_uri; content:"/config.ini"; http_header; content:"3322|2E|org"; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=f72abdad67d82e60386896efdbf84f2f7b560b54c161fb56033224882c51c220-1306543267; classtype:trojan-activity; sid:19493; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string MacProtector"; flow:to_server,established; http_header; content:"User-Agent|3A 20|MacProtector"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,virustotal.com/file-scan/report.html?id=22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466-1304566748; classtype:trojan-activity; sid:19589; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - pte.aspx?ver="; flow:established,to_server; http_uri; content:"/pte.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/pte\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19622; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - vic.aspx?ver="; flow:established,to_server; http_uri; content:"/vic.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/vic\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19623; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - .sys.php?getexe="; flow:established,to_server; http_uri; content:".sys.php?getexe=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=ba84f21b6f1879c2d6ce7c600cfb077cee4a172c8e0711e4ce67b32d1b315e82-1310972138; classtype:trojan-activity; sid:19625; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /setup_b.asp?prj="; flow:established,to_server; http_uri; content:"/setup_b.asp?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/setup_b\.asp\?prj=\d\x26pid=[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=f99c0b916ad6fea6888fb5029bbf9b7807d0879298efd896298e54f273234cbe-1311680767; classtype:trojan-activity; sid:19626; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /r_autoidcnt.asp?mer_seq="; flow:established,to_server; http_uri; content:"/r_autoidcnt.asp?mer_seq=",nocase; content:"&mac=",nocase; pcre:"/\/r_autoidcnt\.asp\?mer_seq=\d[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=d8f85e320f2841da5319582ea1020f12e622def611728e5eb076477e3f0aa3b2-1311733307; classtype:trojan-activity; sid:19627; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /1cup/script.php"; flow:established,to_server; http_uri; content:"/1cup/script.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=93ae95010d79fbd56f59ee74db5758d2bef5cde451bbbfa7be80fee5023632b5-1310268536; classtype:trojan-activity; sid:19628; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - AnSSip="; flow:established,to_server; http_uri; content:"|26|AnSSip=",nocase; pcre:"/\/\?id=\d+\x26AnSSip=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=dd947d749f836851d8878b5d31dacb54110b4c4cafd7ebe8421dbe911a83d358-1309594430; classtype:trojan-activity; sid:19631; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/adduser.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/adduser.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/adduser\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19632; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/tasks.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/tasks.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/tasks\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19633; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /app/?prj="; flow:established,to_server; http_uri; content:"/app/?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/app\/\?prj=\d\x26pid=[^\r\n]+\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=444383f00dfb73927bf8835d6c847aa2eba24fe6f0266f397e42fae186d53009-1311274513; classtype:trojan-activity; sid:19635; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /blog/images/3521.jpg?v"; flow:established,to_server; http_uri; content:"/blog/images/3521.jpg?v",nocase; content:"&tq=",nocase; pcre:"/\/blog/images/3521\.jpg\?v\d{2}=\d{2}\x26tq=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=adcf7ecf750059f9645dc9dc807f0d1f84df23f03096e41d018edcad725057b1-1311932651; classtype:trojan-activity; sid:19636; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /install.asp?mac="; flow:established,to_server; http_uri; content:"/install.asp?mac=",nocase; content:"&mode",nocase; pcre:"/\/install\.asp\?mac=[A-F\d]{12}\x26mode/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=f0e9e420544f116948b8dfd3d1ed8d156d323684fa6bd58cc87c0ee49320a21c-1311748537; classtype:trojan-activity; sid:19637; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /kx4.txt"; flow:established,to_server; http_uri; content:"/kx4.txt",depth 8,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=1fba1aab5d68fea2d2f0386c63b108d389c2b93d0fbc08ff6071497bb7fb6e1d-1311866840; classtype:trojan-activity; sid:19638; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Opera/8.89 - P2P-Worm.Win32.Palevo.ddm"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Opera|2F|8|2E|89"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=bc58e841f8a43072da7b3c7647828cb8; classtype:trojan-activity; sid:19756; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /games/java_trust.php?f="; flow:established,to_server; http_uri; content:"/games/java_trust.php?f="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blogs.paretologic.com/malwarediaries/index.php/tag/zeus-bot-canada/; classtype:trojan-activity; sid:19778; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /160.rar - Win32/Morto.A"; flow:to_server,established; http_uri; content:"/160.rar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19882; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - optima/index.php"; flow:to_server,established; http_uri; content:"/optima/index.php",nocase; content:"uid=",distance 0,nocase; content:"ver=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=4f9ea5ce70a9a4cc132eb9635e0c5b7e6265ce94be1ff1e9cfd4198dbebd449b-1294138038; classtype:trojan-activity; sid:19913; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string Baby Remote - Win32/Babmote.A"; flow:to_server,established; http_header; content:"User-Agent|3A| Baby Remote"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=0712178d245f4e5a5d0cf6318bf39144; classtype:trojan-activity; sid:20009; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string feranet/0.4 - Win32/Ferabsa.A"; flow:to_server,established; http_header; content:"User-Agent|3A| feranet/0.4|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=93c9b388af56cd66c55630509db05dfd; classtype:trojan-activity; sid:20012; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - InfoBot"; flow:to_server,established; http_header; content:"User-Agent|3A| InfoBot|2F|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=0d624da9ec161f78c513cf6b0c85a069b65581cf09ba0a3315e2cac83a89a685-1311198379; classtype:trojan-activity; sid:20104; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - IPHONE"; flow:to_server,established; http_header; content:"User-Agent|3A| IPHONE"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=459c30e9568295b0d9a3e5092734bb7fb6137b9bb8d7cbf5486b62e48e36bd7c-1311220119; classtype:trojan-activity; sid:20105; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - darkness"; flow:to_server,established; http_header; content:"User-Agent|3A| darkness"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=30ae2284f7d211b8e448f4b011ee554d1303a0ef0163c4b664fe09d168b4441a-1314088474; classtype:trojan-activity; sid:20106; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - meterpreter"; flow:to_server,established; http_header; content:"User-Agent|3A| Meterpreter"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:trojan-activity; sid:20201; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string 0pera 10"; flow:to_server,established; http_header; content:"User-Agent|3A| 0pera 10"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=68c5adbc86aad8332455dcacbe624718d053d9078e99e149d6ecc69085a9e691-1313299701; classtype:trojan-activity; sid:20230; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Mozilla//4.0"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla//4.0 [compatible"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=56afa16e9c6bb2a379d3cff3787d18fa0a7b5f3c3df712ac9702cad789d7eb29-1316218781; classtype:trojan-activity; sid:20231; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string MBVDFRESCT"; flow:to_server,established; http_header; content:"User|2D|Agent|3A| MBVDFRESCT"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=61c2dbab2a90512689ac11e724bd8d2923a30780bfb9cac884ba4eb390e8fd40-1315489381; classtype:trojan-activity; sid:20293; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BLACKLIST EMAIL known malicious email string - You have received a Hallmark E-Card"; flow:to_server,established; content:"Subject|3A| You have received a Hallmark E-Card!",nocase; content:!"href=|22|http|3A|//www.hallmark.com/",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file-scan/report.html?id=bd1cfd7b15f70d131d8f3f013a4e6afb0807791b898d96d3cc2b57de576acf1f-1258200619; reference:url,www.virustotal.com/latest-report.html?resource=925a4a25cfa562a0330c8733cc697021; classtype:misc-activity; sid:19595; rev:4; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain prettylikeher.com - Sykipot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|prettylikeher|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:cve,2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:21048; rev:6; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mysundayparty.com - Sykipot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|mysundayparty|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html; classtype:trojan-activity; sid:21049; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Win32 Amti"; flow:to_server,established; http_header; content:"User-Agent|3A| Win32|2F|Amti"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=5c1b20432a465cfc9f830a8507645b757a95aadcb1f0dd74a05b3c76daddeef9-1296059565; classtype:trojan-activity; sid:21175; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string API Guide test program"; flow:to_server,established; http_header; content:"User|2D|Agent|3A| API|2D|Guide test program"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/97ff0c3329bff100cae187cd91dc761495dc8927ebcc64bc04025134624951f6/analysis/; reference:url,www.virustotal.com/file/cb5df70973c7ccedd7ee76e4dcadc2b8b7abab51b1aa16bcac4dd57df9b99182/analysis/; classtype:trojan-activity; sid:21188; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Aldi Bot"; flow:to_server,established; http_header; content:"User-Agent|3A| Aldi Bot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=7b17e377e2c44bdad10828dffd9da193a08de4512b47e5caae8a654a9406bb98-1315864372; classtype:trojan-activity; sid:21206; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Flag"; flow:to_server,established; http_header; content:"User-Agent|3A| Flag|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=43606116e03672d5c2bca7d072caa573d3fc2463795427d6f5abfa25403bd280-1320677089; classtype:trojan-activity; sid:21225; rev:4; )
+alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"BLACKLIST known malicious FTP login banner - 0wns j0"; flow:established,to_client; content:"220|20|",depth 4; content:"0wns j0",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:ftp; reference:url,seclists.org/fulldisclosure/2004/Sep/895; reference:url,www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html; classtype:trojan-activity; sid:21255; rev:4; )
+alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"BLACKLIST known malicious FTP quit banner - Goodbye happy r00ting"; flow:established,to_client; content:"221 Goodbye happy r00ting"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:ftp; reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html; classtype:trojan-activity; sid:21256; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Google Bot"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Google Bot|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=9b5ea51d036ed45e7665abb280e43459; classtype:trojan-activity; sid:21278; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent ASafaWeb Scan"; flow:to_server,established; http_header; content:"User-Agent|3A| asafaweb.com"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community; service:http; reference:url,asafaweb.com; classtype:network-scan; sid:21327; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string psi"; flow:to_server,established; http_header; content:"User-Agent|3A 20|psi|20|v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b76f804853db8b602393a588385e3c091bfb81b312ca8d7228881fc9d8bdae6e/analysis/1330351984/; classtype:trojan-activity; sid:21455; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string 1234567890"; flow:to_server,established; http_header; content:"User-Agent|3A| 1234567890"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,/www.virustotal.com/file-scan/report.html?id=aead70177d2932a1ddd4556fa6b7eb3f7a136f58d5511e2c391b74c0f6d32a98-1315311757; classtype:trojan-activity; sid:21469; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string core-project"; flow:to_server, established; http_header; content:"User-Agent|3A 20|core-project"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:misc-activity; sid:21475; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent YZF"; flow:to_server,established; http_header; content:"User-Agent|3A| YZF|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/92221d283f4d4109b1e8ba139355498cf5b1f444ef8ea181e8ecdc4f68558a97/analysis/; classtype:trojan-activity; sid:21476; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent Gamevance tl_v"; flow:to_server,established; http_header; content:"User-Agent|3A| tl_v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/009b5aba4b00bb618b46987630c23c69b20af29194c3e50a5c6dd2ae04338dd1/analysis/; classtype:trojan-activity; sid:21591; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent gbot"; flow:to_server,established; http_header; content:"User-Agent|3A| gbot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/289eb3becfaf41707ff5e5315c6ba0cca3a5b84f5241d596c748eb036a22a889/analysis/; classtype:trojan-activity; sid:21636; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent mus - TDSS related"; flow:to_server,established; http_header; content:"User-Agent|3A| mus"; pcre:"/User-Agent\x3A\s+?mus[\x0d\x0a]/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/dd3979104aea7a45136e51a24fddcda4658d1825e5a4ee65f2e0601d5ddfc971/analysis/; classtype:trojan-activity; sid:21639; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent TCYWinHTTPDownload"; flow:to_server,established; http_header; content:"User-Agent|3A| TCYWinHTTPDownload"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/3303912ce4dd35cb0fefe2d6fbc75a887c2734d42e5edd622609a2c8bedd0dae/analysis/; classtype:trojan-activity; sid:21526; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent BOT/0.1"; flow:to_server,established; http_header; content:"User-Agent|3A| BOT/0.1 |28|BOT for JCE|29|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:21925; rev:2; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mac.update.zyns.com - OSX.Maljava"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mac|06|update|04|zyns|03|com"; metadata:impact_flag red,policy balanced-ips drop; service:dns; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:22051; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent RAbcLib"; flow:to_server,established; http_header; content:"User-Agent|3A| RAbcLib"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/47D648603A2923D4539AAF6D4F63B3B704CCE090F68BB394A0F8B1BC2649844A/analysis/; classtype:trojan-activity; sid:22939; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Flame malware"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B|Windows NT 5.1|3B| .NET CLR 1.1.2150|29|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23019; rev:2; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain traffic-spot.com - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|traffic-spot|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23020; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain traffic-spot.biz - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|traffic-spot|03|biz|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23021; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain smart-access.net - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|smart-access|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23022; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain quick-net.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|quick-net|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23023; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain autosync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|autosync|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23024; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnslocation.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dnslocation|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23025; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsmask.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsmask|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23026; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsportal.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dnsportal|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23027; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsupdate.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dnsupdate|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23028; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain flashupdates.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|flashupdates|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23029; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain localgateway.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|localgateway|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23030; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiadrivers.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|nvidiadrivers|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23031; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiasoft.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|nvidiasoft|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23032; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiastream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nvidiastream|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23033; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pingserver.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pingserver|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23034; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain rendercodec.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|rendercodec|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23035; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain syncdomain.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncdomain|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23036; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain syncstream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncstream|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23037; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain videosync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|videosync|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23038; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for runforestrun - JS.Runfore"; flow:to_server,established; http_uri; content:"/runforestrun?sid="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; reference:url,urlquery.net/search.php?q=runforestrun; classtype:trojan-activity; sid:23473; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - PoisonIvy RAT"; flow:to_server,established; http_header; content:"User-Agent|3A| PoisonIvy"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.poisonivy-rat.com; reference:url,www.virustotal.com/file/c71d8085544e6f81e0301d9dd5cdf88369339a6001bab8e4fda22de9ec0fee31/analysis/; classtype:trojan-activity; sid:23627; rev:2; )
+alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - you"; flow:to_server,established; http_header; content:"User-Agent|3A| you|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23903; rev:2; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dotnetadvisor.info - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|dotnetadvisor|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23800; rev:2; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bestcomputeradvisor.com - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|13|bestcomputeradvisor|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23801; rev:2; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain secuurity.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|secuurity|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23803; rev:2; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gowin7.com - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gowin7|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23804; rev:2; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain jebena.ananikolic.su - Malware.HPsus/Palevo-B"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|jebena|0A|ananikolic|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HPsus~Palevo-B/detailed-analysis.aspx; classtype:trojan-activity; sid:24034; rev:3; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain reslove-dns.com - Dorifel"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|reslove-dns|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24146; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Testing"; flow:to_server,established; http_header; content:"User-Agent|3A| Testing"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24441; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Alerter COM"; flow:to_server,established; http_header; content:"User-Agent|3A| Alerter COM+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24442; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - malware"; flow:to_server,established; http_header; content:"malware"; pcre:"/^User-Agent\x3A[^\r\n]*malware/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/analisis/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c-1270750352; classtype:trojan-activity; sid:16551; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Tear Application"; flow:to_server,established; http_header; content:"User-Agent|3A| Tear Application"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=48f1270338bc233839ffefa7e5eefde7; classtype:trojan-activity; sid:16497; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Async HTTP Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Async HTTP Agent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5900; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; classtype:misc-activity; sid:5808; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Opera/9.61"; flow:to_server,established; http_header; content:"User-Agent: Opera/9.61|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/78F000C1901081A2B7F43E55843BA89B3ED2BE2CAB2C3C36F04C768800863940/analysis/; classtype:trojan-activity; sid:24575; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Lizard/1.0"; flow:to_server,established; http_header; content:"User-Agent: Lizard/1.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/F885D6F24FFE5CD899841E9B9914F7CC1CF22C13C5EBF5332F1A1B4F378793FE/analysis/; classtype:trojan-activity; sid:24631; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - 1"; flow:to_server,established; http_header; content:"User-Agent: 1|0D 0A|"; content:!"Accept:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24632; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - test_hInternet"; flow:to_server,established; http_header; content:"User-Agent: test_hInternet|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24633; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - vaccinepc"; flow:to_server,established; http_header; content:"User-Agent: vaccinepc"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24634; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent - Google page"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Google page"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:24792; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent"; flow:to_server,established; http_header; content:"User-Agent: User-Agent: Opera/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/E50BE9062933ACA19777767538BC9E03C94DB23AFBC4F6F19383FCBA3479EAB4/analysis/; classtype:trojan-activity; sid:25009; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; http_header; content:"malware-sinkhole|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:25018; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; http_header; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - 04/XP"; flow:to_server,established; http_header; content:"User-Agent: 04/XP|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/641B3981E33E33030D3D75EDE4D4F2C896D9F355FC9075B2F852E874FBB97F7A/analysis/; classtype:trojan-activity; sid:25243; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - me0hoi"; flow:to_server,established; http_header; content:"User-Agent: me0hoi|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/7919E2A3586AA83072689A5DB77DA8DDB4F675421D775C8F1A0110D12423EF3E/analysis/; classtype:trojan-activity; sid:25245; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/nt/th"; flow:to_server,established; http_uri; content:"/cgi-bin/nt/th"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25394; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/nt/sk"; flow:to_server,established; http_uri; content:"/cgi-bin/nt/sk"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25395; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/dllhost/ac"; flow:to_server,established; http_uri; content:"/cgi-bin/dllhost/ac"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25396; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/ms/check"; flow:to_server,established; http_uri; content:"/cgi-bin/ms/check"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25397; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/ms/flush"; flow:to_server,established; http_uri; content:"/cgi-bin/ms/flush"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25398; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/win/wcx"; flow:to_server,established; http_uri; content:"/cgi-bin/win/wcx"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25399; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/win/cab"; flow:to_server,established; http_uri; content:"/cgi-bin/win/cab"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25400; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain linuxrepository.org - UNIX.Trojan.SSHDoor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|linuxrepository|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/file/EBFD9354ED83635ED38BD117B375903F9984A18780EF86DBF7A642FC6584271C/analysis/; classtype:trojan-activity; sid:25554; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain openssh.info - UNIX.Trojan.SSHDoor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|openssh|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/file/EBFD9354ED83635ED38BD117B375903F9984A18780EF86DBF7A642FC6584271C/analysis/; classtype:trojan-activity; sid:25555; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain updete.servehttp.com - Win.Trojan.Jimpime"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|updete|09|servehttp|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/file/29311a4e5c198df5fa962fdef2e71bdb87a30ca76ce901ae779d30e9b8bfce1b/analysis/; classtype:trojan-activity; sid:25624; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - spam_bot"; flow:to_server,established; http_header; content:"User-Agent: spam_bot|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/ED62E89CC17E400A60D98E075FAFFB9D778C1A27A9CB83723E3AFA6A2C385339/analysis/; classtype:trojan-activity; sid:25659; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bahufykyby.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|bahufykyby|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25684; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain basewibuxenagip.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|basewibuxenagip|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25685; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cefimoqicy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cefimoqicy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25686; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cohehonyhe.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cohehonyhe|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25687; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain covyqileju.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|covyqileju|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25688; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain decogonuwy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|decogonuwy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25689; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain degupydoka.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|degupydoka|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25690; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain diconybomo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|diconybomo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25691; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dixegocixa.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dixegocixa|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25692; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain favomavene.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|favomavene|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25693; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fegufidaty.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fegufidaty|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25694; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fenemusemy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fenemusemy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25695; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fihyqukapy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fihyqukapy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25696; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fokizireheceduf.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|fokizireheceduf|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25697; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fyzuvejemuxoqiw.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|fyzuvejemuxoqiw|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25698; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gecadutolu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gecadutolu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25699; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gybejajehekyfet.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|gybejajehekyfet|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25700; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain hiveqemyrehinex.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|hiveqemyrehinex|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25701; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain kyqehurevynyryk.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kyqehurevynyryk|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25702; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lofyjisoxo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lofyjisoxo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25703; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain loqytylukykiruf.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|loqytylukykiruf|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25704; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lujuhijalu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lujuhijalu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25705; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain luxohygity.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|luxohygity|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25706; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain moqawowyti.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|moqawowyti|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25707; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain musututefu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|musututefu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25708; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mysotonego.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|mysotonego|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25709; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain negenezepu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|negenezepu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25710; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pyziviziny.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pyziviziny|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25711; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qecytylohozariw.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qecytylohozariw|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25712; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qokimusanyveful.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qokimusanyveful|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25713; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qudevyfiqa.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|qudevyfiqa|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25714; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain radohowexehedun.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|radohowexehedun|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25715; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain relusibeci.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|relusibeci|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25716; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain rulerykozu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|rulerykozu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25717; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain sygonugeze.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|sygonugeze|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25718; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain taqyhucoka.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|taqyhucoka|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25719; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain tebejoturu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|tebejoturu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25720; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vesufopodu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vesufopodu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25721; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vujygijehu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vujygijehu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25722; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vyzefykeno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vyzefykeno|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25723; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain wezadifiha.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wezadifiha|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25724; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain xatawihuvo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|xatawihuvo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25725; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain xohuhynevepeqyv.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xohuhynevepeqyv|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25726; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zuhokasyku.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zuhokasyku|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25727; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zykuxykevu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zykuxykevu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25728; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain all-celeb.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|all-celeb|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25729; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain allsearchforyou.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|allsearchforyou|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25730; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bestpornodrive.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|bestpornodrive|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25731; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain beststoresearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|beststoresearch|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25732; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain catalogforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|catalogforyou|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25733; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain catalogpornosearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|catalogpornosearch|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25734; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain celebrity-info.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|celebrity-info|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25735; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain drafsddhjk.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|drafsddhjk|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25736; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain easy-statistics.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|easy-statistics|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25737; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ekstaz.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ekstaz|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25738; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain facesystem.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|facesystem|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25739; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain famouspeopledata.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|famouspeopledata|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25740; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain famouspeopleinformation.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|17|famouspeopleinformation|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25741; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain findalleasy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|findalleasy|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25742; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain findallsimple.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|findallsimple|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25743; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freepornoreport.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|freepornoreport|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25744; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freepornoshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|freepornoshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25745; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freesearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|freesearchshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25746; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain localfreecatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|localfreecatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25747; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain loveplacecatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|loveplacecatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25748; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lovepornomoney.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|lovepornomoney|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25749; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newpornopicture.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|newpornopicture|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25750; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newsearchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|newsearchnecessary|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25751; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newsearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|newsearchshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25752; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornobeetle.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pornobeetle|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25753; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornofreecatalogs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|pornofreecatalogs|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25754; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornofreeforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|pornofreeforyou|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25755; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornowinner.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pornowinner|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25756; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain proshopcatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|proshopcatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25757; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain searchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|searchnecessary|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25758; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain search-porno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|search-porno|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25759; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain shopcataloggroup.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|shopcataloggroup|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25760; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain shop-work.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shop-work|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25761; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain superstarsinfo.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|superstarsinfo|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25762; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain winnerfree.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|winnerfree|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:trojan-activity; sid:25763; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain 24131192124.com - Win.Trojan.Chebri.C "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|24131192124|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FChebri.C; classtype:trojan-activity; sid:25946; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent cibabam"; flow:to_server,established; http_header; content:"User-Agent|3A| cibabam|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/d8a18e7ce01d17149ada4a46ff3889da/analysis/; classtype:trojan-activity; sid:26248; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mercury.yori.pl - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mercury|04|yori|02|pl|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.virustotal.com/en/file/3b10dea660714efe9d89b8473196be64445741a2b9d36f9ddf5e45e744a9e320/analysis/; classtype:trojan-activity; sid:26265; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain suppp.cantvenlinea.biz - Bitcoin Miner upload"; flow:to_server; content:"|05|suppp|0C|cantvenlinea|03|biz"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26396; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|08|eastmoon|02|pl|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26399; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|s|07|richlab|02|pl|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26400; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|gigabsh|03|org"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26401; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|com"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26402; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|h|08|opennews|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26403; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|0A|dailyradio|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26404; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|net"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26405; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|photobeat|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26406; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|uranus|03|kei|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26407; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gigashpere|02|su"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26408; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"ext|08|myshopers|03|com"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26409; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"BLACKLIST User-Agent known malicious user agent NOKIAN95/WEB"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2F|WEB"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:26522; rev:2; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|d1js21szq85hyn|0A|cloudfront|03|net"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26554; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xxxxxxxxxxxxxxx|03|kei|02|su"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26555; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|0A|dailyradio|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:dns; classtype:trojan-activity; sid:26556; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Malicious user agent Brutus AET"; flow:to_server,established; http_header; content:"Mozilla|2F|3.0 |28|Compatible|29 3B|Brutus|2F|AET"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,sectools.org/tool/brutus; classtype:misc-activity; sid:26558; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent Opera 10"; flow:to_server,established; http_header; content:"Opera/10|20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.elitemarketingworld.net - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|elitemarketingworld|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26580; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.rsakillerforever.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|10|rsakillerforever|04|name|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26581; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.allamericanservices.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|allamericanservices|04|name|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26582; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain msnsolution.nicaze.net - Genome Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|msnsolution|06|nicaze|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,camas.comodo.com/cgi-bin/submit?file=f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44; reference:url,www.virustotal.com/en/file/f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44/analysis/1367863560/; classtype:trojan-activity; sid:26583; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain theimageparlour.net - Vobfus worm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|theimageparlour|03|net|00|"; content:"|03|ns"; content:"|0F|",within 2; content:"theimageparlour|03|net|00|",within 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.virustotal.com/en/file/cbee43ecc75d6f29061416add74a78ce5e36c67b85e186d66338399305e594d4/analysis/; classtype:trojan-activity; sid:26589; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www2.x3x4.su - backdoor trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www2|04|x3x4|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.virustotal.com/en/file/a6cad9e09f5049f432491037946acf3376d3d957b97f49ecb22f86531fb0b7de/analysis/; classtype:trojan-activity; sid:26654; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string J13A"; flow:to_server,established; http_header; content:"User-Agent: J13A|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/de/file/75667889BC6ACBB77E57EF02DDE1D908EEF9625292618E31E7D4F5194733C6F0/analysis/; classtype:trojan-activity; sid:26685; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Alina"; flow:to_server, established; http_header; content:"User-Agent|3A| Alina"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/102fa9c066102db7ebf821e28dbc6363d544843bfe45c331eb826663ab6c74b9/analysis/; classtype:trojan-activity; sid:26686; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Win"; flow:to_server,established; http_header; content:"User-Agent|3A| Win|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26702; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain - Backdoor Rbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|07o|05|no-ip|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.virustotal.com/en/file/bee6e4bb1aba3934388948b48c59068fac3bf467ea9bde8d043ee6481a4d8431/analysis/1369236935/; classtype:trojan-activity; sid:26718; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - msctls_progress32"; flow:to_server,established; http_header; content:"User-Agent|3A| msctls_progress32|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/0b88db0c00910a9f018189a01bb9ab2b166cf16f73930d96e519281d6c5b3001/analysis/; classtype:trojan-activity; sid:26751; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vseforyou.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|vseforyou|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26781; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain commorgan.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|commorgan|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26782; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.silobiancer.com - Win.Trojan.Rombrast Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|silobiancer|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26913; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain goliyonzo.pw - BackDoor Comet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|goliyonzo|02|pw|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,mwanalysis.org/?page=report&analysisid=2156196&password=gtrcgbtwhh; reference:url,www.virustotal.com/en/file/b2e7148311c223519042ba38e1ef8a48061645d5bdcadf9763386ad92fcc2654/analysis/; classtype:trojan-activity; sid:26914; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zalil.ru - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zalil|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,mwanalysis.org/?page=report&analysisid=2156195&password=ykndnbluja; reference:url,www.virustotal.com/en/file/22ecaeec7bf54ac3bb8deecd092447c8d62e8e4a928dcaada0348b08db2d1f94/analysis/; classtype:trojan-activity; sid:26915; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain soywey.sin-ip.es - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|soywey|06|sin-ip|02|es|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.virustotal.com/en/file/218bf5badb5658d06b14d376c92834622b6a171dde9fa8dded755d9fd54c4dae/analysis/; classtype:trojan-activity; sid:26916; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain bigmack.opendns.be - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bigmack|07|opendns|02|be|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.mywot.com/en/scorecard/bigmack.opendns.be?page=3; classtype:trojan-activity; sid:26917; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain trafficconverter.biz - ChronoPay"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|trafficconverter|03|biz|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,krebsonsecurity.com/2011/03/chronopays-scareware-diaries/#more-8331; classtype:trojan-activity; sid:26918; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain kjwre9fqwieluoi.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kjwre9fqwieluoi|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26919; rev:1; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain kukutrustnet777.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kukutrustnet777|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26920; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain memo-stat.com - Htbot"; flow:to_server; content:"|09|memo-stat|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27043; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain twinkcam.net - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|twinkcam|03|net|00|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27180; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cinnamyn.com - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|cinnamyn|03|com|00|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27181; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain restless.ru - Gamarue Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|restless|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27247; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - yahoonews"; flow:to_server,established; http_header; content:"User-Agent|3A| yahoonews|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/49608d016caf8dc31e95e01bd76cc4ac3f37df47b1299931f872e67a4ec80fa3/analysis/; classtype:trojan-activity; sid:27263; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ohtheigh.cc - Foreign-R Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|ohtheigh|02|cc|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Foreign-R/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/787cf06f029d8f79ed375aef13d18301541d73a56b4415da433833b8dae27b63/analysis/1374765802/; classtype:trojan-activity; sid:27537; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain prospexleads.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|prospexleads|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27559; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain phonebillssuck.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|phonebillssuck|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27560; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain myimpactblog.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|myimpactblog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27561; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fixingsocialsecurity.org - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|fixingsocialsecurity|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27562; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain keurslager-demeulder.be - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|keurslager-demeulder|02|be|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27563; rev:1; )
+alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ftp.sigmasolutions.gr - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|0E|sigmasolutions|02|gr|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27564; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 1"; flow:to_client,established; file_data; content:"src=|22|https|3A 2F 2F|www.google.com|2F|accounts|2F|ManageAccount?hl=fr|22|"; content:"javascr|5C|u0009ipt|3A|alert|28|document.cookie"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16667; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 2"; flow:to_client,established; file_data; content:"src=|22|http|3A 2F 2F|www.google.ca|2F|language_tools?hl=en|22|"; content:"window.open|28 27|j|5C|navascript|3A|alert|28|document.cookie|29 27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16668; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome float rendering corruption attempt"; flow:to_client,established; file_data; content:"display: list-item"; content:"display: -webkit-inline-box"; content:"removeChild|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-1804; classtype:attempted-user; sid:19710; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client, established; file_data; content:"first-letter",nocase; content:"direction",distance 0,nocase; content:"rtl",within 8; content:"whitespace |3D| ",distance 0,nocase; content:"pre",within 10,nocase; content:"|3C|span",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35326; reference:cve,2009-1392; classtype:attempted-user; sid:17613; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"cobj|2E|id=|22|testcase|22|",fast_pattern,nocase; content:"document|2E|body|2E|appendChild|28|cobj|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3765; classtype:attempted-user; sid:19292; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E|",depth 70; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18486; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18485; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox new function garbage collection remote code execution attempt"; flow:to_client,established; file_data; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|29 27 29 3B 20 7D|"; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|2C|buf|29 27 29 3B 20 7D|",within 200; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18302; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox GeckoActiveXObject memory corruption attempt"; flow:to_client,established; file_data; content:"str|2B 3D|str|3B|"; content:"window.GeckoActiveXObject|28|str|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18301; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; file_data; content:"editEl|20 3D 20|window|2E|el|3B|"; content:"editEl|2E|innerHTML|20 3D 20|value|3B|",distance 0; content:"editEl|2E|disabled|20 3D 20|false|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-3801; reference:url,osvdb.org/show/osvdb/27558; classtype:attempted-user; sid:18263; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine function arguments memory corruption attempt"; flow:to_client,established; file_data; content:"|3B|i<25|3B|i++|29| fe += fe|3B|"; content:"fu=new Function|28 0A|"; content:"fe, fe, fe, fe, fe, fe, fe,",within 30; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18262; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine String.toSource memory corruption attempt"; flow:to_client,established; file_data; content:"var rr=",nocase; content:".toSource|28 29 3B|",within 12,distance 1; content:"for|28|i=0|3B|i<1024|2A|1024|3B|i++|29| meg += |22|v|22 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18261; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox InstallTrigger.install memory corruption attempt"; flow:to_client,established; file_data; content:"InstallTrigger.install.call|28|document|2C 22|a|22 2C 22|a|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,17516; reference:cve,2006-1790; classtype:attempted-user; sid:18187; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox PKCS11 module installation code execution attempt"; flow:to_client,established; file_data; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36343; reference:cve,2009-3076; classtype:attempted-user; sid:16142; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"getElementById|28|'para'|29|.childNodes[0].splitText|28|11|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:17719; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"contentDocument.designMode",nocase; content:"addEvenListener|28|",distance 0,nocase; content:"iframe.style.position",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:17570; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow"; flow:to_client,established; file_data; content:"<a href=|22 01 78 78|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31346; reference:cve,2008-0016; classtype:attempted-user; sid:17519; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JIT escape function memory corruption attempt"; flow:to_client,established; file_data; content:"=data.charAt("; content:"function",nocase; content:"(data)",within 50,nocase; content:"if(",distance 0,nocase; content:"=='",within 125; content:"'",within 1,distance 1; content:" = escape(",within 135; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35660; reference:cve,2009-2477; reference:url,www.kb.cert.org/vuls/id/443060; classtype:attempted-user; sid:15997; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter {float|3A| ",fast_pattern; content:".setAttribute|28|'style', 'display|3A| -moz-box|3B| '|29 3B|"; content:".style.display= 'none'|3B|",within 60; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36866; reference:cve,2009-3382; classtype:attempted-user; sid:16347; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"<script>|0A|function doe|28 29|"; content:"getElementById|28|'a'|29|.childNodes[0].splitText|28|1|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:16284; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_client,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; content:"return res.slice(0, str.length * num)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:15699; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox XBL Event Handler Tags Removal memory corruption attempt"; flow:to_client,established; file_data; content:"XUL_NS"; content:"child.parentNode.removeChild",distance 0; content:"onselect=|22|deleteChild|28|event.originalTarget|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,26132; reference:cve,2007-5339; classtype:attempted-user; sid:15383; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_client,established; file_data; content:"|2E|view|2E|selection",nocase; content:"|2E|invalidateSelection",distance 0,nocase; pcre:"/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-0073; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; classtype:attempted-user; sid:20072; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption"; flow:to_client,established; file_data; content:"var tags = new Array|28 22|audio|22|, |22|a|22|, |22|base|22 29|",nocase; content:"var html = |22|<|22| + tags[i] + |22| |22| + atts[j]",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3765; classtype:attempted-user; sid:17804; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based"; flow:to_client,established; file_data; content:"wOFFOTTO"; content:"|00 00|",within 2,distance 6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16502; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType"; flow:to_client,established; file_data; content:"wOFF|00 01 00 00|"; content:"|00 00|",within 2,distance 6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16501; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ConstructFrame with floating first-letter memory corruption attempt"; flow:to_client,established; file_data; content:"first-letter",nocase; content:"float: right",distance 0,nocase; content:"parentNode.removeAttribute(|22|class|22|)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35765; reference:cve,2009-2462; classtype:attempted-user; sid:17642; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|6|5D 20 3D 20 22|toto|22 3B|"; content:"a|2E|splice|28|6|2C 20|1|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17399; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|10|5D 20 3D 20 22|AAAAAAAAAA|22 3B|"; content:"a|2E|splice|28|10|2C 20|1|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17398; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt"; flow:to_client,established; file_data; content:"selection|2E|timedSelect|28|1|2C|8000|29 3B|"; content:"tree|2E|view|2E|selection|3D|null|3B|",distance 0; content:"delete|20|tree",distance 0; content:"delete|20|selection"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:17258; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; file_data; content:"type=",nocase; content:"file",within 7,distance 1,nocase; content:"getElement",nocase; pcre:"/var\s*(?P<varname>[^\s]*)\s*\x3d\s*[^\x2E]*\x2EgetElement[^\x28]*\x28(\x22|\x27)(?P<elementid>[^\x22\x27]*)(\x22|\x27)\x29.*(?P=varname)\x2etype\s*\x3D\s*(\x22|\x27)(?!file).*id\s*\x3d\s*(\x22|\x27)(?P=elementid)[^>]*type\s*=\s*(\x22|\x27)file/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32281; reference:cve,2008-5021; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-55.html; classtype:attempted-user; sid:17603; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xul; file_data; content:"style="; content:"<treechildren",nocase; content:"<treechildren",distance 0,nocase; content:"ordinal"; content:"event.target.parentNode.removeChild"; pcre:"/onoverflow\s*?=\s*?(\x22|\x27)\s*?event\.target\.parentNode\.removeChild/smi"; pcre:"/<treechildren.*?ordinal=.*?<treechildren/smi"; pcre:"/<tree.*?tree(?!children).*?<treechildren.*?<treechildren/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,32281; reference:cve,2008-5016; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-52.html; classtype:attempted-user; sid:17601; rev:9; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"iframe",nocase; content:"iframe.contentDocument.designMode",nocase; content:"addEventListener",nocase; pcre:"/addEventListener\s*\(\s*(?P<q>\x22|\x27|)(mouse(move|down)|keydown)(?P=q)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:13838; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|label|22| match=|22|item2|22| use=|22|w00t|28 29 22|/>"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:15431; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|poc|22| match=|22|nodeB|22| use=|22|does_not_exist|28 29 22|/>"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:17444; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0xffffffff",nocase; content:"a.reduceRight|28|callback|2C|0|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19713; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0x81000002",nocase; content:"a.reduceRight|28|callback|2C|0|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19714; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|25 6E 25 6E 25 6E 25 6E 25 6E 25 6E 22 45 57 49 44 54 48 3D 6C 65 66 74 20 53 49 5A 45 3D 8B 8B 8B 8B 8B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18077; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|3C|HR WIDTH|3D|4444444 COLOR|3D 22 23|000000|22 3E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18078; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"|25|3C|21 2D 2D 25|20Comment|25|20|2D 2D 25|3E|25|3Csvg|25|20xmlns|3D 25|22http|3A 2F 2F|www|2E|w3|2E|org|2F|2000|2F|svg|25|22|25|20version|3D 25|221|2E|1|25|22|25|20baseProfile|3D 25|22full|25|22|25|3E|25|3C|2F|svg|25|3E"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:18296; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt"; flow:to_client,established; file_data; content:"|3C|q style|3D 22|position|3A|relative|3B 22 3E 3C|q style|3D 22|position|3A|relative|3B 22 3E|"; content:"|2E|style|2E|position|3D 27|static|27 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,16476; reference:cve,2006-0294; classtype:attempted-user; sid:18286; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products EscapeAttributeValue integer overflow attempt"; flow:to_client,established; file_data; content:"alert|28|xx.toXMLString"; content:"for|28|i=0|3B|i<|28|1024*1024|29|/2|3B|i++|29| m += |22 5C|n|22 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,16476; reference:cve,2006-0297; classtype:attempted-user; sid:18250; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products -moz-grid and -moz-grid-group display styles code execution attempt"; flow:to_client,established; file_data; content:"|3C|button onclick|3D 22|document|2E|getElementsByTagName|28 27|row|27 29 5B|0|5D 2E|style|2E|display|3D 27 2D|moz|2D|grid|2D|group|27 22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,17516; reference:cve,2006-1738; classtype:attempted-user; sid:18186; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"bb.appendChild|28|fr.childNodes[4]|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:15999; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Products SVG Layout Engine Index Parameter memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById|28 22|path|22 29|.pathSegList.getItem|28|-1|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:15164; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla multiple products CSSValue array memory corruption attempt"; flow:to_client,established; file_data; content:"counter|2D|reset|3A|"; content:"counter|2D|increment|3A|",distance 0; content:"|3C|ol|20|id|3D 22|id1|22 3E 0A|",distance 0; content:"|3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,29802; reference:cve,2008-2785; classtype:attempted-user; sid:17630; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"len = 0xffffffff"; content:".reduceRight"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24187; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:".length = 2197815302"; content:".reduceRight"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24188; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_server,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; content:"return res.slice(0, str.length * num)"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:26188; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Multiple browser marquee tag denial of service attempt"; flow:to_client,established; file_data; content:"document.write|28 27|<html><marquee><h1>|27|+buffer+buffer|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,18165; reference:cve,2006-2723; classtype:attempted-dos; sid:18188; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"readystatechange"; content:"addEventListener"; content:"ArrayBuffer("; content:"Int32Array"; content:"window.stop"; content:!"ArrayBufferView"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:27568; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer navcancl.htm url spoofing attempt"; flow:to_client,established; file_data; content:"ieframe.dll/navcancl.htm|23|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,22966; reference:cve,2007-1499; reference:cve,2007-1752; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:misc-attack; sid:11834; rev:15; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0D 09 09 09 09 09 09 09 09 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21993; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 20 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21992; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 2E 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0D 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21991; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"Content-Encoding|3A|deflate",nocase; content:"|5C|Content-Range|3A 0D 0A 0D 0A 0D 0A 09| |09 09| |09| |09 09 09 09 09| |09 09| |09| |09 09| |09 09| |09 09 09| |09| |09| |09| |09| |09 09 09| |09 09| |09| |09 09 09| |09| |09| |09| |09 09 09 09 09 09| |09 09| |09|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:16149; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt - unescaped"; flow:to_client,established; file_data; content:"%53%52%43%3d%5c%5c%26%23",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17401; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Cross-Domain information disclosure attempt"; flow:to_client,established; file_data; content:"alert|28|myLink.styleSheet.cssText|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43709; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:19411; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById|28|'colid1'|29 2E|onpropertychange|20|="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37891; reference:cve,2010-0244; classtype:attempted-user; sid:18951; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"document.writeln|28 28|block.length|2B|memory|5B|0|5D 2E|length|2A|300|29 29 3B|"; content:"child_creator.click|28 29 3B|",within 100; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18523; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_creator|20 3D 20|document|2E|createElement|28 22 3C|A target|3D 27|_blank|27|"; content:"document.body.insertBefore|28|child_creator|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18522; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_element|20 3D 20|child|2E|document|2E|createElement|28 22 22 29 3B|"; content:"child_element|2E|appendChild|28|parent_element|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18521; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"try { window.open().document.appendChild(document)|3B| } catch(e) {}"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18520; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"filler|20 2B 3D 20|unescape|28 22 25|u0000|25|u0000"; content:"obj|2E|insertBefore|28|document|2E|createElement|28|filler|29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18519; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt"; flow:to_client,established; content:"|61 00 72 00 65 00 6E 00 74 00 5F 00 65 00 6C 00 65 00 6D 00 65 00 6E 00 74 00 2E 00 61 00 70 00 70 00 65 00 6E 00 64 00 43 00 68 00 69 00 6C 00 64 00 28 00 64 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 2E 00 63 00 72 00 65 00 61 00 74 00 65 00 43 00 6F 00 6D 00 6D 00 65 00 6E 00 74 00 28 00 73 00 4D 00 53 00 48 00 54 00 4D 00 4C 00 5F 00 68 00 65 00 61 00 70 00 5F 00 73 00 70 00 72 00 61 00 79 00 29 00 29 00 3B 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18518; rev:6; )
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer History.go method double free corruption attempt"; flow:to_client,established; file_data; content:"str2|20 3D 20|str|3B|"; content:"history|2E|go|28|str2|29 3B|",distance 0,fast_pattern; content:"str2|20 2B 3D 20|str|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34423; reference:cve,2009-0552; classtype:attempted-user; sid:18482; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:"|3C|input type|3D 22|checkbox|22 20|id|3D 27|c|27 3E|"; content:"r|3D|document|2E|getElementById|28 22|c|22 29 3B|",distance 0; content:"a|3D|r|2E|createTextRange|28 29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:18313; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; file_data; content:"|26|lt|3B 2F|span|26|gt|3B 0A 26|lt|3B|pre|26|gt|3B|"; content:"|26|lt|3B|colgroup|26|gt|3B 0A 26|lt|3B|small|26|gt|3B 0A 26|lt|3B 2F|small|26|gt|3B 0A 26|lt|3B 2F|colgroup|26|gt|3B|",distance 0; content:"|26|lt|3B 2F|object|26|gt|3B 0A 26|lt|3B 2F|bdo|0A 26|lt|3B 2F|th|0A 26|lt|3B 2F|object",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-1188; classtype:attempted-user; sid:18306; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer script action handler overflow attempt"; flow:to_client,established; file_data; content:"for|28|s|3D 27 3C|a|20|onclick|3D 27 2C|i|3D|0|3B|"; content:"document|2E|write|28|s|2B 27 3E 27 29|",distance 0; content:"s|2B 3D|s|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:18303; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; file_data; content:"<embed type=|27 22| + asMimeTypes.shift"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:17729; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt"; flow:to_client,established; file_data; content:"var nopsled",nocase; content:"cloneNode|28 29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:17644; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer event handler memory corruption attempt"; flow:to_client,established; file_data; content:"activate = function ()"; pcre:"/on(before|de)activate\s*\x3d\s*function\s*\x28\x29\s*\x7b\s*call(back|malFunc)\x28\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35224; reference:cve,2009-1530; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-user; sid:17566; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution"; flow:to_client,established; file_data; content:"for",nocase; content:"i=0|3B| i<20|3B| i++",within 30; content:"document.location.href=fileURL",within 50; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,25916; reference:cve,2007-3892; classtype:attempted-admin; sid:17549; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"adong7",nocase; content:"adong7",distance 0,nocase; content:"datasrc",distance 0,nocase; content:"datafld",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17402; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 09 0A 0D 09 20 0A 20 0A 20 0D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17263; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt"; flow:to_client,established; file_data; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%48%54%4d%4c%3e"; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%54%45%58%54%3e",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:bugtraq,32721; reference:cve,2008-4844; classtype:attempted-user; sid:16605; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt"; flow:to_client,established; file_data; content:"<object",offset 0,nocase; pcre:!"/^[^>]*?data\s*=/Rmis"; content:"margin",nocase; pcre:"/<[^>]*?style\s*[>=].{1,1024}margin\s*\x3a\s*[^\x3b\x7d]*?-(\d{4}|1[0-9][1-9]|[2-9]\d\d)[ce][mx].*?[\x7b\x3b]/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:23836; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 memory disclosure attempt"; flow:to_client,established; file_data; content:"X-UA-Compatible"; content:"content=",nocase; content:".postMessage("; pcre:"/<\s*?meta\s+.*?(http-equiv=(?P<q1>[\x22\x27])\s*?X-UA-Compatible\s*?(?P=q1).*?[^>]content=(?P<q2>[\x22\x27])\s*?IE=\s*?(EmulateIE9|Edge|9)\s*?(?P=q2)|content=(?P<q3>[\x22\x27])\s*?IE=\s*?(EmulateIE9|Edge|9)\s*?(?P=q3).*?[^>]http-equiv=(?P<q4>[\x22\x27])\s*?X-UA-Compatible\s*(?P=q4)).*?(\w\x2epostMessage\x28\s*.*?\x5c0.*?\x29|var\s+(?P<var>\w+)\s*?=\s*?(?P<q5>[\x22\x27]).*?[^\x3b]\x5c0.*?\x3b.*?\w\x2epostMessage\x28\s*?(?P=var))/imsO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23128; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",fast_pattern,nocase; content:"fixed",within 7,nocase; pcre:"/<\s*script.*?(?P<var>\w+)\s*=\s*document\.getElementById\s*\x28\s*[\x22\x27](?P<col_id>[^\x22\x27]+)[\x22\x27]\s*\x29.*?((?P=var)\.span.*?<\s*table.*?<col[^>]*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?>.*?<\s*\/\s*table\s*>|<\s*col.*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?span\s*=\s*[\x22\x27]?\d)/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23124; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 DOM element use after free attempt"; flow:to_client,established; file_data; content:"onpropertychange"; pcre:"/<script[^>]*?for\s*=\s*[\x22\x27]?.*?event\s*=\s*[\x22\x27]?onpropertychange[\x22\x27]?[^>]*?>/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-1877; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23117; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNode use after free attempt"; flow:to_client,established; file_data; content:"srcElement.parentNode.removeChild"; pcre:"/\w+\.getElementById\(.*?\)\.attachEvent\(\s*(?P<q1>[\x22\x27]?)(?P<eventid>.*?)(?P=q1)\s*,\s*(?P<repro>\w+)\s*\)\;.*?var\s+(?P<target>\w+)\s*=\s*\w+\.getElementById\(.*?\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q2>[\x22\x27]?)(?P=eventid)(?P=q2)\s*\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q3>[\x22\x27]?)(?P=eventid)(?P=q3)\s*\)\;.*?function\s+(?P=repro)\s*\(\s*(?P<arg>\w+)\s*\)\s*{.*?(?P=arg)\.srcElement\.parentNode\.removeChild\(\s*(?P=arg)\.srcElement\s*\)\;.*?}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-1878; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23116; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand|28|'selectAll'|29|",nocase; content:"document.execCommand|28|'selectAll'|29|",distance 0,nocase; content:"<body onload",distance 0,nocase; content:"onbeforedeactivate=",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:22038; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_client,established; file_data; content:"|3C 3F|IMPORT namespace=|22|",nocase; content:"implementation=|22|#default#VML|22 3E|",within 50,nocase; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:21793; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer location and location.href cross domain security bypass vulnerability"; flow:to_client,established; file_data; content:"window.open",nocase; content:".location",nocase; pcre:"/\.location(\.href)?\s*=\s*new\s+String\s*\x28\s*\x22\s*javascript\x3A/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-2947; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14643; rev:9; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ExecWB security zone bypass attempt"; flow:to_client,established; file_data; content:"ExecWB",nocase; pcre:"/ExecWB\s*\x28\s*[^\x2c\x29]*(7|IDM_PRINTPREVIEW)[^\x29]+http\x3a\x2f\x2f/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:17692; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross-domain navigation cookie stealing attempt"; flow:to_client,established; file_data; content:"setInterval|28|'xDomainAccess|28 29|',1|29 3B|",nocase; content:"setInterval|28 22|try { myWindow.location.href = victimLnk|3B|}",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-3091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:misc-attack; sid:15529; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer XSS mouseevent PII disclosure attempt"; flow:to_client,established; file_data; content:"setcapture|28 29|"; content:"onclick=",nocase; content:"event",nocase; content:"srcelement.",distance 0,nocase; pcre:"/(?P<divname>\w+)\x2esetcapture\x28\x29.*?<div[^\x3e]*?(?P=divname)[^\x3e]*?onclick\x3d/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-3473; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:web-application-activity; sid:14656; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross domain componentFromPoint memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|componentFromPoint|28|",nocase; pcre:"/(\S+)\s+\x3d[^\x3b]*\x2e(createElement|getElementById)\x28.*\1\x2ecomponentFromPoint\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-3475; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14657; rev:9; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX function call access"; flow:to_client,established; file_data; content:"DXTransform.Microsoft.DXLUTBuilder"; pcre:"/(?P<c>\w+)\s*=\s*(\x22DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x22|\x27DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x22|\x27DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13455; rev:10; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX clsid access"; flow:to_client,established; file_data; content:"1e54333b-2a00-11d1-8198-0000f87557db",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1e54333b-2a00-11d1-8198-0000f87557db\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13453; rev:10; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table layout access violation vulnerability"; flow:to_client,established; file_data; content:"|2E|getClientRects|28 29|",nocase; content:"|2E|clearAttributes|28 29|",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-2258; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-045; classtype:misc-attack; sid:13961; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt"; flow:to_client,established; file_data; content:"|2E|ExecWB"; pcre:"/\x2eExecWB\s*\x28(IDM_PRINTPREVIEW|7)\x2c\s+(0|2)\x2C\s+\x22http/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,osvdb.org/show/osvdb/47414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-045; classtype:attempted-user; sid:13963; rev:10; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer marquee object handling memory corruption attempt"; flow:to_client,established; file_data; content:"MARQUEE",nocase; content:"onstart",distance 0,nocase; pcre:"/\x3c\s*Marquee[^\x3e]*onstart\s*\x3D\s*\x22\s*document\x2e(write|writeln|open)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-0554; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-014; classtype:attempted-user; sid:17462; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; file_data; content:"function|20|open|5F|win|28 29|"; content:"document|2E|body|2E|innerHTML|20 3D|",distance 0; content:"|22 3C|embed|20|type|3D 27|audio|2F|midi|27 3E|",distance 0; content:"setInterval|28 27|open|5F|win|28 29 27 2C 20|1|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:17709; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated"; flow:to_client,established; dsize:<800; file_data; content:"<html>",nocase; content:"createElement",distance 0,nocase; content:"cloneNode",nocase; content:"clearAttributes",nocase; content:"CollectGarbage",nocase; content:"</html>",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:16339; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt"; flow:to_client,established; file_data; content:"cloneNode",nocase; content:"clearAttributes",distance 0,nocase; pcre:"/(?P<cl>\w+)\s*=\s*(?P<o>\w+)\.cloneNode.*?(?P=o)\.clearAttributes.*?(?P=o)\s*=\s*null\s*\x3B.*?(?P=cl)\.click\s*\x3B/Osmi"; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:15304; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt"; flow:to_client,established; file_data; content:"createEventObject"; content:"innerHTML",distance 0; pcre:"/createEventObject[^\x7D]+innerHTML\s*\x3D\s*\S+[^\x7D]+(setTimeout|setInterval)/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16367; rev:10; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 7/8 execute local file in Internet zone redirect attempt"; flow:to_client,established; http_header; content:"|0A|Location|3A|",nocase; content:"file|3A|//127.0.0.1",distance 0,fast_pattern; pcre:"/^Location\x3a[^\n]*file\x3a\x2f\x2f127\x2e0\x2e0\x2e1/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0255; reference:cve,2010-0555; reference:url,technet.microsoft.com/en-us/security/advisory/980088; classtype:attempted-user; sid:16423; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|7B|behavior",nocase; content:"url|28 23|default|23|userData|29|",distance 0,nocase; content:"setAttribute"; pcre:"/(?P<class>[A-Z\d_]+)\s*\x7Bbehavior\s*\x3a\s*url\x28\x23default\x23userData\x29.*?(?P<obj>[A-Z\d_]+)\x2EsetAttribute\x28[^,]+,\s*[A-Z]\x29.*?\x3cMARQUEE\s*id\x3d\x22(?P=obj)\x22\s*class\x3d\x22(?P=class)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; classtype:attempted-user; sid:17689; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|script|3E|",nocase; content:"|2E|style|2E|behavior",nocase; content:"|23|default|23|userData",distance 0,nocase; content:"setAttribute|28|"; pcre:"/(?P<obj>[A-Z\d_]+)\x2Estyle\x2Ebehavior\s*\x3D\s*\x22url\x28\x27\x23default\x23userData\x27\x29\x22.*?(?P=obj)\x2EsetAttribute\x28[^,]+,\s*[A-Z]/smi"; content:"|3C 2F|script|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:17688; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",distance 0,nocase; pcre:"/(?P<obj>[A-Z\d_]+)\.addBehavior\x28(?P<q1>\x22|\x27|)[^\x29]*\x23default\x23userData(?P=q1)\x29.*?(?P=obj)\.setAttribute\x28[^,]+,\s*[A-Z]/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16482; rev:9; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer boundElements arbitrary code execution"; flow:to_client,established; file_data; content:"event.boundElements"; content:"window.close"; pcre:"/on(load|click)\s*=\s*\x22?window\.close\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42288; reference:cve,2010-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-053; classtype:attempted-user; sid:17130; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6 #default#anim attempt"; flow:to_client,established; file_data; content:"behavior:url('#default#anim')",nocase; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2010-3343; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-090; classtype:attempted-user; sid:18216; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer oversize recordset object cache size exploit attempt"; flow:to_client,established; file_data; content:"recordset"; content:".CacheSize",within 100; pcre:"/^\s*=\s/R"; byte_test:10,>,0x3ffffffe,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-1117; reference:cve,2010-1118; reference:cve,2010-1259; reference:cve,2010-1262; reference:cve,2011-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-002; classtype:attempted-user; sid:18280; rev:10; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer document.insertBefore memory corruption attempt"; flow:to_client,established; file_data; content:"document.insertBefore(document"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-0036; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-admin; sid:18404; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_client,established; file_data; content:"#default#time2"; content:"schemas-microsoft-com:time",nocase; content:"contenteditable",nocase; content:"|3A|transitionFilter",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19237; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML user after free attempt"; flow:to_client,established; file_data; content:"urn:schemas-microsoft-com:vml"; pcre:"/<v\s*\x3a\s*(image|imagedata|fill|stroke)\s+id\s*=\s*\x22([^\x22]*)\x22[^\x3E]*style\s*=\s*\x22[^\x22]*\x23default\x23VML[^\x22]*\x22.*document\x2EgetElementById\s*\x28\s*\x22\2\x22\s*\x29\x2Esrc\s+\x3D/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,48173; reference:cve,2011-1266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-052; classtype:attempted-user; sid:19910; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer MDAC remote code execution attempt"; flow:to_client,established; file_data; content:"eval|28 22|r|3D|o|22|",nocase; content:"ect|28|n|2C 27 27 29|",distance 0,nocase; pcre:"/bj\x22[\x0D\x0A\s\t]*\x2b[\x0D\x0A\s\t]*\x22ect\x28n\x2C\x27\x27\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-014; classtype:attempted-user; sid:19872; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt"; flow:to_client,established; content:"302 Redirect",nocase; http_header; content:"Location|3A 20|cdl|3A 2F 2F|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-1262; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-admin; sid:19245; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 toStaticHTML XSS attempt"; flow:to_client,established; file_data; content:"toStaticHTML(",fast_pattern,nocase; content:"expression(",within 100,nocase; pcre:"/toStaticHTML\x28.*?[\x26\x22].=expression\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-1252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19239; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt"; flow:to_client,established; file_data; content:"|3C|em id|3D 22|obj|22 3E|"; content:"obj|2E|outerHTML|2B 2B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0490; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19147; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt"; flow:to_client,established; file_data; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|"; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|",distance 0; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|",distance 0; pcre:"/\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00([^\x22]+)\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,45246; reference:cve,2010-3971; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-user; sid:18240; rev:9; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|radio|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22radio\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17262; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|checkbox|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22checkbox\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17261; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|image|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22image\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:16035; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName|28|'STYLE'|29|[0].outerHTML"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:bugtraq,37085; reference:cve,2009-3672; reference:cve,2009-4054; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16311; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer isindex buffer overflow attempt"; flow:to_client,established; file_data; content:"<style>",nocase; content:"<isindex>",distance 0,fast_pattern,nocase; content:"<style>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,27668; reference:cve,2008-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-010; classtype:attempted-user; sid:16063; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"datasrc",nocase; content:"datafld",nocase; pcre:"/<(?P<t1>button|div|input[^>]+?type\s*=\s*(\x22|\x27)button(\x22|\x27)|label|legend|marquee|param|span)\s+[^>]*(datasrc\s*=\s*(?P<q1>\x22|\x27|)(?P<d1>\S+)(?P=q1)\s+[^>]*datafld\s*=\s*(?P<q2>\x22|\x27|)(?P<d2>\S+)(?P=q2)|datafld\s*=\s*(?P<q3>\x22|\x27|)(?P<d3>\S+)(?P=q3)\s+[^>]*datasrc\s*=\s*(?P<q4>\x22|\x27|)(?P<d4>\S+)(?P=q4))[^>]*>(?!.*?<\/\s*(?P=t1)\s*>.*?<(?P=t1)).*?<(?P=t1)\s+[^>]*(datasrc\s*=\s*(?P<q5>\x22|\x27|)((?P=d1)|(?P=d3))(?P=q5)\s+datafld\s*=\s*(?P<q6>\x22|\x27|)((?P=d2)|(?P=d4))(?P=q6)|(datafld\s*=\s*(?P<q7>\x22|\x27|)(?P=d1)(?P=q7)\s+datasrc\s*=\s*(?P<q8>\x22|\x27|)(?P=d2)(?P=q8)))/Osi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:15126; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS strings parsing memory corruption attempt"; flow:to_client,established; file_data; content:"text-decoration",nocase; pcre:"/\x2E[A-Z\d_]+\s*\x7b\s*text-decoration[^\x3A]*?\x7d/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-0943; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:17645; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_server,established; file_data; content:"#default#time2"; content:"schemas-microsoft-com:time",nocase; content:"contenteditable",nocase; content:"|3A|transitionFilter",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20766; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 DOM memory corruption attempt"; flow:to_client,established; file_data; content:"|22|X-UA-Compatible|22|",nocase; content:"content|3D 22|IE|3D|8|22|",distance 0,nocase; pcre:"/<\s*script.*?(?P<element2>\w+?)\x2Eparentnode\x2Eremovechild\x28(?P=element2)\x29/smi"; content:"|3C|ul|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37188; reference:cve,2009-3671; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:21994; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS handling memory corruption attempt"; flow:to_client,established; file_data; content:"<style",nocase; content:"document.styleSheets[0].rules[0].style",distance 0,nocase; content:"document.styleSheets[0].cssText",distance 0,nocase; content:".font",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-1919; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15732; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table layout unitialized or deleted object access attempt"; flow:to_client,established; file_data; content:"<span style=|22|position|3A| absolute|3B|writing-mode|3A| bt-rl|22|>",nocase; content:"<table style=|22|float|3A|left|3B 22|>",within 60,nocase; content:"</table>",within 20,nocase; content:"</span>",within 40,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-2531; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:misc-activity; sid:16152; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt"; flow:to_client,established; file_data; content:"res=document.getElementById|28|'column'|29 3B|"; content:"res.onpropertychange=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0244; classtype:misc-activity; sid:16376; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer navigating between pages race condition attempt"; flow:to_client,established; file_data; content:"function set_timers|28 29|"; content:"setInterval|28|'flip_page|28 29|'",within 40; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-0551; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15458; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted/unitialized object memory corruption attempt"; flow:to_client,established; file_data; content:"<script",nocase; content:"var arr1=new Array",distance 1; content:"history.go|28|arr1[1]|29|",distance 1; content:"arr1[i] += temp",distance 1; content:"</script",distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-0552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15459; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt - public exploit"; flow:to_client,established; file_data; content:"100 112 99 118 109 102 110 117 46 100 114 102 97 117 101 70 118 102 110 117 79 99 106 102 99 117 40 102 118 117 41 60 32 101 111 100 117 110 101 111 116 47 103 102 116 70 108 102 109 102 110 117 66 122 73 101 40 35 115 113 49 35 41 47 105 111 110 102 114 73 84 78 76 62 34 35 59 120 105 111 100 112 119 47 115 102 116 74 110 117 101 115 118 98 108"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16369; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer security zone restriction bypass attempt"; flow:to_client,established; file_data; content:"|2F|test|2F|setScript|2E|htm|5C 3F 5C 3C|script language|3D 5C 27|vbscript|5C 27| src|3D 5C 27|http|3A 2F 2F 3C|server|3E 2F|test|2F|test|2E|vbs|5C 27 5C 3E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; classtype:attempted-user; sid:16637; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|",nocase; content:"|39 39 5C 78 39 35 5C 78 39 62 5C 78 63 63 5C 78|",distance 0; content:"|39 64 5C 78 63 39 5C 78 38 38 5C 78 64 38 5C 78 39 65 5C 78 39 64 5C 78 39 35 5C 78 39 64 5C 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17687; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|",nocase; content:"|61 66 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|",distance 0; content:"|62 64 5C 78 65 64 5C 78 61 65 5C 78 66 39 5C 78 61 62 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17686; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"setAttribute"; content:"document.location",distance 0; content:"about|3A 5C|u0c0c|5C|u0c0c|5C|u0c0c|5C|u0c0cblank|22|",within 40; content:"<marquee",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17685; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer compressed HDMX font processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|35 1E 8C F3 EA 69 54 52 D3 04 21 97 B9 56 49 31 28 EA D2 95 1D 8C 6C 5B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-admin; sid:17747; rev:9; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6 race condition exploit attempt"; flow:to_client,established; file_data; content:"|3C|meta http-equiv|3D 22|refresh|22| content|3D 22|01|22 2F 3E|"; content:"|3C|iframe src|3D 22|iframepoc.html|22 3E 3C 2F|iframe|3E|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-2558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-053; classtype:attempted-user; sid:17136; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS XSRF exploit attempt"; flow:to_client,established; file_data; content:"alert|28|el.currentStyle.fontFamily|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17774; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS invalid mapping exploit attempt"; flow:to_client,established; file_data; content:"var x = document.styleSheets|5B 30 5D 3B 0A|"; content:"var s = x.rules.item|28 30 29|.style|3B 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3328; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17769; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross-domain information disclosure attempt"; flow:to_client,established; file_data; content:"var|20|s|20 3D 20|linkEle|2E|styleSheet|2E|cssText",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17771; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer empty table tag memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|SPAN|22|)[0]",nocase; content:"document.createElement(|27|TR|27|)",distance 0,nocase; content:"appendChild(tr)",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-1918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15733; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt"; flow:to_client,established; file_data; content:"function doMouseLeave",fast_pattern,nocase; content:"window|2E|event|2E|srcElement",within 100,nocase; pcre:"/doMouseLeave[^\x7D]*([^\x7D\s]*)\s*\x3D\s*window\x2Eevent\x2EsrcElement[^\x7D]*\1\x2EparentNode\x2EinnerHTML\s*\x3D\s*\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:18539; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Base64 encoded script overflow attempt"; flow:to_client,established; file_data; content:"//|2A|*Start Encode**#@~^",fast_pattern,nocase; content:!"==",within 2,distance 6; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-009; classtype:attempted-admin; sid:18401; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Oracle Java Web Start arbitrary command execution attempt - Internet Explorer"; flow:to_client,established; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"-XXaltjvm"; content:"launchjnlp",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16584; rev:5; )
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows ShellExecute and Internet Explorer 7 url handling code execution attempt"; flow:to_client,established; content:"BEGIN|3A|VCARD"; pcre:"/^URL\x3b\w+\x3amailto\x3a[^\n]*%[^\n]*\.(cmd|bat)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:12664; rev:7; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_server,established; file_data; content:"table-layout|3A|",fast_pattern,nocase; content:"fixed",within 7,nocase; pcre:"/<\s*script.*?(?P<var>\w+)\s*=\s*document\.getElementById\s*\x28\s*[\x22\x27](?P<col_id>[^\x22\x27]+)[\x22\x27]\s*\x29.*?((?P=var)\.span.*?<\s*table.*?<col[^>]*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?>.*?<\s*\/\s*table\s*>|<\s*col.*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?span\s*=\s*[\x22\x27]?\d)/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24203; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",nocase; content:"fixed",within 7,nocase; content:"var divt = document.getElementById(|22|div_table|22|)",nocase; content:"<col id='col_id' width='41' span='9'>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24204; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_server,established; file_data; content:"table-layout|3A|",nocase; content:"fixed",within 7,nocase; content:"var divt = document.getElementById(|22|div_table|22|)",nocase; content:"<col id='col_id' width='41' span='9'>"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24205; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"execCommand(|22|selectAll|22|)"; content:"onload=",nocase; content:"onselect=",within 50,nocase; pcre:"/body[^>]*?onload[^>]*?onselect/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/; classtype:attempted-user; sid:24210; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"body",nocase; content:"onselect=",within 50,nocase; content:"selectAll"; content:"document.write",nocase; content:"execCommand",nocase; pcre:"/execCommand\x28\s*?[\x22\x27]selectAll[\x22\x27]\s*?\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-4969; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-063; classtype:attempted-user; sid:24212; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use embedded within javascript tags"; flow:to_client,established; file_data; content:"<script>",nocase; content:"execCommand(",distance 0; content:"</script>",distance 0,nocase; content:"onselect=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-4969; classtype:attempted-user; sid:24252; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24869; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24870; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24871; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24872; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById"; content:"document.createElement",distance 0; content:"CollectGarbage",distance 0; content:".outerHTML",distance 0; content:"lastChild.style."; pcre:"/var\s*(\w+)\s*=\s*[\w\.]*?getElementById.*?\1\.lastChild\.style\.[a-z0-9()]\s*=\s*document\.createElement.*?CollectGarbage.*?\1\.outerHTML/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-dos; sid:24956; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25125; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25126; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25127; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25128; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25129; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25130; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25131; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25132; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25133; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25134; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25234; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25235; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25769; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"DOMParser"; content:"createCDATASection",nocase; content:"|2E|cloneNode",nocase; content:"adoptNode",distance 0,nocase; content:"CollectGarbage()",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25770; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"shape",nocase; content:"setAttribute(",distance 0,fast_pattern,nocase; content:"path",within 5,distance 1,nocase; isdataat:506,relative; content:!")",within 506; pcre:"/var\s*?(?P<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0030; classtype:attempted-user; sid:25773; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_client,established; file_data; content:"<figure",nocase; content:"dir",within 50,nocase; content:"rtl",within 50,nocase; content:"&",within 50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25784; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_server,established; file_data; content:"<figure",nocase; content:"dir",within 50,nocase; content:"rtl",within 50,nocase; content:"&",within 50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25785; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"SelectAll",nocase; content:"execCommand|28 22|Justify",nocase; content:"execCommand|28 22|Justify",nocase; content:"SelectAll",nocase; content:"</script>",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25786; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"<script>",nocase; content:"SelectAll",nocase; content:"execCommand|28 22|Justify",nocase; content:"execCommand|28 22|Justify",nocase; content:"SelectAll",nocase; content:"</script>",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25787; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer iframe use after free attempt"; flow:to_server,established; file_data; content:"<iframe",nocase; content:!"src=",within 40; content:"></iframe"; content:"window.open",nocase; content:"name",nocase; pcre:"/<iframe[^>]+name\s*=\s*[\x22\x27](?P<iframe_name>\w+)[\x22\x27].*?><\x2fiframe\s*>.*?window\x2eopen\x28.{1,30}(?P=iframe_name).*?window\x2eopen\x28.{1,60}(?P=iframe_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25789; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SVG object user after free attempt"; flow:to_client,established; file_data; content:"image x=|22|60|22| y=|22|50|22| width=|22|240|22| height=|22|240|22| xlink|3A|href=|22|2.svg"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-admin; sid:25792; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25984; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25985; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|3C|script|3E|",nocase; content:"|2E|style|2E|behavior",nocase; content:"|23|default|23|userData",distance 0,nocase; content:"setAttribute|28|"; pcre:"/(?P<obj>[A-Z\d_]+)\x2Estyle\x2Ebehavior\s*\x3D\s*\x22url\x28\x27\x23default\x23userData\x27\x29\x22.*?(?P=obj)\x2EsetAttribute\x28[^,]+,\s*[A-Z]/smi"; content:"|3C 2F|script|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25986; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ani; file_data; content:"RIFF",depth 4; content:"ACON",within 4,distance 4; content:"anih",distance 0,nocase; byte_test:4,>,36,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http, imap, pop3; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079; rev:19; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 2D-position use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand"; content:"2D-position",within 100,fast_pattern,nocase; content:"contenteditable",distance 0,nocase; content:"true",within 10,nocase; content:"onresize",distance 0,nocase; content:"document.write",within 30; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26125; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_client,established; flowbits:isset,file.htc; file_data; content:"<PUBLIC:PROPERTY"; content:"PUT",distance 0; content:"CollectGarbage()"; pcre:"/<PUBLIC:PROPERTY[^>]*?PUT\s*=\s*[\x22\x27](?P<func>\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26129; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_server,established; flowbits:isset,file.htc; file_data; content:"<PUBLIC:PROPERTY"; content:"PUT",distance 0; content:"CollectGarbage()"; pcre:"/<PUBLIC:PROPERTY[^>]*?PUT\s*=\s*[\x22\x27](?P<func>\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26130; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:"behavior",nocase; content:"url",within 5,nocase; content:"#savehistory",distance 0,fast_pattern,nocase; content:".outerHTML",distance 0,nocase; pcre:"/<\s*meta[^>]*?(?>content\s*=\s*"history"[^>]*?name\s*=\s*"save"|name\s*=\s*"save"[^>]*?content\s*=\s*"history")\s*>.*?<\s*style[^>]*?>.*?\.(?P<class>\w+)\s*\{[^}]*?behavior\s*\:[^\;]*?url\s*\x28[^\x29]*?#savehistory[^\x29]*?\x29.*?(?P<element>\w+)\.outerHTML\s*=.*?id\s*=\s*[\x22\x27](?P=element)[\x22\x27].*?class=[\x22\x27]?(?P=class)[\x23\x27]?/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26132; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_server,established; file_data; content:"behavior",nocase; content:"url",within 5,nocase; content:"#savehistory",distance 0,fast_pattern,nocase; content:".outerHTML",distance 0,nocase; pcre:"/<\s*meta[^>]*?(?>content\s*=\s*"history"[^>]*?name\s*=\s*"save"|name\s*=\s*"save"[^>]*?content\s*=\s*"history")\s*>.*?<\s*style[^>]*?>.*?\.(?P<class>\w+)\s*\{[^}]*?behavior\s*\:[^\;]*?url\s*\x28[^\x29]*?#savehistory[^\x29]*?\x29.*?(?P<element>\w+)\.outerHTML\s*=.*?id\s*=\s*[\x22\x27](?P=element)[\x22\x27].*?class=[\x22\x27]?(?P=class)[\x23\x27]?/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26133; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<title onreadystatechange ="; content:"style = '-ms-behavior: url(",within 50,distance 10,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26134; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:".saveHistory {behavior|3A|url(#default#savehistory)|3B|}"; content:"CLASS=saveHistory onsave=",nocase; content:"setTimeout"; content:"document.open()"; content:"document.createElement(",within 100; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26135; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_server,established; file_data; content:".saveHistory {behavior|3A|url(#default#savehistory)|3B|}"; content:"CLASS=saveHistory onsave=",nocase; content:"setTimeout"; content:"document.open()"; content:"document.createElement(",within 100; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26136; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 onBeforeCopy use after free attempt"; flow:to_client,established; file_data; content:"<body onload=|27|document.execCommand(|22|SelectAll|22|)|3B 27| onbeforecopy="; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26137; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 onBeforeCopy use after free attempt"; flow:to_server,established; file_data; content:"<body onload=|27|document.execCommand(|22|SelectAll|22|)|3B 27| onbeforecopy="; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26138; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26216; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26217; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26218; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26219; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26220; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26221; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26222; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26223; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26224; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26225; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer isComponentInstalled attack attempt"; flow:to_client,established; file_data; content:"isComponentInstalled|28|boom"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:cve,2006-1016; reference:bugtraq,16870; classtype:attempted-user; sid:13912; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; file_data; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26569; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_server,established; file_data; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26571; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_server,established; file_data; content:"|3C 3F|IMPORT namespace=|22|",nocase; content:"implementation=|22|#default#VML|22 3E|",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:26584; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/perflog",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26622; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/proxy",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26623; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_client,established; file_data; content:"language=vbs",depth 200; content:"<script",within 200,distance -150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26624; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_server,established; file_data; content:"language=vbs",depth 200; content:"<script",within 200,distance -150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26625; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setInterval focus use after free attempt"; flow:to_client,established; file_data; content:"setInterval"; content:".focus()",within 100; content:"history.go(0)"; pcre:"/setInterval\s*\x28[^\x29]+\x2efocus\x28\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-1308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:attempted-admin; sid:26629; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26630; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_server,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26631; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement|28|",depth 100,nocase; content:".innerHTML",distance 0,nocase; content:"document.body.appendChild|28|",distance 0; content:"document.styleSheets",distance 0,nocase; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|function",distance 0,nocase; content:"onload=|27|setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26634; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement|28|",nocase; content:".innerHTML",distance 0,nocase; content:"document.body.appendChild|28|",distance 0; content:"document.styleSheets",distance 0,nocase; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|function",distance 0,nocase; content:"onload=|27|setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26635; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_client,established; file_data; content:".focusNode"; content:"focusNode.dispatchEvent",distance 0; content:"CollectGarbage",distance 0; content:"previousSibling",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26636; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_server,established; file_data; content:".focusNode"; content:"focusNode.dispatchEvent",distance 0; content:"CollectGarbage",distance 0; content:"previousSibling",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26637; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt"; flow:to_client,established; file_data; content:"#default#VML"; content:".dashstyle.array.length"; pcre:"/\.dashstyle\.array\.length\s*?=[^\x3b]*?-\s*?\d/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58570; reference:cve,2013-2551; reference:url,osvdb.org/show/osvdb/91197; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26638; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:".runtimeStyle",within 100,fast_pattern,nocase; content:".border",within 100,nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26641; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement(",nocase; content:".runtimeStyle",within 100,fast_pattern,nocase; content:".border",within 100,nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26642; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html reload loop attempt"; flow:to_client,established; file_data; content:"onload"; content:"location.reload",within 25; content:"iframe"; pcre:"/onload\s*\x3D\s*[\x22\x27]?location\.reload\s*\x28/smi"; metadata:policy balanced-ips alert,policy security-ips drop; service:http; reference:cve,2013-1306; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:misc-activity; sid:26633; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26668; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26753; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_server,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26754; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE9 layout engine memory corruption attempt"; flow:to_client,established; file_data; content:"}catch|28|"; content:"|29|{}try{",within 10; content:"obj,obj,obj,obj,obj"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26844; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_client,established; file_data; content:"window.open",nocase; content:".eval",distance 0; content:"document.designMode",distance 0,fast_pattern,nocase; content:"on",distance 0,nocase; content:"window.getSelection",distance 0,nocase; content:"document.designMode",distance 0,nocase; content:"off",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26845; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_server,established; file_data; content:"window.open",nocase; content:".eval",distance 0; content:"document.designMode",distance 0,nocase; content:"on",distance 0,nocase; content:"window.getSelection",distance 0,nocase; content:"document.designMode",distance 0,nocase; content:"off",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26846; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_client,established; file_data; content:"for (var i = 0|3B| i < param.childNodes.length|3B| i++)"; content:"document.selection.createRange().pasteHTML('<td>2<nobr>')"; content:"document.selection.createRange().pasteHTML('<td>3')"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3125; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26847; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE5 compatibility mode user after free attempt"; flow:to_client,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:".runtimeStyle.setExpression"; content:"document.body.innerHTML"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26851; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26852; rev:2; )
+alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_server,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26853; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_client,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26867; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_server,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26868; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagNameNS(",nocase; content:"www.w3.org",within 50,nocase; content:"removeAttributeNS(",nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26869; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagNameNS(",nocase; content:"www.w3.org",within 50,nocase; content:"removeAttributeNS(",nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26870; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"www.w3.org",nocase; content:"document.getElementsByTagNameNS(",within 100,nocase; content:"removeAttributeNS(",within 100,nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26871; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"www.w3.org",nocase; content:"document.getElementsByTagNameNS(",within 100,nocase; content:"removeAttributeNS(",within 100,nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26872; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; content:"document.createStyleSheet",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26873; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; content:"document.createStyleSheet",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26874; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"div1.removeEventListener( |27|DOMNodeRemoved|27|, callback, true )"; content:"addEventListener"; content:"DOMNodeRemoved",within 40; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26875; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 cached display node use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|input|22|)[0].focus()"; content:"document.getElementsByTagName(|22|input|22|)[0].applyElement(a)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3116; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26876; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 tree element use after free attempt"; flow:to_client,established; file_data; content:"document.getElementById",nocase; content:"appendChild",within 50,nocase; content:"ClientRects",within 50,fast_pattern,nocase; content:"p id",distance 0; content:"p id",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26878; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"history.go(0)"; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26883; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"location.reload("; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26884; rev:2; )
+alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"history.go(0)"; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26886; rev:3; )
+alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"location.reload("; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26887; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"jquery"; content:"document.createElement",nocase; content:".document.body.appendChild(",within 100,nocase; content:".replaceAll(",within 150,nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26888; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"jquery"; content:"document.createElement",nocase; content:".document.body.appendChild",within 100,nocase; content:".replaceAll",within 150,nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26889; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt"; flow:to_client,established; file_data; content:"CollectGarbage()"; content:".createElement",nocase; content:"xml",within 10,nocase; content:".setAttributeNode",within 100,nocase; content:".XMLDocument",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26890; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".exe."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:bad-unknown; sid:26935; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".html."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE[56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:bad-unknown; sid:26936; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".bat."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:bad-unknown; sid:26937; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"ele1.addEventListener( |27|DOMNodeRemoved|27|, eHandler, false )"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26988; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27061; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27062; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27100; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27101; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setCapture use after free attempt"; flow:to_client,established; file_data; content:".getElementById(",nocase; content:".setCapture(",within 50,fast_pattern,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3150; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27126; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27127; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_server,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27128; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_client,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27129; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_server,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27130; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('progress'))|3B|document.getElementsByTagName"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27131; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer PreviousTreePos use after free attempt"; flow:to_client,established; file_data; content:".onpropertychange"; content:".swapNode|28|",within 64; pcre:"/\.onpropertychange\s*=\s*function[^{]*?\{[^}]*?\w+\.swapNode\x28/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27132; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27133; rev:1; )
+alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_server,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27134; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"createTHead"; content:"insertAdjacentHTML"; content:"scrollIntoView"; content:"insertRow"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3152; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27135; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27137; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27138; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 IE5 compatibility mode use after free attempt"; flow:established,to_client; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:"event.srcElement.parentNode.removeChild|28|"; content:"document.body.appendChild|28|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-admin; sid:27147; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt"; flow:to_client,established; file_data; content:"function",nocase; content:"document.write",within 25,nocase; content:"onbeforeeditfocus=",within 100,nocase; content:"<input",within 25,nocase; content:"</input>",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27148; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt"; flow:to_server,established; file_data; content:"function",nocase; content:"document.write",within 25,nocase; content:"onbeforeeditfocus=",within 100,nocase; content:"<input",within 25,nocase; content:"</input>",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27149; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.execCommand(",nocase; content:"SelectAll",within 9,distance 1,nocase; content:"document.getElementsByName(",within 100,nocase; content:"document.execCommand(|22|Justify",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27150; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.getElementsByName(",nocase; content:"document.execCommand(|22|Justify",within 200,nocase; content:"document.execCommand(",within 100,nocase; content:"SelectAll",within 9,distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27151; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; content:"document.execCommand(",nocase; content:"SelectAll",within 9,distance 1,nocase; content:"document.getElementsByName(",within 100,nocase; content:"document.execCommand(|22|Justify",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27152; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; content:"document.getElementsByName(",nocase; content:"document.execCommand(|22|Justify",within 200,nocase; content:"document.execCommand(",within 100,nocase; content:"SelectAll",within 9,distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27153; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer pElement member use after free attempt"; flow:to_client,established; file_data; content:".removeChild(document.getElementsByTagName(",nocase; content:"bdo",within 10,nocase; content:"CollectGarbage()",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3145; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27154; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_client,established; file_data; content:"<table",nocase; content:"<td",distance 0; content:".getElementsByTagName("; content:"column-count",distance 0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27156; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_server,established; file_data; content:"<table",nocase; content:"<td",distance 0; content:".getElementsByTagName("; content:"column-count",distance 0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27157; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"document.body.appendChild(",within 100,nocase; content:"applyElement(",within 100,fast_pattern,nocase; content:"innerHTML",within 100,nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27171; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"document.createElement(",nocase; content:"document.body.appendChild(",within 100,nocase; content:"applyElement(",within 100,fast_pattern,nocase; content:"innerHTML",within 100,nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27172; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_client,established; file_data; content:"<MARQUEE"; content:".removeNode"; content:"document.execCommand"; content:"selectAll",within 15; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27220; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_server,established; file_data; content:"<MARQUEE"; content:".removeNode",nocase; content:"document.execCommand",nocase; content:"selectAll",within 15,nocase; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27221; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera asynchronous document modifications attempted memory corruption"; flow:to_client,established; file_data; content:"function loop|28 29|"; content:"setInterval|28|doit,0|29|",distance 0; content:"function doit|28 29|",distance 0; content:"document.write",distance 0; content:"setInterval|28|loop,0|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,secunia.com/advisories/39590/; reference:url,www.opera.com/support/kb/view/953/; classtype:attempted-user; sid:16592; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:" for"; content:"document.createElement(|27|canvas|27|)",within 100,nocase; content:"getContext(|27|2d|27|)",within 200,nocase; content:"createImageData(",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24432; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray(1024*1024)|3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24433; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_client,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25621; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_server,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25622; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"SendPlayStateChangeEvents",fast_pattern,nocase; content:"event=|22|playStateChange|28|state|29 22|>onstatechange",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:16537; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS FileSystemObject function call"; flow:to_client,established; file_data; content:"Scripting.FileSystemObject"; content:"<script",nocase; content:"Scripting.FileSystemObject",distance 0,nocase; content:"</script>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-3934; classtype:policy-violation; sid:21447; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft DirectShow ActiveX exploit via JavaScript"; flow:to_client,established; file_data; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-032; classtype:attempted-user; sid:15678; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX buffer overflows attempt"; flow:to_client,established; file_data; content:"url"; content:"toolbar",distance 0; content:"enableZoomPastMax",distance 0; content:"classid=|22|clsid|3A|{3F0EECCE-E138-11D1-8712-0060083D83F5}",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16589; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AtHocGov IWSAlerts ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"AtHocGovGSTlBar.GSHelper.1"; content:".CompleteInstallation|28|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.fortiguard.com/encyclopedia/vulnerability/athocgov.iwsalerts.activex.buffer.overflow.html; classtype:attempted-user; sid:16599; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SaschArt SasCam Webcam Server ActiveX control exploit attempt"; flow:to_client,established; file_data; content:"clsid|3A|0297D24A-F425-47EE-9F3B-A459BCE593E3",nocase; content:"unescape|28|",within 300,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33053; reference:cve,2008-6898; classtype:attempted-user; sid:16715; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; pcre:"/var num \x3D (-1|168430090)\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:16740; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-4588; classtype:attempted-user; sid:16771; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX object access attempt"; flow:to_client,established; file_data; content:"|3D| new ActiveXObject|28 22|ChilkatCrypt2|2E|ChilkatCrypt2|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16789; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|3352B5B9-82E8-4FFD-9EB1-1A3E60056904|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16790; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Roxio CinePlayer SonicDVDDashVRNav.dll ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,23412; reference:cve,2007-1559; classtype:attempted-user; sid:17060; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17086; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VeryDOC PDF Viewer ActiveX control OpenPDF buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|433268D7-2CD4-43E6-AA24-2188672E7252|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17091; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AOL IWinAmpActiveX class ConvertFile buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6|27|"; content:"ConvertFile"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35028; classtype:attempted-user; sid:17098; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer ActiveX Import playlist name buffer overflow attempt"; flow:to_client,established; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; content:"aaaaaaaaaaaaaaaaaa",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,26130; reference:cve,2007-5601; classtype:attempted-user; sid:17425; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX exploit attempt"; flow:to_client,established; file_data; content:"E9880553-B8A7-4960-A668-95C68BED571E"; content:"unescape|28 27 25 75 34|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:17555; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Backup Exec ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"clsid|3A|22ACD16F-99EB-11D2-9BB3-00400561D975"; content:"unescape|28|"; content:"|25|u",within 5; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,26904; reference:cve,2007-6016; classtype:attempted-user; sid:16672; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX exploit attempt"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; content:"unescape|28 22 25|u",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,27534; reference:bugtraq,27756; reference:cve,2008-5711; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:17654; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Office Viewer ActiveX arbitrary command execution attempt"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5",nocase; content:"targetObject.OpenWebFile|28|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:17701; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"poc|2E|avi",fast_pattern,nocase; content:"event|3D 22|playStateChange|28|foo|29 22 3E|boom",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:18542; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"path|20 3D 20|theForm|2E|address|2E|value|3B|"; content:"ctrl|2E|Open|28|path|29 3B|",distance 0; content:"classid|3D 27|clsid|3A|B09DE715|2D|87C1|2D|11D1|2D|8BE3|2D|0000F8754DA1|27 20|id|3D 27|ctrl|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32613; reference:cve,2008-4255; classtype:attempted-user; sid:18601; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX exploit attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28|'LPViewer.LPViewer.1'|29|"; content:"unescape",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16588; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; content:"num|20 3D 20|168430090"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:20901; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23376; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23375; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23374; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B6C10489-FB89-11D4-93C9-006008A7EED4\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23373; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23372; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23304; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a06-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23303; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23302; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23301; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e6-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23300; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23299; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23298; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c1-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23297; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23296; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MSXML2.FreeThreadedDOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))MSXML2\.FreeThreadedDOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23295; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23294; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23293; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f33-c551-11d3-89b9-0000f81fe221"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23292; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23291; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23290; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.FreeThreadedXMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.FreeThreadedXMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23289; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf91-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23288; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.XMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.XMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23287; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf90-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23286; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a05-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23146; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e5-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23145; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c0-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23144; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23143; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23142; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access"; flow:to_client,established; file_data; content:"WMEnc.WMEncProfileManager"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=v)\s*\.\s*GetDetailsString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=n)\s*\.\s*GetDetailsString\s*)\s*\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14257; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"A8D3AD02-7508-4004-B2E9-AD33F087F43C",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetDetailsString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetDetailsString))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14255; rev:9; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxTocCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13670; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX clsid access"; flow:to_client,established; file_data; content:"314111b8-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111b8-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13668; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxIndexCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13674; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"314111c6-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111c6-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13672; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX function call access"; flow:to_client,established; file_data; content:"Forms.Image"; pcre:"/(?P<c>\w+)\s*=\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13459; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"4C599241-6926-101B-9992-00000B65C6F9",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4C599241-6926-101B-9992-00000B65C6F9\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13457; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSHierarchicalFlexGridLib.MSHFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Rows\s*|.*(?P=v)\s*\.\s*Rows\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*Rows\s*|.*(?P=n)\s*\.\s*Rows)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15102; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"0ECD9B64-23AA-11D0-B351-00A0C9055D8E",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q22)(\s|>).*(?P=id1)\s*\.\s*(Rows)|<object\s*[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q23)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Rows))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15100; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSFlexGridLib.MSFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FormatString\s*|.*(?P=v)\s*\.\s*FormatString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*FormatString\s*|.*(?P=n)\s*\.\s*FormatString)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15098; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"6262D3A0-531B-11CF-91F6-C2863C385E30",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(FormatString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(FormatString))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15096; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access"; flow:to_client,established; file_data; content:"MsRDP.MsRDP",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=v)\s*\.\s*MsRdpClientShell\.RdpFileContents\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=n)\s*\.\s*MsRdpClientShell\.RdpFileContents)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15863; rev:9; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access"; flow:to_client,established; file_data; content:"4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(MsRdpClientShell\.RdpFileContents)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(MsRdpClientShell\.RdpFileContents))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15861; rev:9; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.Spreadsheet",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15691; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E559-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E559-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15689; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC10.Spreadsheet",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15687; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E541-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E541-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15685; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX function call access"; flow:to_client,established; file_data; content:"mscomctl2.animation",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Open\s*|.*(?P=v)\s*\.\s*Open\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\)(\s*\.\s*Open\s*|.*(?P=n)\s*\.\s*Open\s*)\s*\(/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15086; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q37>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q37)(\s|>).*(?P=id1)\s*\.\s*(Open)|<object\s*[^>]*\s*classid\s*=\s*(?P<q38>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q38)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(Open))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15084; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by ProgID"; flow:to_client,established; file_data; content:"ActiveXObject",nocase; content:"TDCCtl.TDCCtl",distance 0,fast_pattern,nocase; content:"DataURL",nocase; pcre:"/(?P<obj>[A-Z\d_]+)\s*=\s*new\s*ActiveXObject\x28(?P<q1>\x22|\x27|)TDCCtl\.TDCCtl(\.\d)?(?P=q1).*?(?P=obj)\.DataURL\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16511; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by CLSID"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83",nocase; content:"DataURL",nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*333C7BC4-460F-11D0-BC04-0080C7055A83\s*}?(?P=q1)/smi"; pcre:"/(?P<obj>[A-Z\d_]+)\.DataURL\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16510; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX clsid access"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13419; rev:16; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS obfuscated instantiation of ActiveX object - likely malicious"; flow:to_client,established; file_data; content:"new ActiveXObject|28|",nocase; content:"unescape|28|",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-3558; classtype:attempted-user; sid:17571; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Tabular Control ActiveX overflow by CLSID / param tag"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83",nocase; content:"<param",distance 0,nocase; content:"DataURL",distance 0,nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*333C7BC4-460F-11D0-BC04-0080C7055A83\s*}?(?P=q1)/smi"; pcre:"/<param[^>]+(name\s*=\s*(?P<q2>\x22|\x27|)DataURL(?P=q2)[^>]+value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})|value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})[^>]+name\s*=\s*(?P<q3>\x22|\x27|)DataURL(?P=q3))/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19893; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX function call"; flow:to_client,established; file_data; content:"WebViewFolderIcon.WebViewFolderIcon.1"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:8419; rev:14; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"E5DF9D10-3B52-11D1-83E8-00A0C90DC849"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:7985; rev:13; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL cdda URI overflow attempt"; flow:to_client,established; file_data; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; content:"cdda|3A 2F 2F|",nocase; isdataat:100,relative; pcre:"/cdda\x3A\x2F\x2F[^\s\x22\x27]{100}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,44144; reference:cve,2010-3747; classtype:attempted-user; sid:18578; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"ReleaseContext"; pcre:"/(?P<c>\w+)\s*=\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18329; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"AddContextRef"; pcre:"/(?P<c>\w+)\s*=\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18242; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"Excel.OActrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11183; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B965"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11181; rev:12; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office PowerPoint Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22B92"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q19>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q19)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q20>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q20)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:bugtraq,23733; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2494; reference:url,moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html; classtype:attempted-user; sid:11176; rev:13; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Viewer 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F288F2"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m11>\x22|\x27|)(?P<id1>.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P<q24>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q24)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open)|<object\s*[^>]*\s*classid\s*=\s*(?P<q25>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q25)(\s|>)[^>]*\s*id\s*=\s*(?P<m12>\x22|\x27|)(?P<id2>.+?)(?P=m12)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:15230; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Word Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22BF2"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q14)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q15)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:bugtraq,23784; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2496; reference:url,moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html; classtype:attempted-user; sid:11187; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX clsid access"; flow:to_client,established; file_data; content:"FC13BAA2-9C1A-4069-A221-31A147636038"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(Connect)|<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(Connect))/Osi"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:bugtraq,31129; reference:cve,2008-4110; classtype:attempted-user; sid:14756; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX function call access"; flow:to_client,established; file_data; content:"TheFacebook.FacebookPhotoUploader4.4.1"; pcre:"/(?P<c>\w+)\s*=\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=v)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=n)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13421; rev:16; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX function call access"; flow:to_client,established; file_data; content:"SAPBExCommonResources.BExGlobal",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Execute\s*|.*(?P=v)\s*\.\s*Execute\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\)(\s*\.\s*Execute\s*|.*(?P=n)\s*\.\s*Execute\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17616; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX clsid access"; flow:to_client,established; file_data; content:"A009C90D-814B-11D3-BA3E-080009D22344",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Execute)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Execute))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17614; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft ciodm.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17596; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft creator.dll 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"F849164D-9863-11D3-97C6-0060084856D4"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17595; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft creator.dll 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"606EF130-9852-11D3-97C6-0060084856D4"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17594; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft msdxm.ocx ActiveX clsid access"; flow:to_client,established; file_data; content:"8E71888A-423F-11D2-876E-00A0C9082467"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17593; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Research In Motion AxLoader ActiveX clsid access"; flow:to_client,established; file_data; content:"4788DE08-3552-49EA-AC8C-233DA52523B9"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4788DE08-3552-49EA-AC8C-233DA52523B9\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33663; reference:cve,2009-0305; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15311; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VMWare VMCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"38DB77F9-058D-4955-98AA-4A9F3B6A5B06"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GuestInfo)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GuestInfo))\s*\(/Osi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,30934; reference:cve,2008-3892; classtype:attempted-user; sid:14611; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service Agent ActiveX function call"; flow:to_client,established; file_data; content:"DWUSWebAgent.WebAgent"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14765; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Autodesk LiveUpdate ActiveX clsid access"; flow:to_client,established; file_data; content:"89EC7921-729B-4116-A819-DF86A4A5776B"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(ApplyPatch)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(ApplyPatch))\s*\(/Osi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31490; reference:cve,2008-4472; classtype:attempted-user; sid:14748; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Lotus Domino Web Access ActiveX Controls buffer overflow attempt"; flow:to_client,established; file_data; isdataat:1024; content:"ctrl.InstallBrowserHelperDll",nocase; content:"General_ServerName",nocase; content:!">",within 1024; pcre:"/(3BFFE033-BF43-11d5-A271-00A024A51325|iNotes6\.iNotes6|E008A543-CEFB-4559-912F-C27C2B89F13B|dwa7\.dwa7|983A9C21-8207-4B58-BBB8-0EBC3D7C5505|dwa85?\.dwa85?|75AA409D-05F9-4f27-BD53-C7339D4B1D0A)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,38457; reference:cve,2010-0919; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21421808; classtype:attempted-user; sid:17545; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Data Source Control 11.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E55B-0000-0000-C000-000000000046"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteRecordSourceIfUnused)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteRecordSourceIfUnused))\s*\(/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19069; reference:bugtraq,24462; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/show/osvdb/27111; classtype:attempted-user; sid:8723; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS OWC11.DataSourceControl.11 ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.DataSourceControl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19069; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/show/osvdb/27111; classtype:attempted-user; sid:9820; rev:10; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX function call access"; flow:to_client,established; file_data; content:"Altiris.AeXNSPkgDL",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=v)\s*\.\s*(Download|DownloadAndInstall)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=n)\s*\.\s*(Download|DownloadAndInstall)\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17094; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Download|DownloadAndInstall)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Download|DownloadAndInstall))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17092; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS IBM Access Support ActiveX clsid access"; flow:to_client,established; file_data; content:"74FFE28D-2378-11D5-990C-006094235084"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetXMLValue)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetXMLValue))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34228; reference:cve,2009-0215; classtype:attempted-user; sid:16746; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 31 ActiveX clsid access"; flow:to_client,established; file_data; content:"D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q49>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6\s*}?\s*(?P=q49)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14148; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Silverlight privilege escalation attempt"; flow:to_client,established; file_data; content:"System.Net.Sockets|00|SocketAsyncEventArgs",nocase; content:"MemberwiseClone",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-admin; sid:21299; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"name=|22|docbase|22| value=|22 27| + ",nocase; content:"sBoF",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:18245; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"40EC20B2-61B4-4cdd-B4BD-F1E462C0E398"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-3807; classtype:attempted-user; sid:24525; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"C668B648-A2BD-432C-854F-C8C0A275E1F1"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-3808; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24526; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"7650BC47-036D-4D5B-95B4-9D622C8D00A4"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-3806; classtype:attempted-user; sid:24527; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-3807; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24528; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"0D080D7D-28D2-4F86-BFA1-D582E5CE4867"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchInstaller)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchInstaller))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26193; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_server; file_data; content:"0D080D7D-28D2-4F86-BFA1-D582E5CE4867"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchInstaller)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchInstaller))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26194; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Google Apps mailto URI argument injection attempt"; flow:to_client,established; file_data; content:"|22|%20--domain=|22|",nocase; content:"--renderer-path|3D|",nocase; content:"%20--no-sandbox%20"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36581; classtype:attempted-user; sid:26250; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Metalink file download parameter buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.metalink; file_data; content:"<url"; content:"http://",within 100; isdataat:1024,relative; content:!"</url",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-1602; classtype:attempted-user; sid:26421; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Winds3D Player SceneURL method command execution attempt"; flow:to_client,established; file_data; content:"clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903"; content:"|3C|param name|3D 22|SceneURL|22| value|3D 22|http|3A 2F 2F|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-2386; reference:cve,2009-4850; classtype:attempted-user; sid:16785; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"3384F595-9B10-4139-9893-7E4CB1F11875"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(OpenConnection)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(OpenConnection))/siO"; metadata:policy security-ips drop; service:http; reference:cve,2013-0674; reference:url,osvdb.org/show/osvdb/91311; classtype:attempted-user; sid:26497; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"WebClientInstall.RegReader"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=v)\s*\.\s*OpenConnection\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=n)\s*\.\s*OpenConnection\s*)/smiO"; metadata:policy security-ips drop; service:http; reference:cve,2013-0674; reference:url,osvdb.org/show/osvdb/91311; classtype:attempted-user; sid:26498; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26524; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_server,established; file_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26525; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"HSCRemoteDeploy.RemoteInstaller"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=v)\s*\.\s*LaunchInstaller\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=n)\s*\.\s*LaunchInstaller\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26573; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_server; file_data; content:"HSCRemoteDeploy.RemoteInstaller"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=v)\s*\.\s*LaunchInstaller\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=n)\s*\.\s*LaunchInstaller\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26574; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value",within 10; base64_decode:bytes 1000,offset 2, relative; base64_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26646; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_server,established; file_data; content:"jnlp_embedded"; content:"value",within 10; base64_decode:bytes 1000,offset 2, relative; base64_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26647; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"META-INF/services/java.sql.Driver"; content:"Fakedriver",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58504; reference:cve,2013-1488; reference:url,osvdb.org/show/osvdb/91472; classtype:attempted-user; sid:26899; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit menu onchange memory corruption attempt"; flow:to_client,established; file_data; content:"window.layoutTestController"; content:"eventSender.keyDown|28 22|e|22 29 3B|",distance 0; content:"eventSender.keyDown|28 22 5C|r|22 2C 20 5B 5D 29 3B|",distance 0; content:"document.body.offsetTop|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43083; reference:cve,2010-1814; classtype:attempted-user; sid:19009; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"p|20 7B 20|display|3A 20|run|2D|in|20 7D|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|child|29 3B|"; content:"document.getElementById|28 22|test|22 29|.appendChild|28|document.getElementById|28 22|sibling|22 29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19004; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"elem.setAttribute|28 22|style|22 2C 20 22|display|3A 20|run|2D|in|22 29 3B|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|elem|29 3B|"; content:"document.getElementById|28 22|output|22 29|.appendChild|28|document.getElementById|28 22|block-sibling|22 29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19003; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit removeAllRanges use-after-free attempt"; flow:to_client,established; file_data; content:"window|2E|getSelection|28 29 2E|selectAllChildren"; content:"style|2E|display|20 3D 20 27|none|27|",distance 0; content:"window|2E|getSelection|28 29 2E|removeAllRanges",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43079; reference:cve,2010-1812; classtype:attempted-user; sid:18995; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit range object remote code execution attempt"; flow:to_client,established; file_data; content:"document.addEventListener(|22|DOM",nocase; content:".innerHTML|20 3D|",distance 0,nocase; content:"document.createRange|28 29 3B|",distance 0,nocase; content:".extractContents|28 29 3B|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,46746; reference:cve,2011-0115; classtype:attempted-user; sid:18770; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|img width=0.3133731337313373133731337"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18295; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var Overflow = |22|31337|22 20 2B 20|0|2E|313373133731337313373133731337"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18294; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var pi=3+0.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852"; content:"document.write|28 22|Area = pi*|28|r^2|29 22|+pi*|28|radius*radius|29 29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:16145; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari innerHTML use after free exploit attempt"; flow:to_client,established; file_data; content:"setTimeout",nocase; content:"document.body.innerHTML",distance 0,nocase; content:"document.getElementById(",distance 0,nocase; content:".innerHTML",distance 0,nocase; pcre:"/setTimeout.*?\x7b[^\x7d]*document\.body\.innerHTML.*?\x7d.*document\.getElementById\x28(?P<q1>\x22|\x27|)(?P<m1>\w+?)(?P=q1)\x29\.innerHTML.*?div\s+id\s*\x3d\s*(?P<q2>\x22|\x27|)(?P=m1)(?P=q2)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,48844; reference:cve,2011-0221; classtype:attempted-user; sid:21189; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Microsoft Windows 7 x64 Apple Safari abnormally long iframe exploit attempt"; flow:to_client,established; file_data; content:"<iframe",fast_pattern,nocase; content:"height|3D|",within 50,nocase; pcre:"/<iframe[^>]*?height\x3d\s*[\x22\x27]?\s*[0-9]{6}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,51122; reference:cve,2011-5046; reference:url,osvdb.org/show/osvdb/77908; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-008; classtype:attempted-dos; sid:20999; rev:9; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point conversion memory corruption attempt"; flow:to_client,established; file_data; content:"debug|28 2D|parseFloat|28 22|NAN|28|ffffe"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43047; reference:cve,2010-1807; classtype:attempted-user; sid:19008; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit ParentStyleSheet exploit attempt"; flow:to_client,established; file_data; content:".sheet.rules["; pcre:"/getElementById\(\x22(.*?)\x22\)\.sheet\.rules\[\d+\].*?([A-Z\d_]+)\s*=\s*document\.getElementById\(\x22\1\x22\).*?\s+\2\.parentElement/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,svnsearch.org/svnsearch/repos/WEBKIT/search?logMessage=51993; classtype:attempted-user; sid:18508; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Phoenix exploit kit post-compromise behavior"; flow:to_server, established; http_header; content:"Accept-Encoding: identity, *|3B|q=0"; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.0|3B| Windows 98)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; reference:url,contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html; classtype:successful-user; sid:21860; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure"; flow:to_client,established; file_data; content:"<script>try{"; content:"++",within 20,nocase; content:"}catch(",within 10,nocase; content:"}catch(",within 50; pcre:"/\x3cscript\x3etry\x7b\w+\x2b\x2b([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24054; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure"; flow:to_client,established; file_data; content:"<html><body><applet/code=|22|"; content:"/archive=|22|",within 20; content:".jar",within 20; content:"<param/nam=",within 20; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24053; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; http_uri; content:"?page="; pcre:"/\?page\=[a-f0-9]{16}/smi"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:impact_flag red; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23849; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole redirection page"; flow:to_client,established; file_data; content:"width|3D 27|10|27| height|3D 27|10|27| style|3D 27|visibility|3A|hidden|3B|position|3A|absolute|3B|left|3A|0|3B|top|3A|0|3B 27 3E 3C 2F|iframe|3E 22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,www.urlquery.net/report.php?id=113788; classtype:trojan-activity; sid:23797; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - Math.round catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.round",within 50,nocase; content:"}catch(",within 10,nocase; pcre:"/Math\x2eround([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23786; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - Math.floor catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.floor",within 50,nocase; content:"}catch(",within 10,nocase; pcre:"/Math\x2efloor([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23785; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page"; flow:to_client,established; file_data; content:"<html><body><script>z=function(){"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:23781; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole landing page request - tkr"; flow:to_server,established; http_uri; content:".php?"; content:"src=",distance 0; content:"&gpr=",distance 0; content:"&tkr=",distance 0,fast_pattern; pcre:"/src=\d+&gpr=\d+&tkr[ib]?=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,urlquery.net/report.php?id=90530; classtype:trojan-activity; sid:23622; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"<h",nocase; content:"><b>Please wait a moment. You will be forwarded..",within 54,distance 1,nocase; content:"</h",within 10; content:"></b>|0D 0A|",within 7,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23159; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype-"; content:"}catch(",distance 0; pcre:"/prototype\x2d([^\x7d]{1,5})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23158; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; http_uri; content:"src.php?case="; pcre:"/src.php\?case\=[a-f0-9]{16}/smi"; flowbits:set,kit.blackhole; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22949; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing redirection page"; flow:to_client,established; file_data; content:"document.location|3D 27|http|3A 2F 2F|"; content:"showthread.php?t=",distance 0; pcre:"/showthread\.php\?t\=[a-f0-9]{16}\x27\x3b/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22041; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"ype|22|].q}catch("; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,research.zscaler.com/2012/04/multiple-hijacking.html; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22040; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22039; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Exploit landing page with specific structure - Loading"; flow:to_client,established; file_data; content:"|0D 0A 0D 0A|<h1><b>Loading...Please Wait...</b>|0D 0A 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21876; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - catch"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"}catch(qq"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:21661; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Landing Page Requested - /Index/index.php"; flow:to_server,established; http_uri; content:"/Index/index.php"; flowbits:set,kit.blackhole; flowbits:noalert; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21660; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Landing Page Requested - /Home/index.php"; flow:to_server,established; http_raw_uri; bufferlen:15; http_uri; content:"/Home/index.php"; flowbits:set,kit.blackhole; flowbits:noalert; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21659; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole possible landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<span style=|22|display:none|3B 22|>safsaf(|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21658; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Applet landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><applet/"; content:"archive=",distance 0; content:"code=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21657; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific header"; flow:to_client,established; file_data; content:"<h3>Page is loading, please wait..</h3>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21549; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific header"; flow:to_client,established; file_data; content:"<h1>Loading ... Please Wait.... </h1>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21539; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Exploit Kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code=",nocase; content:"|20|archive=",distance 0,nocase; content:"display|3A|none|3B|",distance 0,nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit pdf download"; flow:to_client, established; flowbits:isset, blackhole.pdf; http_header; content:"application/pdf"; file_data; pkt_data; content:"arr="; pcre:"/\d+(.)\d+\1\d+\1\d+\1\d+\1\d+\1/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21344; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole exploit kit pdf request"; flow:to_server,established; http_uri; content:"adp",fast_pattern; content:".php?",within 5,distance 1,nocase; pcre:"/adp\d?\.php\?[fe]=/"; flowbits:set,blackhole.pdf; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21343; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit response"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"window.document"; content:"split"; pcre:"/\d{1,3}(.)\d{1,3}\1\d{1,3}\1\d{1,3}\1\d{1,3}\1/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21259; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT possible Blackhole landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>|0D 0A|if(window.document)"; pcre:"/(,\d{1,3}){20}/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21045; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT possible Blackhole landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>"; content:"new Date().getDay"; pcre:"/(#\d{1,2}){20}/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21044; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI Nuclear Pack exploit kit binary download"; flow:to_server,established; http_uri; content:"/g/",depth 3; http_raw_uri; bufferlen:47; http_uri; pcre:"/g\/\d{9}\/[0-9a-f]{32}\/[0-9]$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23157.txt; classtype:trojan-activity; sid:23157; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"EXPLOIT-KIT URI Nuclear Pack exploit kit landing page"; flow:to_server,established; http_uri; content:"/index.php?"; http_raw_uri; bufferlen:43; http_uri; pcre:"/index.php\?[0-9a-f]{32}$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23156.txt; classtype:bad-unknown; sid:23156; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI possible Blackhole URL - search.php?page="; flow:to_server, established; http_uri; content:"/search.php?page="; pcre:"/search\.php\?page=[a-f0-9]{16}$/"; flowbits:set,kit.blackhole; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21348; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Fake transaction redirect page to exploit kit"; flow:to_client,established; file_data; content:"<h2>Wait your order</h2>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,stopmalvertising.com/spam-scams/paypal-payment-notification-leads-to-blackhole-exploit-kit.html; classtype:attempted-user; sid:23141; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - taskkill"; flow:to_client,established; file_data; content:"exec "; content:"taskkill /F /IM"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21875; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse"; flow:to_client,established; file_data; content:"Createobject(StrReverse("; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21874; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit rhino jar request"; flow:to_client,established; file_data; content:"archive='rhin.jar'"; content:"archive='Goo.jar'",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:attempted-user; sid:21509; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimepack exploit kit malicious pdf request"; flow:to_server, established; http_uri; content:"/pdf.php?pdf="; pcre:"/pdf\.php\?pdf=[0-9A-F]+&type=\d+&o=[^&]+&b=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21099; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimepack exploit kit landing page"; flow:to_client, established; file_data; content:"charCodeAt(0)+13)?c:c-26)|3B|}).replace(/@/g,'A').replace(/!/g,'B').replace(/#/g,'C')"; content:"= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='|3B|"; pcre:"/var ([^\s]+) = ''\x3Bvar ([^,]+), ([^,]+).*\1 = \1 \+ String\.fromCharCode\(\2\).*\!= 64\) \{ \1 = \1 \+ String\.fromCharCode\(\3\)\x3b\}.*\x3breturn unescape\(\1\)\x3b\}return 0\x3b\}/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21098; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit exploit fetch request"; flow:to_server, established; http_header; content:"?spl="; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21069; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Eleanore exploit kit landing page"; flow:to_client, established; file_data; content:"X-Powered-By|3A| PHP/5.2.0|0D 0A|Content-type|3A| text/html|0D 0A 0D 0A|?>X-Powered-By|3A| PHP/5.2.0|0D 0A|"; content:"?>X-Powered-By: PHP/5.2.0",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21068; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Repeated Exploit Request Pattern"; flow:to_server,established; http_uri; content:"images.php?t="; pcre:"/^images.php\?t=\d{2,7}$/"; detection_filter:track by_src, count 5, seconds 15; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,labs.snort.org/docs/23218.txt; classtype:trojan-activity; sid:23218; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit Java Exploit request to .class file"; flow:to_server,established; http_uri; content:".class"; pcre:"/^\/\w{1,2}\/\w{1,3}\.class$/"; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23219; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Java Exploit Requested - 5 digit jar"; flow:to_server,established; http_raw_uri; bufferlen:10; http_uri; content:".jar"; pcre:"/^\/[0-9]{5}\.jar$/"; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23220; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT RedKit Landing Page Received - applet and 5 digit jar attempt"; flow:to_client,established; file_data; content:"<applet"; pcre:"/<applet[^>]+(archive|src)\s*?=\s*?(\x22|\x27|)\s*?(\d{5}\.jar|[^>]+\/\d{5}\.jar)/smi"; metadata:policy balanced-ips alert,policy security-ips alert; service:http, imap, pop3; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23222; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Landing Page Requested - 8Digit.html"; flow:to_server,established; http_raw_uri; bufferlen:14; http_uri; content:".html"; pcre:"/^\/[0-9]{8}\.html$/"; flowbits:set,kit.redkit; flowbits:noalert; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23224; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT RedKit Landing Page Received - applet and flowbit"; flow:to_client,established; flowbits:isset,kit.redkit; file_data; content:"<applet"; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23225; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-2008-2992"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21678; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call attempt"; flow:to_server,established; http_uri; content:".php?e=Adobe-2010-1297"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21679; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-2010-2884"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21680; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-80-2010-0188"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21681; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-90-2010-0188"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21682; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-0842Helper"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21683; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-0842"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21684; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-3552"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21685; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=JavaSignedApplet"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21686; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT SET java applet load attempt"; flow:to_client,established; file_data; content:"<applet width=|22|1|22| height=|22|1|22|",fast_pattern; content:"<param name=|22|WINDOWS|22| value=",distance 0,nocase; content:"<param name=|22|OSX|22| value=",distance 0,nocase; content:"<param name=|22|LINUX|22| value=",distance 0,nocase; content:"<param name=|22|64|22| value=",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; classtype:attempted-user; sid:23106; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI request for known malicious URI /stat2.php"; flow:to_server,established; http_uri; content:"/stat2.php?w=",nocase; content:"i=",distance 0,nocase; pcre:"/stat2\.php\?w=\d+\x26i=[0-9a-f]{32}\x26a=\d+/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf; reference:url,www.virustotal.com/file-scan/report.html?id=567e2dcde3c182056ef6844ef305e1f64d4ce1bf3fa09d8cdc019cca5e73f373-1318617183; reference:url,www.virustotal.com/file/8380bd105559643c88c9eed02ac16aef82a16e62ef82b72d3fa85c47b5441dc7/analysis/; classtype:trojan-activity; sid:20558; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit pdf exploit page request"; flow:to_server, established; http_header; content:"?spl=2"; http_uri; content:"/pdf.php"; http_header; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21070; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit post-exploit page request"; flow:to_server, established; http_uri; content:"load.php?spl="; pcre:"/load\.php\?spl=(Spreadsheet|DirectX_DS|MS09-002|MS06-006|mdac|RoxioCP v3\.2|wvf|flash|Opera_telnet|compareTo|jno|Font_FireFox|pdf_exp|aol|javad|ActiveX_pack)/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21071; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimepack exploit kit control panel access"; flow:to_client, established; file_data; content:"<title>CRiMEPACK"; pcre:"/<title>CRiMEPACK [\d\.]+</title>/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:policy-violation; sid:21096; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimepack exploit kit post-exploit download request"; flow:to_server, established; http_uri; content:"/load.php?spl="; pcre:"/^\/load\.php\?spl=[^&]+&b=[^&]+&o=[^&]+&i=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:successful-user; sid:21097; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious taskkill script - StrReverse"; flow:to_client,established; file_data; content:"|22|taskkill"; content:"StrReverse",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23147; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious StrReverse - Shell"; flow:to_client,established; file_data; content:"StrReverse|28 22|llehS"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23148; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious StrReverse - Scripting.FileSystemObject"; flow:to_client,established; file_data; content:"StrReverse|28 22|tcejbOmetsySeliF.gnitpircS"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23149; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page received"; flow:to_client,established; file_data; content:"value="; content:"N0b09090",within 10; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24226; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 - Landing Page Received"; flow:to_client,established; file_data; content:"<applet"; content:".php?",distance 0; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{10,64}&[a-z]{2,12}=.*?&[a-z]{2,12}=/"; metadata:policy balanced-ips alert,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24228; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"if(navigator.javaEnabled()) {"; content:"document.write(",within 30; content:"php?",within 75; pcre:"/(action|setup)=[a-z]{1,4}/Ri"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24231; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?action=",nocase; content:"&h=",distance 0,nocase; pcre:"/\&h=\d{5}$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24232; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?setup=",nocase; pcre:"/setup=[a-z]$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24233; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?setup=",nocase; content:"&s=",distance 0,nocase; content:"&r=",distance 0,nocase; pcre:"/setup=[a-z]\&s=\d\&r=\d{5}$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24234; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown exploit kit redirection page"; flow:to_client,established; file_data; content:"<script",nocase; content:"|3D 22|constructor|22 3B|var|20|",distance 0,fast_pattern,nocase; content:"|27 3B|var appVersion_var|3D 22|",distance 0,nocase; content:"].apply(document_body_var,[",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,jsunpack.jeek.org/?report=bf7e015d53808a6e94365139395d4d29e5d41840; classtype:trojan-activity; sid:24344; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole v2 fallback executable download"; flow:to_server,established; http_uri; content:"/adobe/update_flash_player.exe"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:24501; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole admin page inbound access attempt"; flow:to_server,established; http_uri; content:"/bhadmin.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24543; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole admin page outbound access attempt"; flow:to_server,established; http_uri; content:"/bhadmin.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24544; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page download attempt"; flow:to_client,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24546; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"try{",within 20,nocase; content:"}catch(",within 20,nocase; content:"try{",within 20; content:"}catch(",within 20; content:"=new Array(",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24547; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"try{",within 20,nocase; content:"}catch(",within 20,nocase; content:"try{",within 20; content:"}catch(",within 20; content:"=window[",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24548; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page received - specific structure"; flow:to_client,established; file_data; content:"<html><head><title></title></head><body><div ",depth 60; pcre:"/body\x3e\x3cdiv\s[a-z]{3}\x3d\x22[a-z]{3}\x22/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24593; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT Blackholev2 landing page download attempt"; flow:to_server,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24608; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT Blackholev2 redirection page - specific structure"; flow:to_server,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24636; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 redirection page - specific structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24637; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 redirection successful"; flow:to_server,established; http_uri; content:"/forum/links/column.php"; http_header; content:".ru|3A|8080|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24638; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT KaiXin pack attack vector attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24667; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT KaiXin pack attack vector attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24668; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT KaiXin pack attack vector attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24669; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT KaiXin pack attack vector attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24670; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit possible redirection attempt"; flow:to_server,established; http_uri; content:"/i.php?token="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24785; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java Exploit request structure"; flow:to_server,established; http_uri; content:"j.php?t=u"; http_header; content:"content-type"; content:"x-java-archive|0D 0A|",distance 0; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24786; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit Java Exploit download"; flow:to_client,established; http_header; content:" filename="; content:".jar|0D 0A|",distance 0; pcre:"/filename\=[a-z0-9]{24}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24787; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit PDF Exploit request structure"; flow:to_server,established; http_uri; content:"p3.php?t=u"; content:"&oh=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24788; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit PDF Exploit download attempt"; flow:to_client,established; http_header; content:"application/pdf"; content:"Content-Disposition|3A| inline|3B| filename="; content:".pdf|0D 0A|",distance 0; pcre:"/filename=[a-z0-9]{12}[0-9]{12}\.pdf/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24789; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Portable Executable request"; flow:to_server,established; http_uri; content:"load.php?e=u"; content:"&token=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24790; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit Portable Executable download"; flow:to_client,established; http_header; content:" filename="; content:".exe|0D 0A|",distance 0; pcre:"/filename\=[a-z0-9]{24}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24791; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT KaiXin Exploit Kit Java Class download"; flow:to_client,established; file_data; content:"PK",depth 2; content:"GondadGondadExp.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; reference:url,urlquery.net/report.php?id=222114; classtype:trojan-activity; sid:24793; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible malicious Jar download attempt - specific-structure"; flow:to_client,established; http_header; content:"|3B 20|filename|3D|",nocase; content:".jar",within 4,distance 8,nocase; pcre:"/filename\x3d\w{8}\.jar/i"; file_data; pkt_data; content:"PK|03 04|",depth 4; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-0422; classtype:trojan-activity; sid:24798; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Blob",within 30; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24839; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange landing page - JAR redirection"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|",within 12,distance 6; content:"|22| width|3D 22|",within 12,distance 9; content:"|22| height|3D 22|",within 12; content:"|0D 0A|<param",within 50; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24840; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sibhost Exploit Kit outbound JAR download attempt"; flow:to_server,established; http_uri; content:"?s="; content:"&m=",within 3,distance 1; pcre:"/^\x2f[A-Za-z0-9]{33}\?s=\d\&m=\d$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:24841; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific-structure"; flow:to_client,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>",within 11; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24860; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT Blackholev2 landing page in an email"; flow:to_server,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>",within 11; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24861; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24862; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT Blackholev2 landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24863; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24864; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"EXPLOIT-KIT Blackholev2 landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24865; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear Exploit Kit landing page detected"; flow:to_client,established; file_data; content:"{if(typeof"; content:"))|3B|}}return this|3B|}",within 100; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:24888; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT ProPack Exploit Kit outbound connection attempt"; flow:to_server,established; http_uri; content:"/build2/serge/opafv.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,urlquery.net/search.php?q=build2%2Fserge&type=string&start=2012-11-22&end=2012-12-07&max=50; reference:url,www.malwaredomainlist.com/mdl.php?search=build2%2Fserge&colsearch=Domain&quantity=50&inactive=on; classtype:trojan-activity; sid:24977; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT ProPack Exploit Kit outbound payload request"; flow:to_server,established; http_uri; content:".php?j=1&k="; http_header; content:" Java/1"; http_uri; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24978; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT ProPack Exploit Kit outbound connection"; flow:to_server,established; http_uri; content:"/build/agrde/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24979; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Java User-Agent flowbit set"; flow:to_server,established; http_header; content:"User-Agent|3A 20|"; content:"Java/1.",fast_pattern; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./"; flowbits:set,java_user_agent; flowbits:noalert; service:http; classtype:misc-activity; sid:25041; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible Exploit Kit"; flow:to_client,established; flowbits:isset,java_user_agent; http_header; content:!"FTB_Launcher.exe",nocase; content:"filename="; file_data; pkt_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/11/cve-2012-5076-massively-adopted.html; classtype:trojan-activity; sid:25042; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 url structure detected"; flow:to_server,established; http_uri; content:".php?"; content:"|3A|",within 7,distance 2; content:"|3A|",within 1,distance 2; content:"|3A|",within 1,distance 2; content:"|3A|",within 1,distance 2; pkt_data; content:"&",distance 0; http_uri; pcre:"/\.php\?[a-z]{2,8}=[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\&[a-z]{2,8}=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25043; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Collocation",within 30; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:25044; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Cool Exploit Kit requesting payload"; flow:to_server,established; http_uri; content:"/f.php?k="; pcre:"/\/f\.php\?k=\d/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/10/newcoolek.html; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:25045; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java V6 exploit download"; flow:to_server,established; http_uri; content:"/j16.php?i="; http_header; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25046; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java V7 exploit download"; flow:to_server,established; http_uri; content:"/j17.php?i="; http_header; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25047; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit PDF Library exploit download"; flow:to_server,established; http_uri; content:"/lpdf.php?i="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25048; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/pdfx.html"; pcre:"/\/pdfx\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25136; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit exe outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:>150; http_uri; content:"/getmyfile.exe?o=1&h="; pcre:"/\/[a-zA-Z0-9]{150,}\/getmyfile\.exe\?o=1\&h=11$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25140; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit redirection attempt"; flow:to_client,established; file_data; content:"<iframe name="; content:"=auto frameborder=no align=center height=2 width=2 src=http|3A|//",within 75,distance 10; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25255; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT redirect to malicious java archive attempt"; flow:to_client,established; file_data; content:"|3C|applet archive|3D 22 2F|read|2F|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25301; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page detected"; flow:to_client,established; file_data; content:"<div class=|27|"; content:"=)</div>",within 45; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25324; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit malicious jar file dropped"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"mac.classPK",nocase; content:"test.classPK",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25382; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - info.exe"; flow:to_client,established; http_header; content:"filename="; content:"info.exe",within 9,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25383; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - contacts.exe"; flow:to_client,established; http_header; content:"filename="; content:"contacts.exe",within 13,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25384; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - calc.exe"; flow:to_client,established; http_header; content:"filename="; content:"calc.exe",within 9,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25385; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - about.exe"; flow:to_client,established; http_header; content:"filename="; content:"about.exe",within 10,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25386; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - readme.exe"; flow:to_client,established; http_header; content:"filename="; content:"readme.exe",within 12,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25387; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 redirection successful"; flow:to_server,established; http_uri; content:"/forum/links/public_version.php"; http_header; content:".ru|3A|8080|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25388; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|",within 15,distance 5; content:".class|22| width=|22|",within 30,distance 5; content:"|22| height=|22|",within 25; content:"<param",within 25; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25389; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<h1>Open your server</h1>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25390; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Red Dot landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|",within 12,distance 1; content:"width=|22|100|22| height=|22|100|22|>",within 50; content:"<param name|22|guid"; content:"|22| value=|22|",within 10; content:"<param name=|22|thread"; content:"|22| value=|22|",within 10; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25538; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Red Dot java retrieval attempt"; flow:to_server,established; http_raw_uri; bufferlen:6; http_uri; content:"/"; content:".jar",within 4,distance 1; pcre:"/\/\[fx]\.jar$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25539; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Red Dot executable retrieval attempt"; flow:to_server,established; http_uri; content:"/load.php?guid=",nocase; content:"&thread=",distance 0,nocase; content:"&exploit=",distance 0,nocase; content:"&version=",within 9,distance 1,nocase; pkt_data; content:"&rnd=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25540; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit redirection"; flow:to_client,established; file_data; content:"{ var"; content:"= document.createElement(|27|iframe|27|)|3B|"; content:".src = |27|http|3A 2F 2F|"; content:"|27 3B| ",distance 0; content:".style.position = |27|absolute|27 3B|",distance 0; content:".style.border = |27|0|27 3B| ",distance 0; content:".style.height = |27|1px|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:25558; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT JDB Exploit kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>33; http_uri; content:"/jdb/inf.php?id="; pcre:"/\/jdb\/inf\.php\?id=[a-f0-9]{32}$/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25559; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT JDB Exploit kit landing page"; flow:to_client,established; file_data; content:"setTimeout(|22|alert(|27|Adobe Flash must be updated to view this, please install the latest version!|27|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25560; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT JDB Exploit Kit landing page"; flow:to_client,established; file_data; content:"<applet width=|27|0px|27| height=|27|0px|27| code=|22|"; content:"|22| archive=|22|data",within 50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25561; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>32; http_uri; content:"/q.php"; pcre:"/\/[a-f0-9]{32}\/q\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 Exploit Kit landing page"; flow:to_client,established; file_data; content:"<PARAM VALUE=|22|"; content:"|22| NAME=|22|CODE|22|><PARAM NAME=|22|ARCHIVE|22| VALUE=|22|",within 50; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25569; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole v2 landing page - specific structure"; flow:to_client,established; file_data; content:"<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25590; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page - specific structure"; flow:to_client,established; file_data; content:"<script>try"; content:"}catch(",within 50; content:"}try{if(",within 50; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25591; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 redirection successful"; flow:to_server,established; http_uri; content:"/forum/links/news.php"; http_header; content:".ru|3A|8080|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25611; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Oracle Java Unknown exploit kit java dropped file"; flow:to_client,established; file_data; content:"PK",depth 2; content:"XHbNaqRg.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:25651; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit kit jar file dropped"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"BurkinoGoso.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25803; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Whitehole exploit kit initial redirection successful"; flow:to_server,established; http_uri; content:"/?java="; pcre:"/\/\?java\=[0-9]{2,4}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25804; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval"; flow:to_server,established; http_uri; content:"/Java"; content:".jar?java="; pcre:"/\/Java([0-9]{1,2})?\.jar\?java=[0-9]{2}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25805; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Whitehole Exploit Kit landing page"; flow:to_client,established; file_data; content:"document.write (|27|<iframe src=http|3A 2F 2F|"; content:".jar?java=98 width=10 height=10><param name=http value="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25806; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure"; flow:to_client,established; file_data; content:"<html><head><title>Please Wait...</title></head><body><script>function"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:25808; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit possible plugin detection attempt"; flow:to_server,established; http_uri; content:"/js/rdps.js"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25821; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit malicious PDF retrieval"; flow:to_server,established; http_uri; content:"/p5.php?t="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25822; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java V5 exploit download"; flow:to_server,established; http_uri; content:"/j15.php?i="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25823; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit malicious payload retrieval"; flow:to_server,established; http_uri; content:"/i8.php?jquery="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25824; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Cool Exploit Kit PDF exploit"; flow:to_server,established; http_uri; content:"/world/",depth 7,fast_pattern; content:".pdf",distance 0,nocase; http_header; content:"Referer|3A 20|"; http_uri; pcre:"/\/world\/[^\x2f]*\.pdf/i"; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/world\//"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25857; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit Java exploit download"; flow:to_client,established; file_data; content:"PK",depth 2; content:"SunJCE.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25858; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"<applet"; content:"SunJCE.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25860; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit java exploit retrieval"; flow:to_client,established; file_data; content:"PK",depth 2; content:"arttqa.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.virustotal.com/en/file/762bb7087cbde34e8c4be5daf34732c280be7d30e4070fb159c09eb9dbccf5f0/analysis/; classtype:trojan-activity; sid:25861; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit java exploit retrieval"; flow:to_client,established; file_data; content:"PK",depth 2; content:"cpnakc.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.virustotal.com/en/file/762bb7087cbde34e8c4be5daf34732c280be7d30e4070fb159c09eb9dbccf5f0/analysis/; classtype:trojan-activity; sid:25862; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:25948; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"try{document.body++|3B|}catch(q){"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25952; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"<div id=|22|heap_allign|22|></div>|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25953; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit former location - has been removed"; flow:to_client,established; file_data; content:"<b>ERROR 404 CONTENT</b>"; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25960; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT g01pack browser check attempt"; flow:to_client,established; file_data; content:"|21 28 2F 28|Firefox|7C|Chrome|7C|Linux|7C|Mac OS|29 2F|.test|28|navigator.userAgent|29 29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/01/30/speedtest-net-g01pack-exploit-kit/; classtype:trojan-activity; sid:25982; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><td><h1>Loading... Please Wait.</h1></td><script>document.write("; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25988; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Gong Da exploit kit redirection page received"; flow:to_client,established; file_data; content:"+=|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22 3B|}catch(e){var"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:26013; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sibhost exploit kit"; flow:to_server,established; http_uri; content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost; classtype:trojan-activity; sid:26020; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"<head><title></title></head><body><object WIDTH=|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26031; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 iframe redirection attempt"; flow:to_client,established; file_data; content:"try{"; content:"++}catch(",within 15; content:"{try{",within 20; content:"}catch(",within 20; content:"=|22|",within 50; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26033; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - stats access"; flow:to_server,established; http_uri; content:".php?action=stats_access"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26034; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - java on"; flow:to_server,established; http_uri; content:".php?action=stats_javaon"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26035; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java Exploit"; flow:to_server,established; http_uri; content:"/amor",fast_pattern; content:".jar",within 6; http_header; content:" Java/"; http_uri; pcre:"/^\/amor\d{0,2}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-4681; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26036; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"amor.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-4681; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26037; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; http_uri; content:"/jhan.jar?r="; pcre:"/^\/jhan.jar?r=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26038; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; http_uri; content:"/jmx.jar?r="; pcre:"/^\/jmx.jar?r=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26039; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt"; flow:to_server,established; http_uri; content:"/Plugin.cpl"; http_header; content:" Java/1"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26040; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt"; flow:to_server,established; http_uri; content:"/x4.gif"; http_header; content:" Java/1"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26041; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - stats loaded"; flow:to_server,established; http_uri; content:".php?action=stats_loaded"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26042; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt"; flow:to_server,established; http_uri; content:"/Instal.jpg"; http_header; content:" Java/1"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26043; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - redirection attempt"; flow:to_server,established; http_uri; content:".php?action=jv&h="; pcre:"/\.php\?action=jv\&h=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26044; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - setup"; flow:to_server,established; http_uri; content:".php?setup=d&s="; pcre:"/\.php\?setup=d\&s=\d+\&r=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26045; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"<html><head></head><body><applet code=|22|hw|22| archive=|22|http|3A|//"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26046; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit redirection structure"; flow:to_client,established; file_data; content:"<html><head><meta http-equiv=|22|refresh|22| content=|22|0|3B|url=http|3A 2F 2F|"; content:"|22|></meta></head></html>",within 100; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26047; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Styx Exploit Kit Landing Page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22 20|code=|22|",within 25; content:"|22 20|name=|22|",within 25; content:"|22|>|0D 0A|<param name=|22|",within 25; content:"|22 20|value=|22|http|3A 2F 2F|",within 25; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:26090; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool exploit kit landing page "; flow:to_client,established; file_data; content:"<applet code=|22|MyApplet.class|22| archive=|22|http|3A 2F 2F|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:26091; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:".class|22| width=|22|10|22| height=|22|9|22|>|0D 0A|<param value=|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26094; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"|3D 5B|0x9,0x9,0x2f,0x2a,0x2a,0xa,0x9,0x9,0x20,0x2a,0x20,"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26095; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"try{}catch("; content:"}try{",within 50; content:"}catch(",within 50; content:"|3B|n=|5B|",within 100; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26096; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit Java archive transfer"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"JHelper.classPK"; content:"Foo.classPK"; content:"JPlayer.classPK"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-1723; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26097; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit Java archive transfer"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"JHelper.classPK"; content:"JHelper.datPK"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26098; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"if (navigator.appName == |27|Microsoft Internet Explorer|27|) {"; content:"document.write(|27|<applet archive=|22|http|3A|//",within 50; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26099; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"<applet archive=|27|http|3A 2F 2F|"; content:"|27| code=|27|JHelper|27| width=|27|",within 100; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26100; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"navigator.javaEnabled()"; content:"document.write(|27|",within 100; content:"<script src=|22|",distance 0; pcre:"/\.js\/\?[a-z]+\=[a-z]{1,4}/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26226; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>16; http_uri; content:"/q.php"; pcre:"/\/[a-f0-9]{16}\/q\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26227; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool exploit kit redirection page"; flow:to_client,established; file_data; content:".jar|22| code=|22|MyApplet"; content:"|22|></applet><",distance 0; pcre:"/code\=\x22MyApplet(\.class)?\x22><\/applet/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26228; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Cool exploit kit MyApplet class retrieval"; flow:to_server,established; http_raw_uri; bufferlen:21; pkt_data; content:"/world/MyApplet.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26229; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<script>p=parseInt|3B|ss=String|3B|asgq="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26232; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|",within 25; content:".class|22|",within 25; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26233; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact exploit kit landing page"; flow:to_client,established; file_data; content:"<applet code=|22|"; content:".class|22| archive=|22|",distance 0; content:".jar|22| width=|22|1|22| height=|22|1|22|><param name=|22|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2010-0188; reference:cve,2012-1723; reference:cve,2012-5076; reference:cve,2013-0422; classtype:trojan-activity; sid:26252; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; file_data; content:"<object classid=|22|clsid|3A|8AD9C840-044E-11D1-B3E9-00805F499D93|22| codebase=|22|"; content:"<param NAME=|22|ARCHIVE|22| VALUE=|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26253; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool exploit kit redirection page"; flow:to_client,established; file_data; content:".jar|22| code="; content:"Applet|22|></applet><",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26254; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool exploit kit malicious jar download"; flow:to_client,established; file_data; content:"MyApplet$MyBufferedImage.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26256; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 82 ( msg:"EXPLOIT-KIT Sakura Exploit Kit exploit request"; flow:to_server,established; content:"/news/thing.php"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26293; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|",within 50; content:"|22| name=|22|",within 50; content:"<param name=|22|",within 20,distance 5; content:"|22| value=|22|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26296; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Styx exploit kit redirection page"; flow:to_client,established; file_data; content:"var"; content:"=|22|pdf|22|",within 25; content:"location.href=",within 250; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26297; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit redirection page"; flow:to_client,established; file_data; content:"<frame marginwidth=0 marginheight=0 frameborder=0 name=|22|TOPFRAME|22|"; content:"index.php?id="; content:"noresize>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:26323; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"prototype|3B|}catch("; content:".substr",within 50; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26337; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(gdsg"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26338; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval - ff.php"; flow:to_server,established; http_raw_uri; bufferlen:>16; http_uri; content:"/ff.php"; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/ff\.php/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26339; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"<applet name="; content:" code=",within 100; content:" archive=",within 100; content:"http|3A 2F 2F|",within 50; content:".jar",distance 0; content:" codebase=",distance 0; pcre:"/[a-z0-9]{32}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26341; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<div class="; content:"retwretrewt",within 11,distance 1; content:">|3A|)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26342; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"id="; content:"swf_id",within 6,distance 1; content:"<param name=",distance 0; content:"Play",within 4,distance 1; content:" value=",within 7,distance 1; content:"0",within 1,distance 1; content:"><embed src=",distance 1; content:"http|3A 2F 2F|",within 8,distance 1; content:".swf"; pcre:"/[a-z0-9]{32}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26343; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar",distance 0; content:" code=",within 6,distance 1; content:"Application.class",within 17,distance 1; content:">",within 1,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26344; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; http_raw_uri; bufferlen:18<>21; http_uri; content:".html?h="; pcre:"/\/[a-z]{4}\.html\?h\=\d{6,7}$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26345; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit payload requested"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:".html"; http_header; content:" Java/1",fast_pattern; http_uri; pcre:"/\/\d{2}\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26346; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit java exploit delivery"; flow:to_client,established; file_data; content:"Application.class"; content:"Fazan.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26348; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit obfuscated portable executable"; flow:to_client,established; http_header; content:"filename=setup.exe"; file_data; pkt_data; content:"|8B 7F AA 11 CE 52 0A 3D 76|",depth 9; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26349; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit successful redirection"; flow:to_server,established; http_uri; content:"/count"; content:".php",within 4,distance 2; pcre:"/\/count\d{2}\.php$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26350; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar",distance 0; content:" code=",within 6,distance 1; content:"Java.class",within 10,distance 1; content:">",within 1,distance 1; content:"<param name=",distance 0; content:"name",within 4,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26351; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit java exploit request"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:".jar"; http_header; content:" Java/1"; pkt_data; content:"content-type|3A| application/x-java-archive",fast_pattern,fast_pattern_offset 20,fast_pattern_length 20; http_uri; pcre:"/\/([0-9][0-9a-z]{2}|[0-9a-z][0-9][0-9a-z]|[0-9a-z]{2}[0-9])\.jar$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26377; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; http_raw_uri; bufferlen:18<>21; http_uri; content:".html?i="; pcre:"/\/[a-z]{4}\.html\?i\=\d{6,7}$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26383; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; http_raw_uri; bufferlen:18<>21; http_uri; content:".html?j="; pcre:"/\/[a-z]{4}\.html\?j\=\d{6,7}$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26384; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit jar file downloaded"; flow:to_client,established; file_data; content:"Suburb.class"; content:"Suburb013.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26434; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit malicious jar archive download"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"hw.classPK"; content:"test.classPK"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25302; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit jar file redirection"; flow:to_client,established; file_data; content:"<body><applet archive="; content:"http|3A 2F 2F|",within 8,distance 1; content:".jar",distance 0; content:"code=",distance 0; content:"hw",within 2,distance 1; content:"></applet>",within 10,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26506; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"(window[|22|qgq|22|](new Array("; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26507; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - info.dll"; flow:to_client,established; http_header; content:"filename="; content:"info.dll",within 9,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26508; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bottom.class"; content:"Bottom10.class",distance 0; content:"Bottom11.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26509; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit pdf payload detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"evrewrwervwe"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26510; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura Exploit kit redirection structure"; flow:to_client,established; file_data; content:"<iframe id="; content:"frmstyle",within 8,distance 1; content:" src=",within 5,distance 1; content:"http|3A 2F 2F|",within 7,distance 1; content:" height=",within 250; content:"frameborder=0></iframe>",within 200; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26511; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Big.class"; content:"Big010.class",distance 0; content:"Big011.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26512; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit logo transfer"; flow:to_client, established; flowbits:isset,file.jpeg; file_data; content:"|FB 27 68 DE 2D D6 BF E0 AC BF B5 82 78 7B 5C F0|"; content:"|AE 6E 3C CD EE AE BF 33 F5 0F 58 D5 2D 74 3D 2A|",distance 0; content:"|04 67 82 31 5F 1F 7F C1 62 A7 D4 EC FC 71 FB 31|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:string-detect; sid:21510; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub"; flow:to_client,established; file_data; content:"MZ",depth 2; isdataat:62,relative; content:"|2F 2A 14 20|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http, imap, pop3; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt"; flow:to_server,established; http_uri; content:"/info/last/index.php"; http_header; pcre:"/^Host:\s*?[a-f0-9]{63,64}\./im"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26527; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Stamp Exploit Kit portable executable download"; flow:to_server,established; http_uri; content:"/elections.php?"; http_header; content:" Java/1."; http_uri; pcre:"/\/elections\.php\?([a-z0-9]+\x3d\d{1,3}\&){9}[a-z0-9]+\x3d\d{1,3}$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0431; classtype:trojan-activity; sid:26534; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit landing page - specific structure"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value=",distance 0; content:"PD",within 2,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26535; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Stamp Exploit Kit landing page"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar",within 30,distance 5; content:" code=",within 30; content:".class",within 30,distance 5; content:" width=",within 30; content:" height=",within 25; content:"<param",within 25; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26536; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit jar download detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main.class"; content:"NOnoa.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26537; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit landing page received"; flow:to_client,established; file_data; content:"<html><body></body><input id=|27|"; content:"|27| value=|27 25|",within 50; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26538; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit pdf download detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<< /CreationDate (D|3A|20130404171020)>>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26539; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"try{document.body-=12|3B|}catch(dv32r3)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26540; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Multiple Exploit kit successful redirection - jnlp bypass"; flow:to_server,established; http_uri; content:"php?jnlp="; pcre:"/php\?jnlp\=[a-f0-9]{10}($|\x2c)/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26541; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; http_header; content:".com-"; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/i"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26562; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT unknown exploit kit script injection attempt"; flow:to_client,established; file_data; content:"|22|+escape|28|",depth 100; content:".charCodeAt|28|",distance 0; content:"</script>id=",within 64,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,threatpost.com/d-c-media-sites-hacked-serving-fake-av/; classtype:trojan-activity; sid:26591; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"/*reedjoll*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26599; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"var sentleft=|7B|versoin|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26600; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"|7B|catch(d21vd12v)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26617; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Mutiple exploit kit landing page - specific structure"; flow:established,to_client; file_data; content:"<applet><param name=|22|jnlp_href|22| value=|22|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/; classtype:trojan-activity; sid:26653; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:established,to_client; file_data; content:"<applet"; content:"archive=",distance 0; content:" code=",within 25; content:" width=",within 25; content:" height=",within 25; content:"<param",within 50; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26804; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit encrypted binary download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|FB 67 1F 49|",depth 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26805; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit short JNLP request"; flow:to_server,established; http_uri; content:".jnlp"; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26806; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"|7C|secure|7C|length|7C|setStr|7C|getCookie|7C|setCookie|7C|indexOf|7C|v|7C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26807; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit short jar request"; flow:to_server,established; http_uri; content:".jar"; http_header; content:" Java/1."; content:"content-type|3A| application/x-java-archive"; http_uri; pcre:"/^\/[a-z0-9]{1,4}\.jar$/"; http_header; content:!"cbssports.com"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26808; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; http_uri; bufferlen:17; content:"/linkendorse.html"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26814; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sweet Orange landing page in.php base64 uri"; flow:to_server,established; http_uri; content:"/in.php"; content:"&q=",distance 0; content:"==",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; http_uri; content:"/natpay.html?"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26838; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit executable download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".exe",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit jar file download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".jar",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit landing page"; flow:to_client,established; file_data; content:"<script src="; content:"js/js.js",distance 1; content:"AdobeReader",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26893; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Java V6 exploit download"; flow:to_server,established; http_uri; content:"/j161.php?i="; http_header; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26894; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Java V7 exploit download"; flow:to_server,established; http_uri; content:"/j07.php?i="; http_header; content:" Java/1.7"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26895; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Plugin detection response"; flow:to_server,established; http_uri; content:"/gate.php?ver="; content:"&p=",distance 0; content:"&j=",distance 0; content:"&f=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26896; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit malware download"; flow:to_server,established; http_uri; content:"/load.php?e="; content:"&ip=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26897; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit inbound java exploit download"; flow:to_client,established; http_header; content:"filename=atom.jar"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit inbound java exploit download"; flow:to_client,established; http_header; content:"filename=site.jar"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width="; content:"0",within 1,distance 1; content:" height=",within 8,distance 1; content:"0",within 1,distance 1; content:" code=",within 6,distance 1; content:"site.avi",within 8,distance 1,nocase; content:" archive=",within 9,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26949; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; http_uri; content:"/?f=s"; content:"&k=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:26950; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotCachef/DotCache Exploit Kit Malvertising Campaign URI request"; flow:to_server,established; http_uri; content:"/.cache/?f=",fast_pattern; content:".jar"; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:26951; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 1"; flow:to_server,established; http_uri; content:".php?exp=byte&b="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26956; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 2"; flow:to_server,established; http_uri; content:".php?exp=lib&b="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26957; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 3"; flow:to_server,established; http_uri; content:".php?exp=atom&b="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26958; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 4"; flow:to_server,established; http_uri; content:".php?exp=rhino&b="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26959; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Zuponcic Exploit kit redirection received"; flow:to_client,established; file_data; content:"<iframe style="; content:"z-index|3A| -1",within 11,distance 1; content:"scrolling="; content:"no",within 2,distance 1; content:"src=",within 4,distance 2; content:"http|3A 2F 2F|",within 7,distance 1; content:"mt",within 50,distance 10; content:" id=",within 4,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26960; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><script>"; content:"var",within 3,distance 1; content:"document.createElement"; content:"iframe",within 6,distance 2; content:".setAttribute(",distance 0; content:"document.body.appendChild(",distance 0,fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26961; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flim exploit kit portable executable download"; flow:to_client,established; file_data; content:"|4F CF 6A BC A1 03 01 00 69|",depth 9; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26962; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; http_uri; content:".php?b="; content:"&v=1.",distance 0; pcre:"/\.php\?b=[A-F0-9]+&v=1\./"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26985; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit Portable Executable downloaded when mp3 is declared"; flow:to_client,established; http_header; content:"filename="; content:"mp3",within 25; content:"|0D 0A|",within 4; file_data; pkt_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27005; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"<link href=|27|"; content:".css|27| rel=|27|stylesheet|27|><link href=|27|",within 100; content:"{a={plugins|3A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27026; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection jorg"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/jorg.html"; pcre:"/\/jorg\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection jlnp"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/jlnp.html"; pcre:"/\/jlnp\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection jovf"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/jovf.html"; pcre:"/\/jovf\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(qwqw){"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27067; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 malicious jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Tretre.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27068; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 malicious portable executable download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"c|3A 5C|Soft|5C|cebhlpod.txt"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27069; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>16; http_uri; content:"/a.php"; pcre:"/\/[a-f0-9]{16}\/a\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27071; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>32; http_uri; content:"/a.php"; pcre:"/\/[a-f0-9]{32}\/a\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27072; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nailed exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<html > <head > <title > Loading"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27078; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nailed exploit kit landing page stage 2"; flow:to_client,established; file_data; content:"global_exploit_list[exploit_idx].resource"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27079; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit Firefox exploit download - autopwn"; flow:to_server,established; http_uri; content:"/ff_svg/1.bin"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0757; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27080; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit Internet Explorer exploit download - autopwn"; flow:to_server,established; http_uri; content:"/ie_exec/2.html"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-4969; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27081; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit flash remote code execution exploit download - autopwn"; flow:to_server,established; http_uri; content:"/flash_atf/",fast_pattern; content:".swf",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-1535; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27082; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn"; flow:to_server,established; http_uri; content:"/jmxbean/1.jar"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0422; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27083; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit rhino remote code execution exploit download - autopwn"; flow:to_server,established; http_uri; content:"/rhino/1.jar"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27084; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class",distance 0; content:"|00|inc.class",distance 0; content:"|00|fdp.class",distance 0,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:27085; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown Malvertising Exploit Kit stage-1 redirect"; flow:to_client,established; content:"<html><body><script>|0A|var ",fast_pattern; content:"document.createElement(",within 80; content:".setAttribute(|22|archive|22|, ",within 65; content:".setAttribute(|22|codebase|22|, ",within 65; content:".setAttribute(|22|id|22|, ",within 65; content:".setAttribute(|22|code|22|, ",within 65; content:"|22|)|3B 0A|document.body.appendChild(",within 65; content:"</script>|0A|</body>|0A|</html>|0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:27086; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool/Styx exploit kit landing page"; flow:to_client,established; file_data; content:"for("; content:"=0|3B|",within 25; content:".value.length|3B|",within 100; content:".value.substr(",distance 0; pcre:"/for\x28(?P<var>\w+)\x3d0\x3b.*?\.value\.substr\x28(?P=var)\x2c2\x29/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html; classtype:trojan-activity; sid:27092; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bjisad.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27106; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|00|Han.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27107; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit malicious jar file downloaded when exe is declared"; flow:to_client,established; http_header; content:"filename="; content:"exe",within 25,nocase; file_data; pkt_data; content:"PK"; content:".class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27108; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Momomo.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27109; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; http_uri; content:"php?sf="; content:"&Ze=",distance 0; content:"&m=",distance 0; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27110; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; http_uri; content:"/?f=a"; content:"&k=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit numerically named exe file dowload"; flow:to_client,established; http_header; content:"filename="; content:".exe",within 4,distance 4; pcre:"/filename\=\d{4}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27140; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:".value|3B| |09| var"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27141; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:"<html><head><script type=|27|text/javascript|27| src=|22|js/PluginDetect.js|22|>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27142; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:"|27| value=|27|JTIw"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27143; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Private Exploit Kit outbound traffic"; flow:to_server,established; http_uri; content:".php?"; http_header; content:"content-type: application/"; content:" Java/1"; http_uri; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/i"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page detected"; flow:to_client,established; file_data; content:"<OBJECT CLASSID=|22|clsid|3A|5852F5ED-8BF4-11D4-A245-0080C6F74284|22| width=|22|1|22| height=|22|1|22|><PARAM name=|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27241; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"counter.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:27242; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(dgsgsdg"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27271; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown exploit kit iframe redirection"; flow:established,to_client; file_data; content:"<iframe style=|22|position|3A|fixed|3B|top|3A|0px|3B|left|3A|-550px|3B 22| src="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27273; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java Exploit request structure"; flow:to_server,established; http_uri; content:"/rhino.php?hash="; http_header; content:"content-type"; content:"java-archive"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27274; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"|7D|catch(d21vd12v)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27592; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Microsoft Windows afd.sys kernel-mode memory corruption attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|8B 45 FC 50 6A|"; byte_test:1,>,24,0,relative; content:"|8D 8D A0 FD FF FF 51 68 BB 20 01 00 8B 55 F8 52 FF 15 18|"; content:"|40 00|",within 2,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-080; classtype:attempted-admin; sid:20270; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MZ",depth 2; content:"JFIF",depth 4,offset 6; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1433; classtype:attempted-user; sid:23312; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MZ|2D 6C 68|",depth 5; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1436; classtype:attempted-user; sid:23309; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|D8 7B 7B 6F 6E B9 9B 95 BB 99 81 A8 E0 AF 32 23 75 57 DB AC 5C BD 34 A4 94 A6 E3 4A DC EF EB F5|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0151; classtype:attempted-user; sid:25357; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|D8 7B 7B 6F 6E B9 9B 95 BB 99 81 A8 E0 AF 32 23 75 57 DB AC 5C BD 34 A4 94 A6 E3 4A DC EF EB F5|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-0151; classtype:attempted-user; sid:25779; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|83 EC 40 C7 04 24 54 4D 45 4D C7 44 24 04 4F 2E 4A 54 C7 44 24 08 44 00 00 00 8B C4 50 BB E8 C5 3F 21 FF 13 83 C4 40 E9 B2 BF FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0707; classtype:attempted-user; sid:26070; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|83 EC 40 C7 04 24 54 4D 45 4D C7 44 24 04 4F 2E 4A 54 C7 44 24 08 44 00 00 00 8B C4 50 BB E8 C5 3F 21 FF 13 83 C4 40 E9 B2 BF FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0707; classtype:attempted-user; sid:26071; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"|E0 00 22 01 0B 01 0A 00 00 64 00 00 00 2E 00 00|",fast_pattern; content:"|00 B0 00 00 50 0E 00 00 30 15 00 00 1C 00 00 00|",within 16,distance 112; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-024; classtype:attempted-user; sid:26590; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; content:"|E0 00 22 01 0B 01 0A 00 00 64 00 00 00 2E 00 00|",fast_pattern; content:"|00 B0 00 00 50 0E 00 00 30 15 00 00 1C 00 00 00|",within 16,distance 112; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-024; classtype:attempted-user; sid:26601; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malformed getPropertyLate actioncode attempt"; flow:to_client,established; file_data; content:",|BD 06|J|C6 01 01 80 C6 01 D6 D1 D2|O|97 06 01 D1|`|81 04|g|9D 08|f|9E 08|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3797; classtype:attempted-user; sid:16316; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt"; flow:to_client,established; file_data; content:"|A3 96 56 6C 5B B4 87 59 19 DB B6 A1 6B D8 B5 53 46 59 A7 6B 69 27 43 3C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21535; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"RawDataFrom(new Vector.<Number>(), 0x41414141"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21534; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Actionscript Stage3D null dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|7D B3 D7 78 DB 3A 2A 4D 86 B6 13 34 B8 B5 57 1E 30 E6 35 54 75 3C 1E 57|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21533; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash player ActionScript ASnative function remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ASnative|00|"; content:"|96 16 00 07 03 00 00 00 07 2E 01 00 00 07 3A 08 00 00 07 02 00 00 00 08 02|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0559; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18420; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript flash.geom.Point constructor memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A|flash.geom|06|Matrix|0B|setMaterial"; content:"|05|Point",distance 0; content:"|12|generateFilterRect|0B|applyFilter",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0578; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18503; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash player content parsing execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ROPPayload|08|strToInt|09|shellcode"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,44503; reference:cve,2010-3654; classtype:attempted-user; sid:18992; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player embedded JPG image height overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS"; content:"|FF D8|",distance 0; content:"JFIF",distance 0; content:"|FF C0|",within 256; pcre:"/^...(..)?[\x80-\xff]/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; sid:13300; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A8 15|"; content:"|8C 15|",within 2,distance 40; content:"|BF 14 7F 01 00 00|",within 6,distance 12; content:"|19 13|",within 2,distance 383; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13822; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 15 84 03 00 00|"; content:"|BF 14|D|02 00 00|",within 6,distance 900; content:"?|13 1F 00 00 00|",within 6,distance 640; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13821; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A8 15|"; content:"|BF 15 0C 00 00 00|",within 6,distance 45; content:"|BF 14 7F 01 00 00|",within 6,distance 12; content:"?|13 19 00 00 00|",within 6,distance 383; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13820; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Possible Adobe Flash ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ByteArray",nocase; content:"|04 0C 0C 0C 0C|",within 100; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15729; rev:10; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH string heapspray flash file - likely attack"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"heapspray"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; classtype:attempted-user; sid:23856; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH string heapspray flash file - likely attack"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"heapspray"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:23855; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player X500 DistinguishedName property access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|6B 3E 35 2F D7 02 D4 F0 88 41 EB 67 C7 D7 4F A8 56 8C D8 A7 C4 A5 AE AD E9 15 CF AE F7 E0 74 47|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23131; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player X509 direct instantiation property access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|2F 65 54 07 41 6C AD 12 37 3E 1A 37 A0 D9 F7 60 1F 29 07 AF FD D8 AD ED D7 08 31 52 76 8A 43 A8|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23130; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SecureSocket use without Connect attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3A 58 E6 FB 74 80 30 B8 BF 2C 54 5B F9 4D C8 B2 AB BA 3D 56 1C 6C F7 3D 9D D6 34 A0 52 7E F2 6A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23129; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|E2 41 76 26 4F 70 65 72 61 74 65 64 20 62 79 20 44 6F 53 57 46|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22916; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|74 F2 37 35 34 31 32 32 37 8C 4C 8C A3 B1 E3 E8 F0 22 70 3A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22915; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|FF 0F AA 70 2A B7 17 2A C1 3B 77 35 50 B9 6B 07 17 16 1D 92|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22070; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|11 B3 38 36 87 2D C0 BB 20 72 7C 49 54 35 83 87 FA C3 48 10|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22069; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Video invalid tag type attempt"; flow:to_client,established; file_data; content:"|FB 1A BD E9 6B F4 AE 37 BD 71 2F FA 02 BD EA 6D 5F A0 F4 8C 9D 06 A8 7A 55 CB F6 CC 39 E7 3B DF 9C 3F 7B 8A A4 DF 11 2A FE 88 50 1D A3 CE C2 32 42 E8 BB CA 2F 18 A1 DD D0 1E EC BC EE 1C 36 A6|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0773; classtype:attempted-user; sid:21654; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player MP4 zero length atom attempt"; flow:to_client,established; file_data; content:"|4E 65 74 53 74 72 65 61 6D 09 72 65 70 72 6F 2E 6D 70 34 04 70 6C 61 79 0E 61 64 64 46 72 61 6D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21338; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_server,established; file_data; content:"charAt|08|parseInt|09|writeByte|05|Array"; content:"4657530ACC0500007800055F00000FA000001801004",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20785; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - namelist.xls"; flow:to_server,established; file_data; content:"Q1dTCswFAAB4nE1UbWxTZRQ+t73t+3btKN0YnawgU"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20784; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - dear chu.rar"; flow:to_server,established; file_data; content:"Rar!"; content:"dear chu.doc",within 12,distance 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20783; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - economy.rar"; flow:to_server,established; file_data; content:"Rar!"; content:"Economy.doc",within 11,distance 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20782; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_client,established; file_data; content:"charAt|08|parseInt|09|writeByte|05|Array"; content:"4657530ACC0500007800055F00000FA000001801004",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20781; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - namelist.xls"; flow:to_client,established; file_data; content:"Q1dTCswFAAB4nE1UbWxTZRQ+t73t+3btKN0YnawgU"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20780; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - dear chu.rar"; flow:to_client,established; file_data; content:"Rar!"; content:"dear chu.doc",within 12,distance 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20779; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - economy.rar"; flow:to_client,established; file_data; content:"Rar!"; content:"Economy.doc",within 11,distance 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20778; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash player ActionScript apply function memory corruption attempt"; flow:to_client,established; file_data; content:"|43 57 53 0A 2C 91 00 00 78 9C CD BD 77 60 54 D5 D6 3E 7C F6|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0558; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18418; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_client,established; file_data; content:"|01 00 00 00 08 1C 99 02 00 C4 FE 96 05 00 07 0C F5 4E 15 4C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20131; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D7 F3 DB DF 19 6F DB FC E6 F7 5F CF 2F BF 99 BE|"; content:"|78 F9 BB 3F 7D FD 27 7C F9 FE AB F9 7A 7C E5 D3|",within 16,distance 336; content:"|27 5F FD FC 7D 7D F7 FE 1F FC 7A 6B BF 7C 3F DF|",within 16,distance 288; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19071; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption exploit attempt"; flow:to_client,established; file_data; content:"CWS|09|"; content:"|3D BF CF FB CF 8B D6 E9 EE EA EA EA AA EA EA EA|",within 16,distance 94; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0197; reference:cve,2010-1297; classtype:attempted-admin; sid:19408; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|33 0D 0A 43 57 53 0D 0A 31 0D 0A 0A 0D 0A 33 0D|"; content:"|0D 0A 34 0D 0A FE B3 6F 7D 0D 0A 33 0D 0A FC F1|",within 16,distance 320; content:"|32 0D 0A F5 CB 0D 0A 33 0D 0A 4B 7C F1 0D 0A 34|",within 16,distance 320; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19083; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|64 BF B2 5C 3B 6C 01 CC 94 D8 86 75 E0 13 57 80|"; content:"|00 1C 84 81 C9 80 77 6F 72 6B 50 6F 73 5F 6D 63|",within 16,distance 320; content:"|FD 8D AD 6D 92 AB 5A B5 AF EC 90 2F 1A 4C 2A 01|",within 16,distance 320; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19080; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash authplay.dll memory corruption attempt"; flow:to_client,established; file_data; content:"|94 C5 F6 3F 3E E5 D9 7D 76 53 37 D9 10 62 28 06 8D 44 71|"; content:"|CC F3 6C A1 DC 0F DF DF EB F5 FD E7 8B 99 E7 99 39 73 E6 CC 99|",distance 0; content:"|EE 7E F1 F1 1E E9 C8 72 36 A9 3A 54 1F 2A 1A C4 58 B7 DB|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3654; reference:url,www.adobe.com/support/security/advisories/apsa10-05.html; classtype:attempted-user; sid:17808; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash frame type identifier memory corruption attempt"; flow:to_client,established; file_data; content:"|0B 25 C9 92 0D 21 ED 48 87 65 30 3B 6D E1 D8 B4|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,15332; reference:cve,2005-2628; classtype:attempted-user; sid:17658; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash ASnative command execution attempt"; flow:to_client, established; file_data; content:"|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|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:17606; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player and Reader remote code execution attempt"; flow:to_client,established; file_data; content:"|6C 23 B1 63 9A 87 31 36 CC 6F DD BA 75 7F C7 D0|",depth 160,offset 144; content:"|9F 4E AA 98 1C 24 BF 33 AE 78 A5 58 32 B3 DE 54|",within 16,distance 352; content:"|05 7D 9F EA A8 E5 CA A6 73 4A CE BC 5C 72 65 63|",within 16,distance 240; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2884; reference:url,www.adobe.com/support/security/advisories/apsa10-03.html; classtype:attempted-user; sid:17257; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript intrf_count integer overflow attempt"; flow:to_client,established; file_data; content:"|01 01 02 09 03 80 80 80 80 01 01 02 01 01 04 01 00 03 00 01 01 09|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,35907; reference:cve,2009-1869; classtype:attempted-user; sid:15993; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player invalid object reference code execution attempt"; flow:to_client,established; file_data; content:"|43 57 53 06 40 F3 14 00 78 DA 44 7C 05 58 54 DB F7 F6 1A 66 80 A1 87 54 86 EE EE A1 86 9A A1 41 10 10 A4 2C 44 3A 2C 10 0B 61 08 15 41 10 15 95 52 4A 01 11 15 05 F4 9A A0 A2 5E 95 10 30 08 03|",depth 64; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,33880; reference:cve,2009-0520; classtype:attempted-user; sid:15478; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-FLASH Adobe Flash ActionScript getURL target null reference attempt"; flow:to_server,established; http_uri; content:".swf?",nocase; content:"&TARGET=",within 20,nocase; pcre:"/\x26TARGET\x3d\x5f(blank|parent|top)/si"; content:"&REDIR=javascript",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop; service:http; reference:cve,2012-0772; reference:url,adobe.com/support/security/bulletins/apsb12-07.html; classtype:denial-of-service; sid:21653; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash use-after-free attack attempt"; flow:to_client,established; file_data; content:"|53 68 68 68 20 64 6F 6E 27 74 20 74 65 6C 6C 20 61 6E 79 20 6F 6E 65 20 74 68 69 73 20 69 73 20 61 20 73 65 63 72 65 74 20 6B 65 79 21 16 54 68 65 20 74 72 75 74 68 20 69 73 20 6F 75 74 20 74 68 65 72 65 08 43 4F 4D 50 4C 45 54 45 0B 72 65 6D 6F 76 65 43 68 69 6C 64 0A 55 52 4C 52 65 71 75 65 73 74 30 68 74 74 70|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1297; classtype:attempted-user; sid:16634; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Speex-encoded audio buffer underflow attempt"; flow:to_client,established; file_data; content:"|A9 FC EB C4 44 EA 39 DC C2 E6 7A 38 85 81 71 46 3B 43 B6 E8 69 30 D5 77 47 47 A1 DE 99 B6 32 A2 7B D4 DA AD 90 AF 76 EB F4 B0 8D 3F F2 66 C5 06 3B 18 ED 9C 13 2E 42 BB 18 50 C2 ED D2 AE 33 B2|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2130; reference:url,www.adobe.com/support/security/bulletins/apsb11-26.html; classtype:attempted-user; sid:20181; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript 3 buffer overflow attempt"; flow:to_client,established; file_data; content:"|E9 3F 00 00 00 00 00 00 D0 3F 33 33 33 33 33 33 E3 3F 7B 14 AE 47 E1 7A A4 3F 66 66 66 66 66 66 F6 3F 9A 99 99 99 99 99 B9 3F EB 09 00 07 42 6F 6F 6C 65 61 6E 04 76 6F 69 64 03 69 6E 74 0B 66|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2415; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19683; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|02 61 30 02 61 31 02 61 32 02 61 33 02 61 34 02 61 35 02 61|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,49081; reference:cve,2011-2416; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19682; rev:10; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempet"; flow:to_client,established; file_data; content:"|00|airappinstaller|00|ASnative|00|"; pcre:"/\x00[\x3b\x7c\x26\x60][^\x00]+\x00airappinstaller\x00ASnative\x00/smi"; content:"|99 08|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32896; reference:cve,2008-5499; classtype:attempted-user; sid:15869; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Video invalid tag type attempt"; flow:to_client,established; flowbits:isset,file.flv; file_data; content:"FLV|01|",depth 4; content:"|17|",within 1,distance 9; metadata:policy balanced-ips alert,policy security-ips alert; service:http, imap, pop3; reference:cve,2012-0773; classtype:attempted-user; sid:21655; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt"; flow:to_client,established; file_data; content:"|04 01 08 32 4E 96 04 00 04 01 08 2D 4E 4E 96 09 00 03 49 12 9D 02 00 09 00 96 04 00 04 01 08 08 4E 3E 96 04 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0209; reference:url,www.adobe.com/support/security/bulletins/apsb10-16.html; classtype:attempted-user; sid:17142; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player undefined tag exploit attempt"; flow:to_client,established; file_data; content:"|46 57 53 0A 9A 04 00 00 78 00 03 E8 00 00 0F A0 00 00 E8 01 00 44 11 08 00 00 00 3F 12 69 04 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2214; classtype:attempted-user; sid:18805; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash invalid data precision arbitrary code execution exploit attempt"; flow:to_client,established; file_data; content:"|0C 0C FF C0 00 11 88 00 96 00 71 03 01 11 00 02|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2216; reference:url,www.adobe.com/support/security/bulletins/apsb10-16.html; classtype:attempted-user; sid:17141; rev:7; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash OpenType font memory corruption attempt"; flow:to_server,established; file_data; content:"FWS"; content:"</rdf:RDF>",distance 0; content:"kern",within 500; byte_extract:4,4,kern_offset,relative; content:"OTTO"; byte_test:4,>=,0x10000000,kern_offset,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:23854; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash OpenType font memory corruption attempt"; flow:to_client,established; file_data; content:"FWS"; content:"</rdf:RDF>",distance 0; content:"kern",within 500; byte_extract:4,4,kern_offset,relative; content:"OTTO"; byte_test:4,>=,0x10000000,kern_offset,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:23853; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption exploit attempt"; flow:to_server,established; file_data; content:"CWS|09|"; content:"|3D BF CF FB CF 8B D6 E9 EE EA EA EA AA EA EA EA|",within 16,distance 94; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0197; reference:cve,2010-1297; classtype:attempted-admin; sid:23592; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash use-after-free attack attempt"; flow:to_server,established; file_data; content:"|53 68 68 68 20 64 6F 6E 27 74 20 74 65 6C 6C 20 61 6E 79 20 6F 6E 65 20 74 68 69 73 20 69 73 20 61 20 73 65 63 72 65 74 20 6B 65 79 21 16 54 68 65 20 74 72 75 74 68 20 69 73 20 6F 75 74 20 74 68 65 72 65 08 43 4F 4D 50 4C 45 54 45 0B 72 65 6D 6F 76 65 43 68 69 6C 64 0A 55 52 4C 52 65 71 75 65 73 74 30 68 74 74 70|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-1297; classtype:attempted-user; sid:23579; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_server,established; file_data; content:"|93 1A|FirstCircleBBBBBBBBBBBBBBBBBBBBBBB|06 A6 17 30|BBBBBBBBBBBBBBBBBBBB|90 90 90 90|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:23265; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_client,established; file_data; content:"|93 1A|FirstCircleBBBBBBBBBBBBBBBBBBBBBBB|06 A6 17 30|BBBBBBBBBBBBBBBBBBBB|90 90 90 90|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:23264; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH embedded Shockwave dropper download"; flow:to_client,established; file_data; content:"FWS|09 47 CB 00 00 48 01 40 00 5A 00 00 19 01 00 44 11 08 00 00 00 BF 14 1C CB 00 00 00 00 00 00 00 10 00 2E 00 06 00 80 80 40 94 A8 D0 A0 01 80 80 04 10 00 02 00 00 00 12 12 12 E2 41 30 F0 09|1414141414141414"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-05.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:18543; rev:10; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH embedded Shockwave dropper in email attachment"; flow:to_server,established; file_data; content:"FWS|09 47 CB 00 00 48 01 40 00 5A 00 00 19 01 00 44 11 08 00 00 00 BF 14 1C CB 00 00 00 00 00 00 00 10 00 2E 00 06 00 80 80 40 94 A8 D0 A0 01 80 80 04 10 00 02 00 00 00 12 12 12 E2 41 30 F0 09|1414141414141414"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-05.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:18544; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1E 3E 95 0F 29 8B 36 33 45 A4 1C F6 43 97 12 71 58 FF 44|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:24142; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player Matrix3D integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A3 9D 7B C7 44 71 75 DD F0 26 8A 1F 78 66 64 50 4F 16 95 4A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; reference:url,www.securityfocus.com/archive/1/524143/30/0/threaded; classtype:attempted-user; sid:24244; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player Matrix3D integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|A3 9D 7B C7 44 71 75 DD F0 26 8A 1F 78 66 64 50 4F 16 95 4A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; reference:url,www.securityfocus.com/archive/1/524143/30/0/threaded; classtype:attempted-user; sid:24245; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash null reference JIT compilation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|ED B6 DB 4D 85 68 66 57 89 24 CB 66 92 1D 34 FC 5C A0 CF 32 2A A2 54 46 3C B1 B5 4F 46 7C 26 0F|"; isdataat:!624; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4165; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24362; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash null reference JIT compilation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|ED B6 DB 4D 85 68 66 57 89 24 CB 66 92 1D 34 FC 5C A0 CF 32 2A A2 54 46 3C B1 B5 4F 46 7C 26 0F|"; isdataat:!624; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4165; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24364; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash malformed record stack exhaustion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3F 08 E1 00 00 00 01 00 45 F2 25 F2 20 01 12 A9 12 44 80 02 00 FF FF FF FF FF FF FF FF 00 00 10 15 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4163; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24366; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash malformed record stack exhaustion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3F 08 E1 00 00 00 01 00 45 F2 25 F2 20 01 12 A9 12 44 80 02 00 FF FF FF FF FF FF FF FF 00 00 10 15 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4163; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24367; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|",within 4,distance 2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|",within 3,distance 3; content:"|92|",distance 0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24428; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|",within 4,distance 2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|",within 3,distance 3; content:"|92|",distance 0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24429; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|",within 4,distance 2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|",within 3,distance 3; content:"|94|",distance 0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24430; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|",within 4,distance 2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|",within 3,distance 3; content:"|94|",distance 0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24431; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe OpenAction crafted URI action thru Firefox attempt"; flow:to_client,established; file_data; content:"|2F|OpenAction|20 3C 3C|"; pcre:"/[^\x3e]{0,300}\x2fURI \x28data/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0587; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18447; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B9 6D 3D DC 78 02 AD 3D 79 F8 B8 79 79 00 09 E9 40 4F 6B 5B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24810; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B9 6D 3D DC 78 02 AD 3D 79 F8 B8 79 79 00 09 E9 40 4F 6B 5B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24811; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F5 69 1A 7D 8A 46 9F 5C 64 48 32 9B 52 CC DC 4E 35 EB F5 5F|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24812; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|F5 69 1A 7D 8A 46 9F 5C 64 48 32 9B 52 CC DC 4E 35 EB F5 5F|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24813; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24874; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24875; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 94 90 4E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24876; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 94 90 4E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24877; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Action InitArray stack overflow attempt"; flow:to_client, established; flowbits:isset, file.swf; file_data; content:"|96 05 00 07|"; byte_test:4,>,0x040000,0,relative,little; content:"|42|",within 1,distance 4; metadata:policy balanced-ips drop; service:http, imap, pop3; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24890; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Action InitArray stack overflow attempt"; flow:to_server, established; flowbits:isset, file.swf; file_data; content:"|96 05 00 07|"; byte_test:4,>,0x040000,0,relative,little; content:"|42|",within 1,distance 4; metadata:policy balanced-ips drop; service:smtp; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24893; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF 01 2B 00 00 00 6C 00 01 00 8A 06 06 01 00 67 00 1B 36 1F C9 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5270; reference:url,adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24895; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FF 01 2B 00 00 00 6C 00 01 00 8A 06 06 01 00 67 00 1B 36 1F C9 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5270; reference:url,adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24896; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS",depth 3; content:"|03 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 09 06 00 01 01 01 03|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24980; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"FWS",depth 3; content:"|03 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 09 06 00 01 01 01 03|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24981; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1F 91 C2 5F AC B1 71 4A 7E 99 DA 93 EC A2 6D 53 DF 3C 39 97 4D 2C 1B BF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24982; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1F 91 C2 5F AC B1 71 4A 7E 99 DA 93 EC A2 6D 53 DF 3C 39 97 4D 2C 1B BF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24983; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player index overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|31 33 31 59 CE FD 53 4A 77 B7 30 2C 90 35 63 A4 31 14 C9 76 C9 28 4A 21 55 EC 09 3A 26 62 E5 86|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5676; reference:url,www.adobe.com/support/security/bulletins/apsb12-XX.html; classtype:attempted-user; sid:24985; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player index overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|31 33 31 59 CE FD 53 4A 77 B7 30 2C 90 35 63 A4 31 14 C9 76 C9 28 4A 21 55 EC 09 3A 26 62 E5 86|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5676; reference:url,www.adobe.com/support/security/bulletins/apsb12-XX.html; classtype:attempted-user; sid:24986; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player specially invalid traits structure attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|09 0A 11 D0 30 5E A9 03 D1 68 A9 03 5D 8F 03 4F 8F 03 00 47 00 00 91 03 03 01 09 0A 1D D0 30 5E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5678; classtype:attempted-user; sid:24989; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player specially invalid traits structure attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|09 0A 11 D0 30 5E A9 03 D1 68 A9 03 5D 8F 03 4F 8F 03 00 47 00 00 91 03 03 01 09 0A 1D D0 30 5E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5678; classtype:attempted-user; sid:24990; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player DoInitAction invalid action overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B6 0D 00 04 02 04 03 07 02 00 00 00 04 01 08 07|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-5268; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24991; rev:1; )
+alert tcp any any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player DoInitAction invalid action overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B6 0D 00 04 02 04 03 07 02 00 00 00 04 01 08 07|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-5268; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24992; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-FLASH Adobe Shockwave Flash Flex authoring tool XSS exploit attempt"; flow:to_server,established; http_uri; content:"/EncDecUtils.swf|3F|",fast_pattern; content:"resourceModuleURLs=",nocase; content:"http",within 4,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-2461; reference:url,www.adobe.com/support/security/bulletins/apsb11-25.html; classtype:attempted-admin; sid:20610; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf|file.ole; content:"RegEx"; pcre:"/RegExp?\x23.{0,5}\x28\x3f[^\x29]{0,4}i.*?\x28\x3f\x2d[^\x29]{0,4}i.{0,50}\x7c\x7c/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25676; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; content:"|81 26 B3 45 C4 3F 7F 7F FF AE FD 47 3F 59 BA FD 67 FE ED D7 5E B5 55 6F 3D C2 B7 5E F9 00 BF FD|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25677; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf|file.ole; content:"RegEx"; pcre:"/RegExp?\x23.{0,5}\x28\x3f[^\x29]{0,4}i.*?\x28\x3f\x2d[^\x29]{0,4}i.{0,50}\x7c\x7c/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25678; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_server,established; file_data; content:"|81 26 B3 45 C4 3F 7F 7F FF AE FD 47 3F 59 BA FD 67 FE ED D7 5E B5 55 6F 3D C2 B7 5E F9 00 BF FD|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25679; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player CFF FeatureCount integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf.cff; file_data; content:"|00 7E 00 E2|"; content:"|00 01 00 00|",within 4,distance -10; byte_jump:2,0,relative,post_offset 2; byte_jump:2,0,relative,post_offset 2; content:"|FF FF|",within 2; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0633; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:25681; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player CFF FeatureCount integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf.cff; file_data; content:"|00 7E 00 E2|"; content:"|00 01 00 00|",within 4,distance -10; byte_jump:2,0,relative,post_offset 2; byte_jump:2,0,relative,post_offset 2; content:"|FF FF|",within 2; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0633; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:25683; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player FLV crafted ADPCM stream heap overflow attempt"; flow:to_client,established; flowbits:isset,file.flv; file_data; content:"|46 4C 56 01 05 00 00 00 09 00 00 00 00 09 00 02|",depth 16; content:"|1D 25 00 00 08 42 10 84 21 08 42 10 84 21 08 42|",within 16,distance 560; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,57907; reference:cve,2013-0638; reference:url,www.adobe.com/support/security/bulletins/apsb13-05.html; classtype:attempted-user; sid:25815; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player FLV crafted ADPCM stream heap overflow attempt"; flow:to_server,established; flowbits:isset,file.flv; file_data; content:"|46 4C 56 01 05 00 00 00 09 00 00 00 00 09 00 02|",depth 16; content:"|1D 25 00 00 08 42 10 84 21 08 42 10 84 21 08 42|",within 16,distance 560; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,57907; reference:cve,2013-0638; reference:url,www.adobe.com/support/security/bulletins/apsb13-05.html; classtype:attempted-user; sid:25816; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|02 61 30 02 61 31 02 61 32 02 61 33 02 61 34 02 61 35 02 61|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,49081; reference:cve,2011-2416; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:25835; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; file_data; content:".LoadMovie"; content:"allowscriptaccess=|22|always|22|",distance 0; content:"swLiveConnect=true",distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26000; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; file_data; content:".LoadMovie"; content:"allowscriptaccess=|22|always|22|",distance 0; content:"swLiveConnect=true",distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26001; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D B6 3A 00 00 78 DA 95 7B 09 60 54 C7 91 68 D7 7B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26002; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D B6 3A 00 00 78 DA 95 7B 09 60 54 C7 91 68 D7 7B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26003; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D A3 14 00 00 78 DA 75 37 69 73 1B 57 72 AF E7 7A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26004; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D A3 14 00 00 78 DA 75 37 69 73 1B 57 72 AF E7 7A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26005; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0E BC 03 00 00 78 DA 5D 52 41 6F D3 30 14 B6 93 34|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26006; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0E BC 03 00 00 78 DA 5D 52 41 6F D3 30 14 B6 93 34|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26007; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF-based shellcode download attempt"; flow:to_client,established; file_data; content:"www.mypagex.com/fileshare/questions/"; content:"explorer.exe",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26008; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player SWF-based shellcode download attempt"; flow:to_server,established; file_data; content:"www.mypagex.com/fileshare/questions/"; content:"explorer.exe",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26009; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D7 F3 DB DF 19 6F DB FC E6 F7 5F CF 2F BF 99 BE|"; content:"|78 F9 BB 3F 7D FD 27 7C F9 FE AB F9 7A 7C E5 D3|",within 16,distance 336; content:"|27 5F FD FC 7D 7D F7 FE 1F FC 7A 6B BF 7C 3F DF|",within 16,distance 288; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26110; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"|64 BF B2 5C 3B 6C 01 CC 94 D8 86 75 E0 13 57 80|"; content:"|00 1C 84 81 C9 80 77 6F 72 6B 50 6F 73 5F 6D 63|",within 16,distance 320; content:"|FD 8D AD 6D 92 AB 5A B5 AF EC 90 2F 1A 4C 2A 01|",within 16,distance 320; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26111; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"|33 0D 0A 43 57 53 0D 0A 31 0D 0A 0A 0D 0A 33 0D|"; content:"|0D 0A 34 0D 0A FE B3 6F 7D 0D 0A 33 0D 0A FC F1|",within 16,distance 320; content:"|32 0D 0A F5 CB 0D 0A 33 0D 0A 4B 7C F1 0D 0A 34|",within 16,distance 320; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26112; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe SWF malformed HTML text null dereference attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|92 D1 16 24 43 72 25 53 63 82 93 A2 C2 E1 F0 08|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3329; reference:url,www.adobe.com/support/security/bulletins/apsb13-14.html; classtype:attempted-user; sid:26687; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe SWF malformed HTML text null dereference attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|92 D1 16 24 43 72 25 53 63 82 93 A2 C2 E1 F0 08|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3329; reference:url,www.adobe.com/support/security/bulletins/apsb13-14.html; classtype:attempted-user; sid:26688; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe SWF remote memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|E8 3F 00 00 00 00 00 00 00 00 E9 04 00 04|void|19|promolenta.dat"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,60478; reference:cve,2013-3343; reference:url,www.adobe.com/support/security/bulletins/apsb13-16.html; classtype:attempted-user; sid:26982; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe SWF remote memory corruption attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|E8 3F 00 00 00 00 00 00 00 00 E9 04 00 04|void|19|promolenta.dat"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,60478; reference:cve,2013-3343; reference:url,www.adobe.com/support/security/bulletins/apsb13-16.html; classtype:attempted-user; sid:26983; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|AE D7 46 41 60 D2 E4 25 52 2F 88 38 EA B9 BC D1 1B F2 95 52 B8 2C 8E C7 B4 21 A9 2F 62 26|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27182; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|E5 8C 2E 73 DC 35 EE 09 13 9E 09 87 C3 E9 76 8E C8 1B B9 F2 84 4A 53 90 EB F5 D5 5A 60 BC|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27183; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|CB 74 5E 0D BD 47 57 13 3F E7 55 4F 02 D4 3F D9 8E D3 C4 6E D4 07 3E 41 FD FB E1 4F 63 29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27184; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|AE D7 46 41 60 D2 E4 25 52 2F 88 38 EA B9 BC D1 1B F2 95 52 B8 2C 8E C7 B4 21 A9 2F 62 26|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27185; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|E5 8C 2E 73 DC 35 EE 09 13 9E 09 87 C3 E9 76 8E C8 1B B9 F2 84 4A 53 90 EB F5 D5 5A 60 BC|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27186; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|CB 74 5E 0D BD 47 57 13 3F E7 55 4F 02 D4 3F D9 8E D3 C4 6E D4 07 3E 41 FD FB E1 4F 63 29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27187; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe SWF heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|76 DB E9 F0 AD 26 55 2A C8 BD 68 4C 99 A4 8A D8 6B 7F 9D 15 22 41 05 7B 76 A3 20 2A 54 5C DB A8|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,61045; reference:cve,2013-3345; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27265; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe SWF heap buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|76 DB E9 F0 AD 26 55 2A C8 BD 68 4C 99 A4 8A D8 6B 7F 9D 15 22 41 05 7B 76 A3 20 2A 54 5C DB A8|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,61045; reference:cve,2013-3345; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27266; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash ActionScript user-supplied PCM resampling integer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|88 ED 54 2A 27 AA 96 79 2A EA 47 81 9B 4A 5A A6 46 5C 32 22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,61048; reference:cve,2013-3347; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27267; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-FLASH Adobe Flash ActionScript user-supplied PCM resampling integer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|88 ED 54 2A 27 AA 96 79 2A EA 47 81 9B 4A 5A A6 46 5C 32 22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,61048; reference:cve,2013-3347; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27268; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG video stream file magic detected"; flow:to_client,established; file_data; content:"|00 00 01 B3|",depth 4; flowbits:set,file.mpeg; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20450; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG sys stream file magic detected"; flow:to_client,established; file_data; content:"|00 00 01 BA|",depth 4; flowbits:set,file.mpeg; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20451; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RealNetworks Real Media file magic detected"; flow:to_client,established; file_data; content:".RMF",depth 4; flowbits:set,file.realplayer; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20456; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY GIF file magic detected"; flow:to_client,established; file_data; content:"GIF8",depth 4,fast_pattern; content:"a",within 1,distance 1; flowbits:set,file.gif; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20459; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_client,established; file_data; content:"ID3",depth 3; flowbits:set,file.mp3; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20460; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg Stream file magic detected"; flow:to_client,established; file_data; content:"OggS|00|",depth 5; flowbits:set,file.ogg; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20462; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|"; content:!"|14 00 06 00|",within 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20463; rev:14; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK00PK|03 04|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20464; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|01 02|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20465; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|05 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20466; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 08|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20467; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 07|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20468; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20469; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RIFX file magic detected"; flow:to_client,established; file_data; content:"RIFX",depth 4; flowbits:set,file.dir; flowbits:set,file.swf; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20471; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY ELF file magic detected"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; flowbits:set,file.elf; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20477; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",depth 8; flowbits:set,file.png; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20478; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_client,established; file_data; content:"|FF FB 90|",depth 3; flowbits:set,file.mp3; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20481; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E0|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20483; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E1|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:24455; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF EE|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:24456; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_client,established; file_data; content:"{|5C|rt"; flowbits:set,file.rtf; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20486; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Universal Binary/Java Bytecode file magic detected"; flow:to_client,established; file_data; content:"|CA FE BA BE|",depth 4; flowbits:set,file.universalbinary; flowbits:set,file.class; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20492; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY jarpack file magic detected"; flow:to_client,established; file_data; content:"|CA FE D0 0D|",depth 4; flowbits:set,file.class; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20493; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_client,established; file_data; content:"%PDF-",nocase; flowbits:set,file.pdf; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20494; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY compressed Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"CWS",depth 3; byte_test:1,>=,0x06,0,relative; flowbits:set,file.cws; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20495; rev:14; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"FWS",depth 3; byte_test:1,<,20,0,relative; isdataat:5,relative; content:!"|00 00 00 00|",within 4,distance 1; flowbits:set,file.swf; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20496; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"FLV|01|"; flowbits:set,file.swf; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20497; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"moov",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20500; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"ftyp",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20501; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"mdat",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20502; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"free",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20503; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"XFIR",depth 4; flowbits:set,file.swf; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20507; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY dmg file magic detected"; flow:to_client,established; file_data; content:"ER|02 00|",depth 4; flowbits:set,file.dmg; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20514; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY rmf file download request"; flow:to_server,established; http_uri; content:".rmf",nocase; pcre:"/\x2Ermf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.rmf; flowbits:set,file.realplayer; flowbits:noalert; service:http; classtype:misc-activity; sid:20518; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel xlw file magic detected"; flow:to_client,established; file_data; content:"|09 08 10 00 00 06 00 01|"; flowbits:set,file.xls; flowbits:noalert; service:http; service:imap, pop3; reference:url,sc.openoffice.org/excelfileformat.pdf; classtype:misc-activity; sid:12283; rev:14; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media ASF file magic detected"; flow:to_client,established; file_data; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|",depth 16; flowbits:set,file.asf; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:12454; rev:13; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Works file download request"; flow:to_server,established; http_uri; content:".wps"; pcre:"/\x2ewps([\?\x5c\x2f]|$)/smi"; flowbits:set,file.works; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Microsoft_works; classtype:misc-activity; sid:13465; rev:13; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Publisher file download request"; flow:to_server,established; http_uri; content:".pub"; pcre:"/\x2epub([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pub; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Microsoft_publisher; classtype:misc-activity; sid:13473; rev:16; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft SYmbolic LinK file magic detected"; flow:to_client,established; file_data; content:"ID|3B|P",depth 4,nocase; content:"|0A|",within 3; byte_test:1,>=,0x41,0,relative; byte_test:1,<=,0x7A,0,relative; content:"|3B|",within 4; flowbits:set,file.slk; flowbits:noalert; service:http; service:imap, pop3; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK); reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:13585; rev:14; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RTF file download request"; flow:to_server,established; http_uri; content:".rtf"; pcre:"/\x2ertf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.rtf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:13801; rev:16; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY EPS file download request"; flow:to_server,established; http_uri; content:".eps"; pcre:"/\x2eeps([\?\x5c\x2f]|$)/smi"; flowbits:set,file.eps; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Encapsulated_PostScript; classtype:misc-activity; sid:13983; rev:12; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PDF file download request"; flow:to_server,established; http_uri; content:".pdf"; pcre:"/\x2epdf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pdf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Pdf; classtype:misc-activity; sid:15013; rev:12; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY WAV file download request"; flow:to_server,established; http_uri; content:".wav"; pcre:"/\x2ewav([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wav; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Wav; classtype:misc-activity; sid:15079; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XML Shareable Playlist Format file download request"; flow:to_server,established; http_uri; content:".xspf"; pcre:"/\x2exspf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xspf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Xspf; classtype:misc-activity; sid:15158; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Java .class file download request"; flow:to_server,established; http_uri; content:".class"; pcre:"/\x2eclass([\?\x5c\x2f]|$)/smi"; flowbits:set,file.class; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Java_class_file; classtype:misc-activity; sid:15237; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks RealMedia format file download request"; flow:to_server,established; http_uri; content:".rm"; pcre:"/\x2erm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realmedia; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Realmedia; classtype:misc-activity; sid:15239; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks RealMedia format file download request"; flow:to_server,established; http_uri; content:".rv"; pcre:"/\x2erv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realmedia; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Realmedia; classtype:misc-activity; sid:15240; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Visio file download request"; flow:to_server,established; http_uri; content:".vsd"; pcre:"/\x2evsd([\?\x5c\x2f]|$)/smi"; flowbits:set,file.visio; flowbits:noalert; service:http; classtype:misc-activity; sid:15294; rev:14; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office PowerPoint file download request"; flow:to_server,established; http_uri; content:".ppt"; pcre:"/\x2eppt([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ppt; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Microsoft_PowerPoint; classtype:misc-activity; sid:15586; rev:13; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; http_uri; content:".doc"; pcre:"/\x2edoc([\?\x5c\x2f]|$)/smi"; flowbits:set,file.doc; flowbits:set,file.rtf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:15587; rev:15; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft multimedia format file download request"; flow:to_server,established; http_uri; content:".wma"; pcre:"/\x2ewma([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wma&file.asx; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Windows_Media_Audio; classtype:misc-activity; sid:15921; rev:15; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MP3 file download request"; flow:to_server,established; http_uri; content:".mp3"; pcre:"/\x2emp3([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mp3; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Mp3; classtype:misc-activity; sid:15922; rev:13; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY DXF file download request"; flow:to_server,established; http_uri; content:".dxf"; pcre:"/\x2edxf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dxf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Dxf; classtype:misc-activity; sid:15987; rev:12; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY X PixMap file download request"; flow:to_server,established; http_uri; content:".xpm"; pcre:"/\x2expm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xpm; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/X_PixMap; classtype:misc-activity; sid:16061; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft asf file magic detected"; flow:to_client,established; file_data; content:"0&|B2|u",depth 4; flowbits:set,file.asf; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:16143; rev:17; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY TrueType font file download request"; flow:to_server,established; http_uri; content:".ttf"; pcre:"/\x2ettf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ttf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:16286; rev:12; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpg"; pcre:"/\x2ejpg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16406; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpeg"; pcre:"/\x2ejpeg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16407; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Movie Maker project file download request"; flow:to_server,established; http_uri; content:".mswmm"; pcre:"/\x2emswmm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mswmm; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Windows_Movie_Maker; classtype:misc-activity; sid:16473; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|",within 4,distance 16; flowbits:set,file.oless.v3; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:16474; rev:14; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".pjpeg"; pcre:"/\x2epjpeg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16529; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Media ASX file download request"; flow:to_server,established; http_uri; content:".asx"; pcre:"/\x2easx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Advanced_Stream_Redirector; classtype:misc-activity; sid:17116; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Tiff little endian file magic detected"; flow:to_client,established; file_data; content:"II|2A 00|",depth 4; flowbits:set,file.tiff.little; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:17229; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Tiff big endian file magic detected"; flow:to_client,established; file_data; content:"MM|00 2A|",depth 4; flowbits:set,file.tiff.big; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:17230; rev:17; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Media wmv file download request"; flow:to_server,established; http_uri; content:".wmv"; pcre:"/\x2ewmv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wmv; flowbits:set,file.asf; flowbits:noalert; service:http; classtype:misc-activity; sid:17241; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY OLE document file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:17314; rev:15; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PNG file download request"; flow:to_server,established; http_uri; content:".png"; pcre:"/\x2epng([\?\x5c\x2f]|$)/smi"; flowbits:set,file.png; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:17380; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY GIF file download request"; flow:to_server,established; http_uri; content:".gif"; pcre:"/\x2egif([\?\x5c\x2f]|$)/smi"; flowbits:set,file.gif; flowbits:noalert; service:http; classtype:misc-activity; sid:17394; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY LNK file download request"; flow:to_server,established; http_uri; content:".lnk"; pcre:"/\x2elnk([\?\x5c\x2f]|$)/smi"; flowbits:set,file.lnk; flowbits:noalert; service:http; classtype:misc-activity; sid:17441; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XML file download request"; flow:to_server,established; http_uri; content:".xml"; pcre:"/\x2exml([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xml; flowbits:noalert; service:http; classtype:misc-activity; sid:17733; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY OpenType Font file download request"; flow:to_server,established; http_uri; content:".otf"; pcre:"/\x2eotf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.otf; flowbits:noalert; service:http; classtype:misc-activity; sid:17751; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY QuickDraw/PICT file download request"; flow:to_server,established; http_uri; content:".pct",nocase; pcre:"/\x2epct([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pct; flowbits:noalert; service:http; classtype:misc-activity; sid:18234; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; http_uri; content:".wri"; pcre:"/\x2ewri([\?\x5c\x2f]|$)/smi"; flowbits:set,file.doc; flowbits:noalert; service:http; classtype:misc-activity; sid:18516; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY BitTorrent torrent file download request"; flow:to_server,established; http_uri; content:".torrent"; pcre:"/\x2etorrent([\?\x5c\x2f]|$)/smi"; flowbits:set,file.torrent; flowbits:noalert; service:http; classtype:misc-activity; sid:18593; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file download request"; flow:to_server,established; http_uri; content:".cpe"; pcre:"/\x2ecpe([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cov; flowbits:noalert; service:http; classtype:misc-activity; sid:18675; rev:14; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0|",depth 4; content:"W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|"; flowbits:set,file.xls; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:19166; rev:12; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY ZIP archive file download request"; flow:to_server,established; http_uri; content:".zip"; pcre:"/\x2ezip([\?\x5c\x2f]|$)/smi"; flowbits:set,file.zip; flowbits:noalert; service:http; classtype:misc-activity; sid:19211; rev:12; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file download request"; flow:to_server,established; http_uri; content:".cov"; pcre:"/\x2ecov([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cov; flowbits:noalert; service:http; classtype:misc-activity; sid:19218; rev:14; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SMI file download request"; flow:to_server,established; http_uri; content:".smi"; pcre:"/\x2esmi([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:set,file.dmg; flowbits:noalert; service:http; reference:bugtraq,49149; reference:url,en.wikipedia.org/wiki/SAMI; reference:url,osvdb.org/show/osvdb/74604; classtype:misc-activity; sid:20223; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Publisher file magic detected"; flow:to_client,established; file_data; content:"CHNKINK "; flowbits:set,file.pub; service:http; service:imap, pop3; reference:cve,2006-0001; reference:url,en.wikipedia.org/wiki/Microsoft_publisher; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-054; classtype:misc-activity; sid:8478; rev:14; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft SYmbolic LinK file download request"; flow:to_server,established; http_uri; content:".slk"; pcre:"/\x2eslk([\?\x5c\x2f]|$)/smi"; flowbits:set,file.slk; flowbits:noalert; service:http; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK); reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:13583; rev:18; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Embedded Open Type Font file download request"; flow:to_server,established; http_uri; content:".eot"; pcre:"/\x2eeot([\?\x5c\x2f]|$)/smi"; flowbits:set,file.eot; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Embedded_OpenType; classtype:misc-activity; sid:15518; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XBM image file download request"; flow:to_server,established; http_uri; content:".xbm"; pcre:"/\x2exbm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xbm; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/XBM; classtype:misc-activity; sid:17359; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple disk image file download request"; flow:to_server, established; http_uri; content:".dmg"; pcre:"/\x2edmg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dmg; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Apple_Disk_Image; classtype:misc-activity; sid:17679; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY FlashPix file download request"; flow:to_server, established; http_uri; content:".fpx"; pcre:"/\x2efpx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.fpx; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Fpx; classtype:misc-activity; sid:17739; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe .pfb file download request"; flow:to_server, established; http_uri; content:".pfb"; pcre:"/\x2epfb([\?\x5c\x2f]|$)/smi"; service:http; reference:cve,2008-1806; reference:cve,2008-1807; reference:url,en.wikipedia.org/wiki/Printer_Font_Binary#Printer_Font_Binary; classtype:misc-activity; sid:16552; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows .NET Manifest file download request"; flow:to_server,established; http_uri; content:".manifest"; pcre:"/\x2emanifest([\?\x5c\x2f]|$)/smi"; flowbits:set,file.manifest; flowbits:noalert; service:http; reference:bugtraq,21688; reference:cve,2006-6696; reference:url,en.wikipedia.org/wiki/ASP.NET; classtype:misc-activity; sid:17509; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Visual Basic script file download request"; flow:to_server,established; http_uri; content:".vbs"; pcre:"/\x2evbs([\?\x5c\x2f]|$)/smi"; service:http; reference:url,en.wikipedia.org/wiki/Vbs; classtype:misc-activity; sid:18758; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RealNetworks Realplayer REC file magic detected"; flow:to_client,established; file_data; content:".rec|00|",depth 5; flowbits:set,file.realplayer; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:19128; rev:14; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RealNetworks Realplayer .r1m file magic detected"; flow:to_client,established; file_data; content:".r1m",depth 4; flowbits:set,file.realplayer; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:19129; rev:14; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Cisco Webex wrf file download request"; flow:to_server,established; http_uri; content:".wrf"; pcre:"/\x2ewrf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wrf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Webex; classtype:misc-activity; sid:19224; rev:12; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY language.engtesselate.ln file download request"; flow:to_server,established; http_uri; content:"language.engtesselate.ln"; flowbits:set,file.engtesselate; flowbits:noalert; service:http; classtype:misc-activity; sid:19252; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request"; flow:to_server,established; http_uri; content:".ra"; pcre:"/\x2eram?([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community; service:http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2419; rev:21; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request"; flow:to_server,established; http_uri; content:".rmp"; pcre:"/\x2ermp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community; service:http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2420; rev:20; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request"; flow:to_server,established; http_uri; content:".rt"; pcre:"/\x2ert([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community; service:http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2422; rev:22; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request"; flow:to_server,established; http_uri; content:".rp"; pcre:"/\x2erp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community; service:http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2423; rev:21; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Address Book file magic detected"; flow:to_client,established; file_data; content:"|9C CB CB 8D 13|u|D2 11 91|X|00 C0|OyV|A4|"; metadata:policy security-ips drop; service:http, imap, pop3; reference:cve,2006-2386; reference:url,en.wikipedia.org/wiki/Windows_Address_Book; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-076; classtype:misc-activity; sid:9639; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SMIL file download request"; flow:to_server,established; http_uri; content:".smil"; pcre:"/\x2esmil([\?\x5c\x2f]|$)/smi"; flowbits:set,file.smil; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:17547; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple Quicktime qt file download request"; flow:to_server,established; http_uri; content:".qt"; pcre:"/\x2eqt([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.mov; classtype:misc-activity; sid:17809; rev:12; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MPEG Layer 3 playlist file download request"; flow:to_server,established; http_uri; content:".m3u"; pcre:"/\x2em3u([\?\x5c\x2f]|$)/smi"; flowbits:set,file.m3u; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.m3u; classtype:misc-activity; sid:14017; rev:13; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PLS multimedia playlist file download request"; flow:to_server,established; http_uri; content:".pls"; pcre:"/\x2epls([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pls; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.pls; classtype:misc-activity; sid:14018; rev:13; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; http_uri; content:".xls"; pcre:"/\x2exls([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xls; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.xlsFile_formats; classtype:misc-activity; sid:15463; rev:16; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; http_uri; content:".xlw"; pcre:"/\x2exlw([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xls; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.xlsFile_formats; classtype:misc-activity; sid:15464; rev:18; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".swf"; pcre:"/\x2eswf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:15483; rev:13; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY AVI multimedia file download request"; flow:to_server,established; http_uri; content:".avi"; pcre:"/\x2eavi([\?\x5c\x2f]|$)/smi"; flowbits:set,file.avi; flowbits:set,file.avi.video; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.avi; classtype:misc-activity; sid:15516; rev:13; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MP4 file download request"; flow:to_server,established; http_uri; content:".mp4"; pcre:"/\x2emp4([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:set,file.mp4; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:15865; rev:13; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY 4XM file download request"; flow:to_server,established; http_uri; content:".4xm"; pcre:"/\x2e4xm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.4xm; flowbits:noalert; service:http; reference:url,wiki.multimedia.cx/index.php?title=4xm_Format; classtype:misc-activity; sid:15870; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MOV file download request"; flow:to_server,established; http_uri; content:".mov"; pcre:"/\x2emov([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.mov; classtype:misc-activity; sid:17259; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Pagemaker file download request"; flow:to_server,established; http_uri; content:".pmd"; pcre:"/\x2epmd([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pmd; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.pmd; classtype:misc-activity; sid:17552; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY TIFF file download request"; flow:to_server,established; http_uri; content:".tif"; pcre:"/\x2etif(f)?([\?\x5c\x2f]|$)/smi"; flowbits:set,file.tiff; flowbits:set,file.tiff.big; flowbits:set,file.tiff.little; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.tiff; classtype:misc-activity; sid:17732; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Visual Studio DISCO file download request"; flow:to_server,established; http_uri; content:".disco"; pcre:"/\x2edisco([\?\x5c\x2f]|$)/smi"; service:http; reference:url,msdn.microsoft.com/en-us/library/8k0zafxb(v=vs.80).aspx; classtype:misc-activity; sid:19233; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY M3U file magic detected"; flow:to_client,established; file_data; content:"|23|EXTM3U",depth 7; flowbits:set,file.m3u; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/.m3u; classtype:misc-activity; sid:9845; rev:15; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY CHM file download request"; flow:to_server,established; http_uri; content:".chm"; pcre:"/\x2echm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.chm; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help; classtype:misc-activity; sid:3819; rev:17; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file download request"; flow:to_server,established; http_uri; content:".wmf"; pcre:"/\x2ewmf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wmf; flowbits:noalert; metadata:ruleset community; service:http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:2436; rev:22; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY QCP file download request"; flow:to_server,established; http_uri; content:".qcp"; pcre:"/\x2eqcp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.qcp; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.qcp; classtype:misc-activity; sid:20287; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Director Movie file magic detected"; flow:to_client,established; file_data; content:"Shockwave 3D"; content:"XFIR",depth 4; flowbits:set,file.dir; flowbits:noalert; service:http; service:imap, pop3; reference:url,www.fileinfo.com/extension/dir; classtype:misc-activity; sid:17801; rev:14; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Director Movie file download request"; flow:to_server,established; http_uri; content:".dcr"; pcre:"/\x2edcr([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dir; flowbits:noalert; service:http; reference:url,www.fileinfo.com/extension/dcr; classtype:misc-activity; sid:17802; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XUL file download request"; flow:to_server,established; http_uri; content:".xul"; pcre:"/\x2exul([\?\x5c\x2f]|$)/msi"; flowbits:set,file.xul; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.xul; classtype:misc-activity; sid:17600; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Portable Executable binary file download request"; flow:to_server,established; http_uri; content:".exe"; pcre:"/\x2eexe([\?\x5c\x2f]|$)/smi"; flowbits:set,file.exe; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.exe; classtype:misc-activity; sid:16425; rev:15; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Director Movie file download request"; flow:to_server,established; http_uri; content:".dir"; pcre:"/\x2edir([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dir; flowbits:noalert; service:http; reference:url,www.fileinfo.com/extension/dir; classtype:misc-activity; sid:16219; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Flash Video file magic detected"; flow:to_client,established; file_data; content:"FLV|01|"; content:"|00 00 00 09|",within 4,distance 1; flowbits:set,file.swf; flowbits:set,file.flv; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/.flv; classtype:misc-activity; sid:12182; rev:14; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PICT file magic detected"; flow:to_client,established; file_data; content:"PICT",depth 4; flowbits:set,file.pct; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:19907; rev:9; )
alert tcp $EXTERNAL_NET 554 -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media Player playlist download"; flow:to_client,established; content:"WMS_CONTENT_DESCRIPTION_PLAYLIST_ENTRY_START_OFFSET"; flowbits:set,file.wmp_playlist; flowbits:noalert; classtype:misc-activity; sid:14264; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Flash Player FLV file download request"; flow:to_server,established; http_uri; content:".flv"; pcre:"/\x2eflv([\?\x5c\x2f]|$)/msi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.flv; classtype:misc-activity; sid:20544; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY CDR file download request"; flow:to_server,established; http_uri; content:".cdr"; pcre:"/\x2ecdr([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cdr; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/CorelDRAWCDR_file_format; classtype:misc-activity; sid:20588; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY CDR file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4,fast_pattern; content:"CDR",within 3,distance 4; flowbits:set,file.cdr; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/CorelDRAWCDR_file_format; classtype:misc-activity; sid:20589; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JAR file download request"; flow:to_server,established; http_uri; content:".jar"; pcre:"/\x2ejar([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jar; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20621; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Media Player asf/wmv/wma file magic detected"; flow:to_client,established; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C| Se"; content:" |DB FE 4C F6 55 CF 11 9C 0F 00 A0 C9 03 49 CB|",within 16,distance 8; flowbits:set,file.asf; flowbits:set,file.wmv; flowbits:set,file.wma; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:12972; rev:13; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel file attachment detected"; flow:to_client,established; content:".xls"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exls[\x22\x27\s]/si"; flowbits:set,file.xls; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20792; rev:7; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Excel file attachment detected"; flow:to_server,established; content:".xls"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exls[\x22\x27\s]/si"; flowbits:set,file.xls; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20793; rev:8; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Word file attachment detected"; flow:to_client,established; content:".doc"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edoc[\x22\x27\s]/si"; flowbits:set,file.doc; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20795; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Word file attachment detected"; flow:to_server,established; content:".doc"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edoc[\x22\x27\s]/si"; flowbits:set,file.doc; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20796; rev:7; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".swf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eswf[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20798; rev:7; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".swf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eswf[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20799; rev:8; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Visio file attachment detected"; flow:to_client,established; content:".vsd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2evsd[\x22\x27\s]/si"; flowbits:set,file.visio; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20854; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Visio file attachment detected"; flow:to_server,established; content:".vsd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2evsd[\x22\x27\s]/si"; flowbits:set,file.visio; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20855; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Video Spirit visprj download attempt"; flow:to_server,established; http_uri; content:".visprj",nocase; pcre:"/\x2evisprj([\?\x5c\x2f]|$)/smi"; flowbits:set,file.visprj; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20888; rev:4; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Video Spirit file attachment detected"; flow:to_client,established; content:".visprj"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2evisprj[\x22\x27\s]/si"; flowbits:set,file.visprj; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20893; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Video Spirit file attachment detected"; flow:to_server,established; content:".visprj"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2evisprj[\x22\x27\s]/si"; flowbits:set,file.visprj; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20894; rev:7; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY X PixMap file attachment detected"; flow:to_client,established; content:".xpm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2expm[\x22\x27\s]/si"; flowbits:set,file.xpm; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20905; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY X PixMap file attachment detected"; flow:to_server,established; content:".xpm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2expm[\x22\x27\s]/si"; flowbits:set,file.xpm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20906; rev:6; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY DXF file attachment detected"; flow:to_client,established; content:".dxf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edxf[\x22\x27\s]/si"; flowbits:set,file.dxf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20907; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY DXF file attachment detected"; flow:to_server,established; content:".dxf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edxf[\x22\x27\s]/si"; flowbits:set,file.dxf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20908; rev:5; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media ASF file attachment detected"; flow:to_client,established; content:".asf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2easf[\x22\x27\s]/si"; flowbits:set,file.asf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20909; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Media ASF file attachment detected"; flow:to_server,established; content:".asf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2easf[\x22\x27\s]/si"; flowbits:set,file.asf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20910; rev:6; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY EPS file attachment detected"; flow:to_client,established; content:".eps"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eeps[\x22\x27\s]/si"; flowbits:set,file.eps; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20911; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY EPS file attachment detected"; flow:to_server,established; content:".eps"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eeps[\x22\x27\s]/si"; flowbits:set,file.eps; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20912; rev:6; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XML Shareable Playlist Format file attachment detected"; flow:to_client,established; content:".xspf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exspf[\x22\x27\s]/si"; flowbits:set,file.xspf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20913; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML Shareable Playlist Format file attachment detected"; flow:to_server,established; content:".xspf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exspf[\x22\x27\s]/si"; flowbits:set,file.xspf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20914; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PLS file magic detected"; flow:to_client,established; file_data; content:"[playlist]",depth 11; flowbits:set,file.pls; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20924; rev:6; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Pagemaker file attachment detected"; flow:to_client,established; content:".pmd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epmd[\x22\x27\s]/si"; flowbits:set,file.pmd; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20925; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Pagemaker file attachment detected"; flow:to_server,established; content:".pmd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epmd[\x22\x27\s]/si"; flowbits:set,file.pmd; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20926; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_client,established; file_data; content:"<smil>",depth 6; flowbits:set,file.smil; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:20928; rev:6; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY QCP file attachment detected"; flow:to_client,established; content:".qcp"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eqcp[\x22\x27\s]/si"; flowbits:set,file.qcp; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20935; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY QCP file attachment detected"; flow:to_server,established; content:".qcp"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eqcp[\x22\x27\s]/si"; flowbits:set,file.qcp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20936; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4v"; pcre:"/\x2ef4v([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20937; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4p"; pcre:"/\x2ef4p([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20938; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4a"; pcre:"/\x2ef4a([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20939; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4b"; pcre:"/\x2ef4b([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20940; rev:4; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4v"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4v[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20941; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4v"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4v[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20942; rev:6; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4p"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4p[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20943; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4p"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4p[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20944; rev:6; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4a"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4a[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20945; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4a"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4a[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20946; rev:6; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4b"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4b[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20947; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4b"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4b[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20948; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"moof",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20950; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"mfra",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20951; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"skip",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20952; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"junk",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20953; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"wide",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20954; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"pnot",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20955; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"pict",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20956; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"meta",depth 4,offset 4; content:"hdlr",distance 0; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20957; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"meco",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20958; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"uuid",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20959; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY TTE file download request"; flow:to_server,established; http_uri; content:".tte"; pcre:"/\x2ette([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ttf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:20961; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY OTF file download request"; flow:to_server,established; http_uri; content:".otf"; pcre:"/\x2eotf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ttf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:20962; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SAMI file download request"; flow:to_server,established; http_uri; content:".sami"; pcre:"/\x2esami([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20964; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpe"; pcre:"/\x2ejpe([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20965; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jif"; pcre:"/\x2ejif([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20966; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jfi"; pcre:"/\x2ejfif?([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20967; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple disk image file download request"; flow:to_server, established; http_uri; content:".img"; pcre:"/\x2eimg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dmg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Apple_Disk_Image; classtype:misc-activity; sid:20968; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4A file download request"; flow:to_server,established; http_uri; content:".m4a"; pcre:"/\x2em4a([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20969; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4P file download request"; flow:to_server,established; http_uri; content:".m4p"; pcre:"/\x2em4p([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20970; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4R file download request"; flow:to_server,established; http_uri; content:".m4r"; pcre:"/\x2em4r([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20971; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4V file magic request"; flow:to_server,established; http_uri; content:".m4v"; pcre:"/\x2em4v([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:set,file.m4v; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20972; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4B file download request"; flow:to_server,established; http_uri; content:".m4b"; pcre:"/\x2em4b([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20973; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY 3GP file download request"; flow:to_server,established; http_uri; content:".3gp"; pcre:"/\x2e3gp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20974; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY 3G2 file download request"; flow:to_server,established; http_uri; content:".3g2"; pcre:"/\x2e3g2([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20975; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY K3G file download request"; flow:to_server,established; http_uri; content:".k3g"; pcre:"/\x2ek3g([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20976; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SKM file download request"; flow:to_server,established; http_uri; content:".skm"; pcre:"/\x2eskm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20977; rev:5; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY TTE file attachment detected"; flow:to_client,established; content:".tte"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ette[\x22\x27\s]/si"; flowbits:set,file.ttf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20978; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY TTE file attachment detected"; flow:to_server,established; content:".tte"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ette[\x22\x27\s]/si"; flowbits:set,file.ttf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20979; rev:7; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY OTF file attachment detected"; flow:to_client,established; content:".otf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eotf[\x22\x27\s]/si"; flowbits:set,file.ttf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20980; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY OTF file attachment detected"; flow:to_server,established; content:".otf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eotf[\x22\x27\s]/si"; flowbits:set,file.ttf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20981; rev:7; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected"; flow:to_client,established; content:".ppt"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eppt[\x22\x27\s]/si"; flowbits:set,file.ppt; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20982; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected"; flow:to_server,established; content:".ppt"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eppt[\x22\x27\s]/si"; flowbits:set,file.ppt; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20983; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY TTF file magic detected"; flow:to_client,established; file_data; content:"|00 01 00 00|"; content:"cmap",distance 0,fast_pattern; flowbits:set,file.ttf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20991; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY SAMI file magic detected"; flow:to_client,established; file_data; content:"|3C|SAMI"; flowbits:set,file.smi; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20992; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office PowerPoint file magic detected"; flow:to_client,established; file_data; content:"P|00|o|00|w|00|e|00|r|00|P|00|o|00|i|00|n|00|t|00 20 00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t"; flowbits:isset,file.ppt; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21011; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Visio file magic detected"; flow:established,to_client; file_data; content:"Visio |28|TM|29| Drawing|0D 0A|"; flowbits:set,file.visio; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,office.microsoft.com/en-us/visio/default.aspx; classtype:policy-violation; sid:11835; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Media Player compressed skin download request"; flow:established,to_server; http_uri; content:".wmd",nocase; pcre:"/\x2ewmd([\?\x5c\x2f]|$)/smi"; metadata:service http; reference:bugtraq,25305; reference:cve,2007-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-047; classtype:policy-violation; sid:17546; rev:6; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_client,established; content:".pdf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epdf[\x22\x27\s]/si"; flowbits:set,file.pdf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21035; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_server,established; content:".pdf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epdf[\x22\x27\s]/si"; flowbits:set,file.pdf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21036; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI Video file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"AVI LIST",within 8,distance 4; flowbits:set,file.avi.video; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21059; rev:5; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_client,established; content:".avi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eavi[\x22\x27\s]/si"; flowbits:set,file.avi; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21061; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_server,established; content:".avi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eavi[\x22\x27\s]/si"; flowbits:set,file.avi; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21062; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MPEG video stream file download request"; flow:to_server,established; http_uri; content:".mpeg"; pcre:"/\x2empeg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21109; rev:6; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG video stream file attachment detected"; flow:to_client,established; content:".mpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2empeg[\x22\x27\s]/si"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21110; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MPEG video stream file attachment detected"; flow:to_server,established; content:".mpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2empeg[\x22\x27\s]/si"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21111; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Cisco Webex Player .wrf file magic detected"; flow:to_client,established; file_data; content:"|57 4F 54 46|"; flowbits:set,file.wrf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21113; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY New Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ",depth 2; byte_jump:4,58,relative,little; content:"NE",within 2,distance -64; metadata:service http,service imap,service pop3; reference:url,support.microsoft.com/kb/65122; classtype:misc-activity; sid:21244; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XSL file download request"; flow:to_server,established; http_uri; content:".xsl"; pcre:"/\x2exsl([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xml; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21282; rev:3; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_client,established; content:".xsl"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exsl[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21283; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_server,established; content:".xsl"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exsl[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21284; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XSLT file download request"; flow:to_server,established; http_uri; content:".xslt"; pcre:"/\x2exslt([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xml; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21285; rev:3; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_client,established; content:".xslt"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exslt[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21286; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_server,established; content:".xslt"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exslt[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21287; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML download detected"; flow:to_client,established; http_header; content:"Content-Type|3A|",nocase; content:"text/xml",within 20,fast_pattern,nocase; flowbits:set,file.xml; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21288; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY paq8o file download request"; flow:to_server,established; http_uri; content:".paq8o"; pcre:"/\x2epaq8o([\?\x5c\x2f]|$)/smi"; flowbits:set,file.zip; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21410; rev:4; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_client,established; content:".paq8o"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epaq8o[\x22\x27\s]/si"; flowbits:set,file.zip; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21411; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_server,established; content:".paq8o"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epaq8o[\x22\x27\s]/si"; flowbits:set,file.zip; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21412; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows CHM file magic detected"; flow:to_client,established; file_data; content:"ITSF",depth 4; content:"ITSP",within 112; flowbits:set,file.chm; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,13953; reference:cve,2005-1208; reference:nessus,18482; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-026; classtype:attempted-user; sid:3820; rev:17; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY CHM file attachment detected"; flow:to_client,established; content:".chm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2echm[\x22\x27\s]/si"; flowbits:set,file.chm; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21478; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY CHM file attachment detected"; flow:to_server,established; content:".chm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2echm[\x22\x27\s]/si"; flowbits:set,file.chm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21479; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<xml>",depth 50,nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21480; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<?xml",depth 50,nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21498; rev:4; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_client,established; content:".xml"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exml[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21499; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_server,established; content:".xml"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exml[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21500; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Media Player compressed skin download request"; flow:established,to_server; http_uri; content:".wmz",nocase; pcre:"/\x2ewmz([\?\x5c\x2f]|$)/smi"; metadata:service http; reference:bugtraq,25305; reference:cve,2007-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-047; classtype:misc-activity; sid:12278; rev:10; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_client,established; content:".png"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epng[\x22\x27\s]/si"; flowbits:set,file.png; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21613; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_server,established; content:".png"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epng[\x22\x27\s]/si"; flowbits:set,file.png; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21614; rev:3; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY WMF file attachment detected"; flow:to_client,established; content:".wmf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ewmf[\x22\x27\s]/si"; flowbits:set,file.wmf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21615; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY WMF file attachment detected"; flow:to_server,established; content:".wmf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ewmf[\x22\x27\s]/si"; flowbits:set,file.wmf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21616; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY WAV file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"WAVE",within 4,distance 4; flowbits:set,file.wav; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21620; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"AVI ",within 4,distance 4; flowbits:set,file.avi; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21621; rev:3; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_client,established; content:".pct",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epct[\x22\x27\s]/si"; flowbits:set,file.pct; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21648; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_server,established; content:".pct",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epct[\x22\x27\s]/si"; flowbits:set,file.pct; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21649; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY QuickDraw/PICT file download request"; flow:to_server,established; http_uri; content:".pict"; pcre:"/\x2epict([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pct; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21650; rev:3; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_client,established; content:".pict",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epict[\x22\x27\s]/si"; flowbits:set,file.pct; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21651; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_server,established; content:".pict",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epict[\x22\x27\s]/si"; flowbits:set,file.pct; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21652; rev:3; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PLS file attachment detected"; flow:to_client,established; content:".pls"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epls[\x22\x27\s]/si"; flowbits:set,file.pls; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21687; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PLS file attachment detected"; flow:to_server,established; content:".pls"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epls[\x22\x27\s]/si"; flowbits:set,file.pls; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21688; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY SMIL file attachment detected"; flow:to_client,established; content:".smil"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esmil[\x22\x27\s]/si"; flowbits:set,file.smil; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21691; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SMIL file attachment detected"; flow:to_server,established; content:".smil"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esmil[\x22\x27\s]/si"; flowbits:set,file.smil; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21692; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_client,established; content:".smi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esmi[\x22\x27\s]/si"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21695; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_server,established; content:".smi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esmi[\x22\x27\s]/si"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21696; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_client,established; content:".sami"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esami[\x22\x27\s]/si"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21697; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_server,established; content:".sami"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esami[\x22\x27\s]/si"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21698; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel xlw file attachment detected"; flow:to_client,established; content:".xlw"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exlw[\x22\x27\s]/si"; flowbits:set,file.xls; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21699; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Excel xlw file attachment detected"; flow:to_server,established; content:".xlw"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exlw[\x22\x27\s]/si"; flowbits:set,file.xls; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21700; rev:5; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY FlashPix file attachment detected"; flow:to_client,established; content:".fpx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2efpx[\x22\x27\s]/si"; flowbits:set,file.fpx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21701; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY FlashPix file attachment detected"; flow:to_server,established; content:".fpx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2efpx[\x22\x27\s]/si"; flowbits:set,file.fpx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21702; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY 4XM file attachment detected"; flow:to_client,established; content:".4xm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2e4xm[\x22\x27\s]/si"; flowbits:set,file.4xm; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21703; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY 4XM file attachment detected"; flow:to_server,established; content:".4xm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2e4xm[\x22\x27\s]/si"; flowbits:set,file.4xm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21704; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY BitTorrent torrent file attachment detected"; flow:to_client,established; content:".torrent"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2etorrent[\x22\x27\s]/si"; flowbits:set,file.torrent; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21705; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY BitTorrent torrent file attachment detected"; flow:to_server,established; content:".torrent"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2etorrent[\x22\x27\s]/si"; flowbits:set,file.torrent; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21706; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PFA file download request"; flow:to_server,established; http_uri; content:".pfa"; pcre:"/\x2epfa([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21711; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PFA file magic detected"; flow:to_client,established; file_data; content:"%!PS-AdobeFont-1.0"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21712; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PFA file attachment detected"; flow:to_client,established; content:".pfa"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfa[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21713; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PFA file attachment detected"; flow:to_server,established; content:".pfa"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfa[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21714; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PFB file download request"; flow:to_server,established; http_uri; content:".pfb"; pcre:"/\x2epfb([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21715; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PFB file attachment detected"; flow:to_client,established; content:".pfb"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfb[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21716; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PFB file attachment detected"; flow:to_server,established; content:".pfb"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfb[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21717; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PFM file download request"; flow:to_server,established; http_uri; content:".pfm"; pcre:"/\x2epfm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21718; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PFM file attachment detected"; flow:to_client,established; content:".pfm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfm[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21719; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PFM file attachment detected"; flow:to_server,established; content:".pfm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfm[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21720; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY AFM file download request"; flow:to_server,established; http_uri; content:".afm"; pcre:"/\x2eafm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21721; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY AFM file attachment detected"; flow:to_client,established; content:".afm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eafm[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21722; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY AFM file attachment detected"; flow:to_server,established; content:".afm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eafm[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21723; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY ANI file download request"; flow:to_server,established; http_uri; content:".ani"; pcre:"/\x2eani([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ani; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21724; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_client,established; content:".ani"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eani[\x22\x27\s]/si"; flowbits:set,file.ani; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21725; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_server,established; content:".ani"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eani[\x22\x27\s]/si"; flowbits:set,file.ani; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21726; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY ANI file magic detection"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"ACON",within 4,distance 4; flowbits:set,file.ani; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21727; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21728; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21729; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpeg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21730; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpeg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21731; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".pjpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epjpeg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21732; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".pjpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epjpeg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21733; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpe[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21734; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpe[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21735; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jif"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejif[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21736; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jif"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejif[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21737; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jfi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejfif?[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21738; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jfi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejfif?[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21739; rev:3; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media asx file attachment detected"; flow:to_client,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2easx[\x22\x27\s]/si"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21740; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Media asx file attachment detected"; flow:to_server,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2easx[\x22\x27\s]/si"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21741; rev:3; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Embedded Open Type Font file attachment detected"; flow:to_client,established; content:".eot"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eeot[\x22\x27\s]/si"; flowbits:set,file.eot; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21742; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Embedded Open Type Font file attachment detected"; flow:to_server,established; content:".eot"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eeot[\x22\x27\s]/si"; flowbits:set,file.eot; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21743; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_client,established; content:".avi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eavi[\x22\x27\s]/si"; flowbits:set,file.avi; flowbits:set,file.avi.video; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21744; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_server,established; content:".avi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eavi[\x22\x27\s]/si"; flowbits:set,file.avi; flowbits:set,file.avi.video; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21745; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_client,established; content:".rtf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ertf[\x22\x27\s]/si"; flowbits:set,file.rtf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21746; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_server,established; content:".rtf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ertf[\x22\x27\s]/si"; flowbits:set,file.rtf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21747; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY HPJ file download request"; flow:to_server,established; http_uri; content:".hpj"; pcre:"/\x2ehpj([\?\x5c\x2f]|$)/smi"; flowbits:set,file.hpj; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21748; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY HPJ file attachment detected"; flow:to_client,established; content:".hpj"; content:"Content-Disposition: attachment|3b|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ehpj[\x22\x27\s]/si"; flowbits:set,file.hpj; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21749; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY HPJ file attachment detected"; flow:to_server,established; content:".hpj"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ehpj[\x22\x27\s]/si"; flowbits:set,file.hpj; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21750; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY HPJ file magic detected"; flow:to_client,established; file_data; content:"[OPTIONS]"; flowbits:set,file.hpj; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21751; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY LNK file attachment detected"; flow:to_client,established; content:".lnk"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2elnk[\x22\x27\s]/si"; flowbits:set,file.lnk; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21854; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY LNK file attachment detected"; flow:to_server,established; content:".lnk"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2elnk[\x22\x27\s]/si"; flowbits:set,file.lnk; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21855; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_client,established; content:".zip"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; flowbits:set,file.zip; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21856; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; content:".zip"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; flowbits:set,file.zip; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21857; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY WRF file attachment detected"; flow:to_client,established; content:".wrf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ewrf[\x22\x27\s]/si"; flowbits:set,file.wrf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21861; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY WRF file attachment detected"; flow:to_server,established; content:".wrf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ewrf[\x22\x27\s]/si"; flowbits:set,file.wrf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21862; rev:5; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_client,established; content:".cov"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ecov[\x22\x27\s]/si"; flowbits:set,file.cov; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21865; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_server,established; content:".cov"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ecov[\x22\x27\s]/si"; flowbits:set,file.cov; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21866; rev:5; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_client,established; content:".cpe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ecpe[\x22\x27\s]/si"; flowbits:set,file.cov; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21867; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_server,established; content:".cpe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ecpe[\x22\x27\s]/si"; flowbits:set,file.cov; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21868; rev:5; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY GIF file attachment detected"; flow:to_client,established; content:".gif"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2egif[\x22\x27\s]/si"; flowbits:set,file.gif; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21872; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY GIF file attachment detected"; flow:to_server,established; content:".gif"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2egif[\x22\x27\s]/si"; flowbits:set,file.gif; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21873; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Publisher file attachment detected"; flow:to_client,established; content:".pub"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epub[\x22\x27\s]/si"; flowbits:set,file.pub; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21884; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Publisher file attachment detected"; flow:to_server,established; content:".pub"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epub[\x22\x27\s]/si"; flowbits:set,file.pub; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21885; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY OpenType Font file attachment detected"; flow:to_client,established; content:".otf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eotf[\x22\x27\s]/si"; flowbits:set,file.otf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21886; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY OpenType Font file attachment detected"; flow:to_server,established; content:".otf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eotf[\x22\x27\s]/si"; flowbits:set,file.otf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21887; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Movie Maker file attachment detected"; flow:to_client,established; content:".mswmm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2emswmm[\x22\x27\s]/si"; flowbits:set,file.mswmm; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21888; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Movie Maker file attachment detected"; flow:to_server,established; content:".mswmm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2emswmm[\x22\x27\s]/si"; flowbits:set,file.mswmm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21889; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_client,established; content:".dcr"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edcr[\x22\x27\s]/si"; flowbits:set,file.dir; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21890; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_server,established; content:".dcr"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edcr[\x22\x27\s]/si"; flowbits:set,file.dir; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21891; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_client,established; content:".dir"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edir[\x22\x27\s]/si"; flowbits:set,file.dir; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21892; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_server,established; content:".dir"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edir[\x22\x27\s]/si"; flowbits:set,file.dir; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21893; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_client,established; content:".exe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eexe[\x22\x27\s]/si"; flowbits:set,file.exe; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21908; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_server,established; content:".exe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eexe[\x22\x27\s]/si"; flowbits:set,file.exe; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21909; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY OpenType Font file magic detection"; flow:to_client,established; file_data; content:"OTTO",depth 4; flowbits:set,file.otf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21999; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Visual Basic v6.0 - additional file magic detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 25|"; content:"|68|",within 1,distance 4; content:"|E8|",within 1,distance 4; content:"|FF FF FF|",within 3,distance 1; content:"|30|",within 1,distance 6; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:22002; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file download request"; flow:to_server,established; http_uri; content:".vap"; pcre:"/\x2evap([\?\x5c\x2f]|$)/smi"; flowbits:set,file.vap; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:22025; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file attachment detected"; flow:to_client,established; content:".vap"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2evap\x22/i"; flowbits:set,file.vap; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:22026; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file attachment detected"; flow:to_server,established; content:".vap"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2evap\x22/i"; flowbits:set,file.vap; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22027; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file magic detected"; flow:to_client,established; file_data; content:"Microsoft Developer Studio Project File - Analyzer Project"; flowbits:set,file.vap; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:22028; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG Layer 3 playlist file attachment detected"; flow:to_client,established; content:".m3u"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2em3u\x22/i"; flowbits:set,file.m3u; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:22971; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MPEG Layer 3 playlist file attachment detected"; flow:to_server,established; content:".m3u"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2em3u[\x22\x27\s]/si"; flowbits:set,file.m3u; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22972; rev:4; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MP4 file attachment detected"; flow:to_client,established; content:".mp4"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emp4\x22/i"; flowbits:set,file.mp4; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:22993; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MP4 file attachment detected"; flow:to_server,established; content:".mp4"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emp4\x22/i"; flowbits:set,file.mp4; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22994; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Metafile wmf file magic detected"; flow:to_client,established; file_data; content:"|00 09 00 00 03|",depth 6; flowbits:set,file.wmf; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:22999; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY download of RMF file - potentially malicious"; flow:established,to_client; file_data; content:"IREZ",depth 4; content:"MThd",distance 0; flowbits:set,file.rmf; metadata:policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,39077; reference:cve,2010-0842; classtype:misc-activity; sid:17106; rev:7; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Lotus 123 file attachment"; flow:to_server,established; content:".123"; content:"Content-Disposition|3A| attachment|3B|"; pcre:"/filename\s*=[^\n]*\.123/si"; metadata:policy security-ips drop,service smtp; reference:bugtraq,26200; reference:bugtraq,27835; reference:cve,2007-4222; reference:cve,2007-6593; reference:url,www-1.ibm.com/support/docview.wss?uid=swg21285600; reference:url,www.coresecurity.com/index.php5?action=item&id=2008; classtype:suspicious-filename-detect; sid:12807; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MPG video stream file download request"; flow:to_server,established; http_uri; content:".mpg",nocase; pcre:"/\x2empg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23167; rev:4; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MPG video stream file attachment detected"; flow:to_client,established; content:".mpg"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2empg\x22/i"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23168; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MPG video stream file attachment detected"; flow:to_server,established; content:".mpg"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2empg\x22/i"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23169; rev:4; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wma"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewma\x22/i"; flowbits:set,file.asx&file.wma; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23188; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wma"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewma\x22/i"; flowbits:set,file.asx&file.wma; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23189; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wmv",nocase; pcre:"/\x2ewmv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23190; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wmv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewmv\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23191; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wmv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewmv\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23192; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wm",nocase; pcre:"/\x2ewm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23193; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wm"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewm\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23194; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wm"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewm\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23195; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wax",nocase; pcre:"/\x2ewax([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23196; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wax"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewax\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23197; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wax"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewax\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23198; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wvx",nocase; pcre:"/\x2ewvx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23199; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wvx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewvx\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23200; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wvx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewvx\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23201; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".asx",nocase; pcre:"/\x2easx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23202; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2easx\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23203; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2easx\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23204; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wmx",nocase; pcre:"/\x2ewmx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23205; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wmx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewmx\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23206; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wmx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewmx\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23207; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY TAR file magic detected"; flow:to_client,established; file_data; content:"ustar",depth 5,offset 257; flowbits:set,file.tar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:23322; rev:3; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Java .class file attachment detected"; flow:to_client,established; content:".class"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eclass\x22/i"; flowbits:set,file.class; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23637; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Java .class file attachment detected"; flow:to_server,established; content:".class"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eclass\x22/i"; flowbits:set,file.class; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23638; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MPEG video stream file magic detected"; flow:to_server,established; file_data; content:"|00 00 01 B3|",depth 4; flowbits:set,file.mpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23639; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MPEG sys stream file magic detected"; flow:to_server,established; file_data; content:"|00 00 01 BA|",depth 4; flowbits:set,file.mpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23640; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RealNetworks Real Media file magic detected"; flow:to_server,established; file_data; content:".RMF",depth 4; flowbits:set,file.realplayer; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23645; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY GIF file magic detected"; flow:to_server,established; file_data; content:"GIF8",depth 4,fast_pattern; content:"a",within 1,distance 1; flowbits:set,file.gif; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23647; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_server,established; file_data; content:"ID3",depth 3; flowbits:set,file.mp3; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23648; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg Stream file magic detected"; flow:to_server,established; file_data; content:"OggS|00|",depth 5; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23650; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|",depth 4; content:!"|14 00 06 00|",within 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23651; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK00PK|03 04|",depth 8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23652; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23653; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23654; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23655; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 07|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23656; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23657; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RIFX file magic detected"; flow:to_server,established; file_data; content:"RIFX",depth 4; flowbits:set,file.dir; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23658; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY ELF file magic detected"; flow:to_server,established; file_data; content:"|7F|ELF",depth 4; flowbits:set,file.elf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23663; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",depth 8; flowbits:set,file.png; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23664; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_server,established; file_data; content:"|FF FB 90|",depth 3; flowbits:set,file.mp3; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23666; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23667; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24457; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF EE|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24458; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_server,established; file_data; content:"{|5C|rt"; flowbits:set,file.rtf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23670; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Universal Binary/Java Bytecode file magic detected"; flow:to_server,established; file_data; content:"|CA FE BA BE|",depth 4; flowbits:set,file.universalbinary; flowbits:set,file.class; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23676; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY jarpack file magic detected"; flow:to_server,established; file_data; content:"|CA FE D0 0D|",depth 4; flowbits:set,file.class; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23677; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_server,established; file_data; content:"%PDF-",nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23678; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY compressed Adobe Shockwave Flash file magic detected"; flow:to_server,established; file_data; content:"CWS",depth 3; byte_test:1,>=,0x06,0,relative; flowbits:set,file.cws; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23679; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_server,established; file_data; content:"FWS"; byte_test:1,<,20,0,relative; isdataat:5,relative; content:!"|00 00 00 00|",within 4,distance 1; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23680; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Flash Video FLV file magic detected"; flow:to_server,established; file_data; content:"FLV|01|"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23681; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"moov",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23682; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"ftyp",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23683; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"mdat",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23684; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"free",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23685; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Director XFIR file magic detected"; flow:to_server,established; file_data; content:"XFIR",depth 4; flowbits:set,file.dir; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23687; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY dmg file magic detected"; flow:to_server,established; file_data; content:"ER|02 00|",depth 4; flowbits:set,file.dmg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23691; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Excel xlw file magic detected"; flow:to_server,established; file_data; content:"|09 08 10 00 00 06 00 01|"; flowbits:set,file.xls; flowbits:noalert; metadata:service smtp; reference:url,sc.openoffice.org/excelfileformat.pdf; classtype:misc-activity; sid:23697; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Media ASF file magic detected"; flow:to_server,established; file_data; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|",depth 16; flowbits:set,file.asf; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:23698; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft SYmbolic LinK file magic detected"; flow:to_server,established; file_data; content:"ID|3B|P",depth 4,nocase; content:"|0A|",within 3; byte_test:1,>=,0x41,0,relative; byte_test:1,<=,0x7A,0,relative; content:"|3B|",within 4; flowbits:set,file.slk; flowbits:noalert; metadata:service smtp; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK); reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:23701; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft asf file magic detected"; flow:to_server,established; file_data; content:"0&|B2|u",depth 4; flowbits:set,file.asf; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:23703; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|",within 4,distance 16; flowbits:set,file.oless.v3; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23707; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Tiff little endian file magic detected"; flow:to_server,established; file_data; content:"II|2A 00|",depth 4; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:23709; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Tiff big endian file magic detected"; flow:to_server,established; file_data; content:"MM|00 2A|",depth 4; flowbits:set,file.tiff.big; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:23710; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY OLE Document file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23711; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Excel file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0|",depth 4; content:"W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|",distance 0,fast_pattern; flowbits:set,file.xls; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23712; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Publisher file magic detected"; flow:to_server,established; file_data; content:"CHNKINK "; flowbits:set,file.pub; metadata:service smtp; reference:cve,2006-0001; reference:url,en.wikipedia.org/wiki/Microsoft_publisher; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-054; classtype:misc-activity; sid:23714; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Access JSDB file magic detected"; flow:to_server,established; file_data; content:"Jet System DB"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/advisory/950627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:23716; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Access TJDB file magic detected"; flow:to_server,established; file_data; content:"Temp Jet DB"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/advisory/950627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:23717; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Access MSISAM file magic detected"; flow:to_server,established; file_data; content:"MSISAM Database"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/advisory/950627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:23718; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RealNetworks Realplayer REC file magic detected"; flow:to_server,established; file_data; content:".rec|00|",depth 5; flowbits:set,file.realplayer; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:23720; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RealNetworks Realplayer .r1m file magic detected"; flow:to_server,established; file_data; content:".r1m",depth 4; flowbits:set,file.realplayer; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:23721; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY M3U file magic detected"; flow:to_server,established; file_data; content:"|23|EXTM3U",depth 7; flowbits:set,file.m3u; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.m3u; classtype:misc-activity; sid:23723; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Director Movie file magic detected"; flow:to_server,established; file_data; content:"Shockwave 3D"; content:"XFIR",depth 4; flowbits:set,file.dir; flowbits:noalert; metadata:service smtp; reference:url,www.fileinfo.com/extension/dir; classtype:misc-activity; sid:23724; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; flowbits:set,file.exe; metadata:service smtp; classtype:misc-activity; sid:23725; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Flash Video file magic detected"; flow:to_server,established; file_data; content:"FLV|01|"; content:"|00 00 00 09|",within 4,distance 1; flowbits:set,file.swf; flowbits:set,file.flv; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.flv; classtype:misc-activity; sid:23727; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PICT file magic detected"; flow:to_server,established; file_data; content:"PICT",depth 4; flowbits:set,file.pct; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23729; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY CDR file magic detected"; flow:to_server,established; file_data; content:"RIFF",depth 4,fast_pattern; content:"CDR",within 3,distance 4; flowbits:set,file.cdr; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/CorelDRAWCDR_file_format; classtype:misc-activity; sid:23731; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Media Player .asf file magic detected"; flow:to_server,established; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C| Se"; content:" |DB FE FC F6 55 CF 11 9C 0F 00 A0 C9 03 49 CB|",within 16,distance 8; flowbits:set,file.asf; flowbits:set,file.wmv; flowbits:set,file.wma; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23732; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PLS file magic detected"; flow:to_server,established; file_data; content:"[playlist]",depth 11; flowbits:set,file.pls; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23736; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_server,established; file_data; content:"<smil>",depth 6; flowbits:set,file.smil; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:23737; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"moof",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23738; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"mfra",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23739; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"skip",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23740; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"junk",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23741; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"wide",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23742; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"pnot",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23743; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"pict",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23744; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"meta",depth 4,offset 4; content:"hdlr",distance 0; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23745; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"meco",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23746; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"uuid",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23747; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY TTF file magic detected"; flow:to_server,established; file_data; content:"|00 01 00 00|"; content:"cmap",distance 0; flowbits:set,file.ttf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23748; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SAMI file magic detected"; flow:to_server,established; file_data; content:"|3C|SAMI"; flowbits:set,file.smi; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23749; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Visio file magic detected"; flow:established,to_server; file_data; content:"Visio |28|TM|29| Drawing|0D 0A|"; flowbits:set,file.visio; flowbits:noalert; metadata:service smtp; reference:url,office.microsoft.com/en-us/visio/default.aspx; classtype:policy-violation; sid:23753; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY AVI Video file magic detected"; flow:to_server,established; file_data; content:"RIFF",depth 4; content:"AVI LIST",within 8,distance 4; flowbits:set,file.avi.video; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23754; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Cisco Webex Player .wrf file magic detected"; flow:to_server,established; file_data; content:"|57 4F 54 46|"; flowbits:set,file.wrf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23755; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows CHM file magic detected"; flow:to_server,established; content:"ITSF",depth 4; content:"ITSP",within 112; flowbits:set,file.chm; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:bugtraq,13953; reference:cve,2005-1208; reference:nessus,18482; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-026; classtype:attempted-user; sid:23757; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"<xml>",depth 50,nocase; flowbits:set,file.xml; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23758; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"<?xml",depth 50,nocase; flowbits:set,file.xml; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23759; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY WAV file magic detected"; flow:to_server,established; file_data; content:"RIFF",depth 4; content:"WAVE",within 4,distance 4; flowbits:set,file.wav; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23760; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY AVI file magic detected"; flow:to_server,established; file_data; content:"RIFF",depth 4; content:"AVI ",within 4,distance 4; flowbits:set,file.avi; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23761; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PFA file magic detected"; flow:to_server,established; file_data; content:"%!PS-AdobeFont-1.0"; flowbits:set,file.psfont; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23762; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY HPJ file magic detected"; flow:to_server,established; file_data; content:"[OPTIONS]"; flowbits:set,file.hpj; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23763; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file magic detected"; flow:to_server,established; file_data; content:"Microsoft Developer Studio Project File - Analyzer Project"; flowbits:set,file.vap; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23772; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MP3 file download request"; flow:to_server,established; http_uri; content:".mp3"; pcre:"/\x2emp3([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mp3; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24074; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MP3 file attachment detected"; flow:to_client,established; content:".mp3"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emp3\x22/i"; flowbits:set,file.mp3; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24075; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MP3 file attachment detected"; flow:to_server,established; content:".mp3"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emp3\x22/i"; flowbits:set,file.mp3; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24076; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY RMF file attachment detected"; flow:to_client,established; content:".rmf"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ermf\x22/i"; flowbits:set,file.rmf; flowbits:set,file.realplayer; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24078; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RMF file attachment detected"; flow:to_server,established; content:".rmf"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ermf\x22/i"; flowbits:set,file.rmf; flowbits:set,file.realplayer; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24079; rev:4; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Works file attachment detected"; flow:to_client,established; content:".wps"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewps\x22/i"; flowbits:set,file.works; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24080; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Works file attachment detected"; flow:to_server,established; content:".wps"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewps\x22/i"; flowbits:set,file.works; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24081; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY X PixMap file magic detected"; flow:to_client,established; file_data; content:"/* XPM */",depth 9; flowbits:set,file.xpm; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24190; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP4 file magic detected"; flow:to_client,established; file_data; content:"ftypmp4",depth 7,offset 4; flowbits:set,file.mp4; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24213; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_client,established; file_data; content:"SMILtext",depth 8; flowbits:set,file.smil; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:24218; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_server,established; file_data; content:"SMILtext",depth 8; flowbits:set,file.smil; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:24219; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY TIFF file attachment detected"; flow:to_client,established; content:".tif"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2etiff?\x22/i"; flowbits:set,file.tiff; flowbits:set,file.tiff.big; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24463; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY TIFF file attachment detected"; flow:to_server,established; content:".tif"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2etiff?\x22/i"; flowbits:set,file.tiff; flowbits:set,file.tiff.big; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24464; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_server,established; file_data; content:"|00 09 00 00 03|",depth 6; flowbits:set,file.wmf; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:24465; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY FLV file attachment detected"; flow:to_client,established; content:".flv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eflv\x22/i"; flowbits:set,file.flv; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24472; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY FLV file attachment detected"; flow:to_server,established; content:".flv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eflv\x22/i"; flowbits:set,file.flv; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24473; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Embedded Open Type Font file magic detected"; flow:to_client,established; file_data; content:"|90 01 00 00 00 00 4C 50|",depth 8,offset 28; content:"|00|",within 1,distance 49; flowbits:set,file.eot; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Embedded_OpenType; classtype:misc-activity; sid:24483; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Embedded Open Type Font file magic detected"; flow:to_server,established; file_data; content:"|90 01 00 00 00 00 4C 50|",depth 8,offset 28; content:"|00|",within 1,distance 49; flowbits:set,file.eot; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Embedded_OpenType; classtype:misc-activity; sid:24484; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY rmf file download request"; flow:established,to_client; file_data; content:"IREZ",depth 4; flowbits:set,file.rmf; flowbits:noalert; metadata:service http,service imap,service pop3; reference:bugtraq,39077; reference:cve,2010-0842; classtype:attempted-user; sid:24509; rev:3; )
-alert tcp $HOME_NET 143 -> $EXTERNAL_NET any ( msg:"FILE-IDENTIFY Alt-N MDaemon IMAP Server"; flow:to_client,established; content:"MDaemon"; flowbits:set,server.mdaemon; flowbits:noalert; metadata:service imap; reference:bugtraq,28245; reference:cve,2008-1358; reference:url,files.altn.com/MDaemon/Release/RelNotes_en.txt; classtype:attempted-admin; sid:24599; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP4 file magic detected"; flow:to_client,established; file_data; content:"ftypiso",depth 7,offset 4; content:"mp4",within 3,distance 5; flowbits:set,file.mp4; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24816; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MP4 file magic detected"; flow:to_server,established; file_data; content:"ftypiso",depth 7,offset 4; content:"mp4",within 3,distance 5; flowbits:set,file.mp4; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24817; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V",depth 7,offset 4,nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24818; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_server,established; file_data; content:"ftypM4V",depth 7,offset 4,nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24819; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Computer Graphics Metafile file download request"; flow:to_server,established; http_uri; content:".cgm",fast_pattern,nocase; pcre:"/\x2ecgm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cgm; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24820; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Computer Graphics Metafile file attachment detected"; flow:to_client,established; content:".cgm"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ecgm\x22/i"; flowbits:set,file.cgm; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24821; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Computer Graphics Metafile file attachment detected"; flow:to_server,established; content:".cgm"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ecgm\x22/i"; flowbits:set,file.cgm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24822; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JNLP file download request"; flow:to_server,established; http_uri; content:".jnlp"; pcre:"/\x2ejnlp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jnlp; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24901; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JNLP file attachment detected"; flow:to_client,established; content:"jnlp"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ejnlp\x22/i"; flowbits:set,file.jnlp; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24902; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JNLP file attachment detected"; flow:to_server,established; content:"jnlp"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ejnlp\x22/i"; flowbits:set,file.jnlp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24903; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected"; flow:to_server,established; flowbits:isnotset,file.msi; flowbits:isset,file.ole|file.oless.v3; flowbits:isset,file.exe; file_data; content:"This program cannot be run in DOS"; flowbits:set,file.msi; metadata:service smtp; classtype:misc-activity; sid:25062; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple Quicktime Targa Image file download request"; flow:to_server,established; http_uri; content:".tga",fast_pattern,nocase; pcre:"/\x2etga([\?\x5c\x2f]|$)/smi"; flowbits:set,file.tga; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25373; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Apple Quicktime Targa Image file attachment detected"; flow:to_client,established; content:".tga"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2etga\x22/i"; flowbits:set,file.tga; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25374; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Apple Quicktime Targa Image file attachment detected"; flow:to_server,established; content:".tga"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2etga\x22/i"; flowbits:set,file.tga; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25375; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; http_header; content:"application/octet-stream",fast_pattern,nocase; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smi"; file_data; pkt_data; content:"MZ",within 2; flowbits:set,file.exe; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:25513; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; http_header; content:"application/x-msdos-program",fast_pattern,nocase; pcre:"/^Content-Type\x3a[\x20\x09]+application\/x-msdos-program/smi"; file_data; pkt_data; content:"MZ",within 2; flowbits:set,file.exe; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:25514; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; flowbits:set,file.exe; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:25515; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isset,file.ole|file.oless.v3; flowbits:isset,file.exe; file_data; content:"This program cannot be run in DOS"; flowbits:set,file.msi; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:25516; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Csound audio file file download request"; flow:to_server,established; http_uri; content:".csd"; pcre:"/\x2ecsd([\?\x5c\x2f]|$)/smi"; flowbits:set,file.csd; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25604; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Csound audio file file attachment detected"; flow:to_client,established; content:".csd"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ecsd\x22/i"; flowbits:set,file.csd; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25605; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Csound audio file file attachment detected"; flow:to_server,established; content:".csd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=(?P<q1>\x22|\x27|)[^\x22\x27\r\n]*?\x2ecsd(?P=q1)/i"; flowbits:set,file.csd; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25606; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".ogg",fast_pattern,nocase; pcre:"/\x2eogg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25928; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogg"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogg\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25929; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".ogg"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogg\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25930; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".ogv",fast_pattern,nocase; pcre:"/\x2eogv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25931; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogv\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25932; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".ogv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogv\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25933; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".oga",fast_pattern,nocase; pcre:"/\x2eoga([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25934; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".oga"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eoga\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25935; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".oga"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eoga\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25936; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".ogx",fast_pattern,nocase; pcre:"/\x2eogx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25937; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogx\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25938; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".ogx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogx\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25939; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".spx",fast_pattern,nocase; pcre:"/\x2espx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25940; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".spx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2espx\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25941; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".spx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2espx\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25942; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".opus",fast_pattern,nocase; pcre:"/\x2eopus([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25943; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".opus"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eopus\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25944; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".opus"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eopus\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25945; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY ZIP file download detected"; flow:to_client,established; file_data; content:"PK|03 04 14 00 06 00|",depth 8; flowbits:set,file.zip; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:26057; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; file_data; content:"PK|03 04 14 00 06 00|",depth 8; flowbits:set,file.zip; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26058; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Internet Explorer HTML Component file download request"; flow:to_server,established; http_uri; content:".htc",fast_pattern,nocase; pcre:"/\x2ehtc([\?\x5c\x2f]|$)/smi"; flowbits:set,file.htc; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26126; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Internet Explorer HTML Component file attachment detected"; flow:to_client,established; content:".htc"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ehtc[\x22\x27\s]/si"; flowbits:set,file.htc; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:26127; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Internet Explorer HTML Component file attachment detected"; flow:to_server,established; content:".htc"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ehtc[\x22\x27\s]/si"; flowbits:set,file.htc; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26128; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|00 10|JFIF"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:26251; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Flash Player embedded compact font detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"CFF"; content:"DEF",within 3,distance 14; content:"GSUB",within 4,distance 12; flowbits:set,file.swf.cff; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/PostScript_fonts#Compact_Font_Format; classtype:misc-activity; sid:25680; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Flash Player embedded compact font detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"CFF"; content:"DEF",within 3,distance 14; content:"GSUB",within 4,distance 12; flowbits:set,file.swf.cff; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/PostScript_fonts#Compact_Font_Format; classtype:misc-activity; sid:25682; rev:3; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Metalink File file attachment detected"; flow:to_client,established; content:".metalink"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2emetalink[\x22\x27\s]/si"; flowbits:set,file.metalink; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:26422; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Metalink File file attachment detected"; flow:to_server,established; content:".metalink"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2emetalink[\x22\x27\s]/si"; flowbits:set,file.metalink; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26423; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Metalink File file download request"; flow:to_server,established; http_uri; content:".metalink"; pcre:"/\x2emetalink([\?\x5c\x2f]|$)/smi"; flowbits:set,file.metalink; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26424; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Stream redirector file attachment detected"; flow:to_client,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2easx[\x22\x27\s]/si"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26456; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Stream redirector file attachment detected"; flow:to_server,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2easx[\x22\x27\s]/si"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26457; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Stream redirector file download request"; flow:to_server,established; content:".asx"; http_uri; pcre:"/\x2easx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26458; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY maplet file download attempt"; flow:to_server,established; http_uri; content:"|2E|maplet"; pcre:"/\x2Emaplet([\?\x5c\x2f]|$)/smi"; flowbits:set,file.maplet; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26514; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY maplet file attachment detected"; flow:to_client,established; content:".maplet"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emaplet\x22/i"; flowbits:set,file.maplet; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:26515; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY maplet file attachment detected"; flow:to_server,established; content:".maplet"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emaplet\x22/i"; flowbits:set,file.maplet; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26516; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY maplet bin file download attempt"; flow:to_server,established; http_uri; content:"|2E|bin"; pcre:"/\x2Ebin([\?\x5c\x2f]|$)/smi"; flowbits:set,file.maplet.bin; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26517; rev:2; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY maplet bin file attachment detected"; flow:to_client,established; content:".bin"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emaplet\x22/i"; flowbits:set,file.maplet.bin; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:26518; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY maplet bin file attachment detected"; flow:to_server,established; content:"maple.bin"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emaplet\x22/i"; flowbits:set,file.maplet.bin; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26519; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Android APK download request"; flow:to_server,established; http_uri; content:".apk"; pcre:"/\x2eapk([\?\x5c\x2f]|$)/smi"; flowbits:set,file.apk; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26902; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Android APK download file attachment detected"; flow:to_client,established; content:".apk"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2eapk[\x22\x27\s]/si"; flowbits:set,file.apk; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:26903; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"FILE-IDENTIFY Android APK download file attachment detected"; flow:to_server,established; content:".apk"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2eapk[\x22\x27\s]/si"; flowbits:set,file.apk; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26904; rev:1; )
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Trimble SketchUp file attachment detected"; flow:to_client,established; content:".skp"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2eskp[\x22\x27\s]/si"; flowbits:set,file.skp; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:27275; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"FILE-IDENTIFY Trimble SketchUp file attachment detected"; flow:to_server,established; content:".skp"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2eskp[\x22\x27\s]/si"; flowbits:set,file.skp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:27276; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Trimble SketchUp file download request"; flow:to_server,established; http_uri; content:".skp"; pcre:"/\x2eskp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.skp; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:27277; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Python bytecode file magic detected"; flow:to_client,established; file_data; content:"|03 F3 0D 0A|",depth 4; flowbits:set,file.pyc; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:27542; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"FILE-IDENTIFY Python bytecode file magic detected"; flow:to_server,established; file_data; content:"|03 F3 0D 0A|",depth 4; flowbits:set,file.pyc; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:27543; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Oracle Java Web Start Splashscreen GIF decoding buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|46 38 39 61 FF FF FF FF B3 FF 00 FF FF FF CD CD CD A6 A6 A3 0E 0D 0D 05 05 83 ED EC EC AB AB B4|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-2086; classtype:attempted-user; sid:17395; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Sun Microsystems Java gif handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|F9 04 01 00 00 10 00|,|00 00 00 00 00 00 90 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:16000; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; byte_test:4,>,59000,0,relative,big; byte_test:4,>,32000,4,relative,big; byte_test:1,>,7,8,relative; content:"|06|",within 1,distance 9; content:"|01|",within 1,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3126; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16186; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",fast_pattern; content:"tEXt",distance 0; byte_test:4,>,10000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:cve,2009-2501; reference:cve,2012-5470; reference:cve,2013-1331; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-062; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-051; classtype:attempted-user; sid:6700; rev:18; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime PictureViewer buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|4A 46 49 46|"; content:"|EB 06 44 00|",distance 0; content:"|42 42 42 42|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18600; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime PictureViewer buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|4A 46 49 46|"; content:"|B8 EC 12 00|",within 4,distance 269; content:"|42 42 42 42|",within 4,distance 37; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18599; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Adobe tiff oversized image length attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|14 01 00 00 01 01 04 00 01 00 00 00 01 01 01 01 02 01 03 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2995; classtype:attempted-user; sid:16321; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|",depth 8,offset 278; content:"|02 01 03 00 04 00 00 00 16 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:21160; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|",depth 8,offset 266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16184; rev:11; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|",depth 8,offset 278; content:"|02 01 03 00 04 00 00 00 16 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23590; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|",depth 8,offset 266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23589; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Adobe Photoshop TIFF malicious SGILOG-compressed data attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|61 64 63 62 61 64 63 62 61 64 63 62 61 64 63 62 61 64 63 62 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.protekresearchlab.com/index.php?option=com_content&view=article&id=40&Itemid=40; classtype:attempted-user; sid:21948; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"FILE-IMAGE CUPS Gif Decoding Routine Buffer Overflow attempt"; flow:to_server,established; content:"GIF89a"; content:"|3A 00 0B 00 00 0D 2C 00 FF|",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28544; reference:cve,2008-1373; classtype:attempted-user; sid:17558; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime uncompressed PICT stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|",distance 0,fast_pattern; content:"|82 01|",distance 0; byte_test:4,<,50,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,26344; reference:cve,2007-4672; classtype:attempted-user; sid:12757; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|01 00 09 00|"; pcre:"/(\x40\x09.{19}|\x41\x0b.{23})[\xf0-\xff].{8}\x01\x00[\x00\x01\x02\x04\x08\x10\x18\x20]\x00/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:15105; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows Flashpix graphics filter fpx32.flt remote code execution attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FE FF 00 00|"; content:"|00 64 61 56 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B 01 00 00 00 00 64 61 56 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B|",within 36,distance 4; byte_jump:4,0,relative,little; byte_test:4,>,0,-44,relative; content:"|00 00 00 00|",within 4,distance -40; byte_jump:4,0,relative,little; byte_test:4,>,0x100,-8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3951; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18237; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime FlashPix Movie file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|00 01 00 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B 01 00 00 00|"; byte_test:4,>,0x0FFFFFFF,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,39020; reference:cve,2010-0519; classtype:attempted-user; sid:18510; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft FlashPix tile length overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FF 5F 00 00 02 00 00 00 00 11 01 FE 56 0B 00 00 3C 0A 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3952; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18229; rev:11; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iCCP",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22109; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22108; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"zTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22107; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iCCP",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22106; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; content:"|00|",within 79,distance 12; content:"|01|",within 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22105; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"zTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22104; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x7ffffff,-8,relative; content:"|00|",within 79,distance 12; content:"|00|",within 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:25065; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; content:"|00|",within 79,distance 12; content:"|00|",within 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:25066; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|",depth 4; content:"8BIM",within 4,distance 16; content:"|04 0C|",within 2; content:"|FF D8 FF ED|",distance 0; content:"8BIM",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:17390; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_server; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|",depth 4; content:"8BIM",within 4,distance 16; content:"|04 0C|",within 2; content:"|FF D8 FF ED|",distance 0; content:"8BIM",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26372; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_server; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|",depth 4; content:"8BIM",within 4,distance 16; content:"|04 09|",within 2; content:"|FF D8 FF ED|",distance 0; content:"8BIM",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26373; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|",depth 4; content:"8BIM",within 4,distance 16; content:"|04 09|",within 2; content:"|FF D8 FF ED|",distance 0; content:"8BIM",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26374; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",fast_pattern; content:"tEXt",distance 0; byte_test:4,>,10000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:cve,2009-2501; reference:cve,2012-5470; reference:cve,2013-1331; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-062; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-051; classtype:attempted-user; sid:26865; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java XGetSamplePtrFromSnd memory corruption attempt"; flow:to_server,established; flowbits:isset,file.rmf; file_data; content:"|1B 37 D6 E1 89 5F AB 9C 2E 1B 0D 49 A0 7B 89 8E C1 DE DE 86 17 22 12 1C 6F CC F1 CB AD EF 90 18|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,46394; reference:cve,2010-4462; classtype:attempted-user; sid:24511; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_server,established; file_data; content:"single.class|6D 52 5D 53 D3 50 10 3D B7 4D|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26717; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_client,established; file_data; content:"single.class|6D 52 5D 53 D3 50 10 3D B7 4D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26716; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java runtime JMX findclass sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|5B C7 59 FF 46 2B ED 9B 95 65 7B 3D EB B5 AD D8|"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57563; reference:cve,2013-0431; classtype:attempted-admin; sid:26588; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java runtime JMX findclass sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/jmx/mbeanserver/Introspector"; content:"findClass"; content:"com.sun.jmx.mbeanserver.MBeanInstantiator"; content:"declaredMethods"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57563; reference:cve,2013-0431; classtype:attempted-admin; sid:26587; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Union1.class"; content:"Union2.class"; content:"SystemClass.class"; metadata:policy balanced-ips alert,policy security-ips drop,service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26552; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; file_data; content:"|70 01 00 10|findStaticSetter|01 00 55 28|"; metadata:policy balanced-ips alert,policy security-ips drop,service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26551; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; file_data; content:"|70 01 00 10|findStaticSetter|01 00 55 28|"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26550; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Union1.class"; content:"Union2.class"; content:"SystemClass.class"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26549; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|0A C6 07 80 C3 B8 8D 0D A9 AB 8F B8 45 25 F0 1D|"; metadata:policy balanced-ips alert,policy security-ips drop,service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26500; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|0A C6 07 80 C3 B8 8D 0D A9 AB 8F B8 45 25 F0 1D|"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26499; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; file_data; content:"disableSecurityManager"; content:"java/lang/reflect/Field",nocase; content:"getSecurityManager",nocase; metadata:policy balanced-ips alert,policy security-ips drop,service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26487; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; file_data; content:"disableSecurityManager"; content:"java/lang/reflect/Field",nocase; content:"getSecurityManager",nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26486; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|DD FE 53 3A 55 5B 3E 97 24 FD 19 31 34 97 2F B2 3E BD 4E D7 AD 50 CC 1C F2 C4 A3 43 E0 2C 6F 29|"; metadata:policy balanced-ips alert,policy security-ips drop,service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26485; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|DD FE 53 3A 55 5B 3E 97 24 FD 19 31 34 97 2F B2 3E BD 4E D7 AD 50 CC 1C F2 C4 A3 43 E0 2C 6F 29|"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26484; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java known malicious jar file download - specific structure"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"Foo.class"; content:"trash/A.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:26439; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Jar file downloaded when zip is defined"; flow:to_client,established; http_header; content:"filename="; content:".zip|0D 0A|",distance 0; file_data; pkt_data; content:"PK",depth 2; content:".class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26292; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java 2D ImagingLib ConvolveOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/Kernel|3B 29|V|01 00 06|filter|01 00|"; content:"|00 1A 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26200; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java 2D ImagingLib LookupOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/RenderingHints|3B 29|V|01 00 06|filter|01 00|"; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26199; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26198; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java 2D ImagingLib ConvolveOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/Kernel|3B 29|V|01 00 06|filter|01 00|"; content:"|00 1A 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26197; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java 2D ImagingLib LookupOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/RenderingHints|3B 29|V|01 00 06|filter|01 00|"; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26196; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26195; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java Gmbal package sandbox breach attempt"; flow:to_server,established; file_data; content:"GenericConstructor",nocase; content:"sun.invoke.anon",nocase; content:"ManagedObjectManagerFactory"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,osvdb.org/show/osvdb/76500; reference:url,osvdb.org/show/osvdb/86363; classtype:attempted-user; sid:26186; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Gmbal package sandbox breach attempt"; flow:to_client,established; file_data; content:"GenericConstructor",nocase; content:"sun.invoke.anon",nocase; content:"ManagedObjectManagerFactory"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,osvdb.org/show/osvdb/76500; reference:url,osvdb.org/show/osvdb/86363; classtype:attempted-user; sid:26185; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; content:"JmxMBeanServerBuilder"; content:"invokeWithArguments"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25834; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java malicious class download attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"exploit",nocase; content:".classPK",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,53960; reference:bugtraq,57246; reference:cve,2012-1723; reference:cve,2013-0422; classtype:attempted-user; sid:25833; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"B.classPK"; content:"PK",distance -800; pcre:"/^\x01\x02.{0,50}[a-zA-Z]{10}\x2fPK.{0,50}[a-zA-Z]{10}\x2f[a-zA-Z]{7}\.classPK/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,57246; reference:cve,2013-0422; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25832; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; content:"JmxMBeanServerBuilder"; content:"invokeWithArguments"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25831; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java malicious class download attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"exploit",nocase; content:".classPK",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,53960; reference:bugtraq,57246; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; classtype:attempted-user; sid:25830; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java obfuscated jar file download attempt"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"Obfuscation by Allatori Obfuscator"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:25562; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"B.classPK"; content:"PK",distance -800; pcre:"/^\x01\x02.{0,50}[a-zA-Z]{10}\x2fPK.{0,50}[a-zA-Z]{10}\x2f[a-zA-Z]{7}\.classPK/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57246; reference:cve,2013-0422; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25472; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"exploit/",nocase; content:".class",within 20,nocase; pcre:"/exploit\/(Exploit(App)?|Loader)\.class/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:cve,2012-4681; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25123; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"poc/",nocase; content:".class",within 20,nocase; pcre:"/poc\/(Exploit|myClassLoader|pocMain|runCmd)\.class/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25122; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"msf/x/PayloadX$StreamConnector.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25121; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle JavaScript heap exploitation library usage attempt"; flow:to_server,established; file_data; content:"heapLib.ie.prototype.freeOleaut32"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-0779; reference:cve,2012-4969; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:attempted-user; sid:25006; rev:3; )
-alert tcp any any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java Runtime true type font idef opcode heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar|file.class|file.ttf; file_data; content:"|00 01 00 00|",depth 4; content:"|89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-0499; reference:url,osvdb.org/show/osvdb/79226; classtype:attempted-user; sid:24915; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime true type font idef opcode heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar|file.class|file.ttf; file_data; content:"|00 01 00 00|",depth 4; content:"|89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0499; reference:url,osvdb.org/show/osvdb/79226; classtype:attempted-user; sid:24701; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java XGetSamplePtrFromSnd memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rmf; file_data; content:"|1B 37 D6 E1 89 5F AB 9C 2E 1B 0D 49 A0 7B 89 8E C1 DE DE 86 17 22 12 1C 6F CC F1 CB AD EF 90 18|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,46394; reference:cve,2010-4462; classtype:attempted-user; sid:24510; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime AWT setDiffICM stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 0B 28|II[B[B[B|29|V|01 00 0A|setDiffICM|01 00|S|28|II"; content:"|0A|,|10 0A 11 01 90 BB 00 17|Y|10 10 08 08 BC|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36881; reference:cve,2009-3869; classtype:attempted-user; sid:16288; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow attempt"; flow:to_client,established; http_header; content:"Content-Encoding|3A|",nocase; content:"pack200-gzip",within 20,nocase; file_data; pkt_data; content:"|CA FE D0 0D|"; content:"|C5 FC FC FC FC 00 D6|",within 50,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32608; reference:cve,2008-5352; classtype:misc-attack; sid:17562; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Web Start JNLP attribute buffer overflow attempt"; flow:to_client,established; file_data; content:"<j2se",nocase; pcre:"/\x3cj2se[^\x3e]*(initial|max)-heap-size\s*\x3d\s*(\x22|\x27)[^\x22\x27]{50}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:13950; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"launchjnlp",fast_pattern,nocase; content:"docbase",within 100,nocase; isdataat:80,relative; pcre:"/^([\x22\x27]\s*value)?\s*=\s*\x22[^\x22]{70}/Rsmi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:18244; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime AWT setDiffICM stack buffer overflow attempt"; flow:to_client,established; file_data; content:"AppletX"; pcre:"/\x3C\s*applet[^\x3E\n$]*code\s*=\s*[\x27\x22]AppletX[\x22\x27][^\x3E\n$]*archive\s*=\s*[\x22\x27][^\s\x3E\n$]{32}\x2Ejar[\x22\x27]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36881; reference:cve,2009-3869; classtype:attempted-user; sid:19926; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-JAVA Oracle Java Web Start BasicServiceImpl security policy bypass attempt"; flow:to_server,established; http_uri; content:"java.security.policy"; pcre:"/jnlp\x22\x09\x22-J-Djava\.security\.policy/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43999; reference:cve,2010-3563; classtype:attempted-user; sid:20430; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"launchjnlp",fast_pattern,nocase; content:"docbase",within 100,nocase; isdataat:80,relative; pcre:"/^([\x22\x27]\s*value)?\s*=\s*\x27[^\x27]{70}/Rsmi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:20444; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle JavaScript heap exploitation library usage attempt"; flow:to_client,established; file_data; content:"heapLib.ie.prototype.freeOleaut32"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:cve,2012-4969; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:attempted-user; sid:23614; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|51 DB 6A 4F B5 16 EF 52 DB D4 AA 15 43 BB 89 C6 AB D5 06 B5 97 D6 AA D5 D6 A3 F5 D6 DE AD F5 96|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,osvdb.org/show/osvdb/86363; classtype:attempted-admin; sid:24026; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"AccessControlContext"; pcre:"/AccessControlContext\s*?(?P<var>\w*)\s*?=\s*?new\s*?AccessControlContext.*?SetField\x28Statement\.class,\s*?(?P<quotes1>\x22|\x27)acc(?P=quotes1),\s*?localStatement,\s*?(?P=var)/smi"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24028; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Trigger.class"; pcre:"/(DisableSandboxAndDrop|ConfusedClass|FieldAccessVerifierExpl)\.class/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:24201; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Trigger.class"; pcre:"/(DisableSandboxAndDrop|ConfusedClass|FieldAccessVerifierExpl)\.class/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:24202; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|65 38 5C 78 65 61 5C 78 39 39 5C 78 31 39 5C 74 5C 78 61 35 33 5C 78 66 64 5B 5C 78 64 39 5C 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24126; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|65 38 5C 78 65 61 5C 78 39 39 5C 78 31 39 5C 74 5C 78 61 35 33 5C 78 66 64 5B 5C 78 64 39 5C 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24125; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|71 CE 4E 75 4D BD 4B 75 9C 44 B4 63 27 77 A7 84 92 2D DF 59 4E 73 E2 F4 DE AB D3 BB D3 BB F2 17|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24085; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|71 CE 4E 75 4D BD 4B 75 9C 44 B4 63 27 77 A7 84 92 2D DF 59 4E 73 E2 F4 DE AB D3 BB D3 BB F2 17|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24084; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment JAR File Processing Stack Buffer Overflow"; flow:to_client,established; file_data; content:"|1D 79 05 13 28 88 55 51 C2 A4 84 29 05 12 0C 19|"; content:"|F1 2B C6 40 A1 3D C6 60 81 A8 5D 28 34 30 44 06|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32608; reference:cve,2008-5354; classtype:attempted-user; sid:17563; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow"; flow:to_client,established; content:"Content-Encoding: pack200-gz",nocase; content:"|9A 10 3A C7 39 E2 E6 DE BE F7 71 BA 7C 22 5E D7|"; content:"|49 F4 EF C7 73 9F 9B 9C 8B 32 A7 88 58 FF 13 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34240; reference:cve,2009-1095; classtype:attempted-user; sid:17522; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:to_client; flowbits:isset,file.psfont; file_data; content:"|CF F9 2A 69 CE 32 21 93 B1 0D 9E 89 77 CD DD 58 3A C0 0C 33 A1 9F A4 4C E9 D0 66 FB CD 2D F1 B8 3E F8 FF 09 7D 7E 94 CA 6C 78 5C 7E FF 42 D1 B8|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17623; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"atomic"; content:"AtomicReferenceArray",within 20,distance 1; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21666; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"|35 37 32 37 32 36 35 36 45 37 34 32 45 36 31 37 34 36 46 36 44 36 39 36|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21665; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"|33 36 35 37 30 37 34 36 39 36 46 01 00 2C 36 45 30 31 30 30 30 36 36 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21664; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|6B 78 9E B5 D6 F6 FF F1 FF FC 6F FF FB 97 2F 5F EC 5F FE EF 83 2F 42 C1 97 E3 6E 8B FF 67 FD F3|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24058; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|6B 78 9E B5 D6 F6 FF F1 FF FC 6F FF FB 97 2F 5F EC 5F FE EF 83 2F 42 C1 97 E3 6E 8B FF 67 FD F3|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24057; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|D3 2D 69 D2 25 D3 76 9A A6 4D 9B A6 49 DA A4 CD D2 C9 D2 E9 B4 4D 9C 73 05 78 C3 6F DE E4 AF 9A|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24056; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|D3 2D 69 D2 25 D3 76 9A A6 4D 9B A6 49 DA A4 CD D2 C9 D2 E9 B4 4D 9C 73 05 78 C3 6F DE E4 AF 9A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24055; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|1F 8B 08 08 D4 73 61 49 00 03 65 2E 70 61 63 6B 00 ED CE 3B 4B 03 41 10 00 E0 D9 7B C7 3B 15 63 63 2D 16 8A 8F D3 68 17 11 22 E4 34 21 31 82 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17624; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|B1 00 02 00 06 00 20 00 23 00 48 00 04 00 3E 00 45 00 48 00 00 00 09 00 16 00 4A 00 01 00 0B 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23277; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|07 02 36 0B 43 07 02 39 0B 43 07 02 3C 0B 43 07 02 3F 0B 43 07 02 42 0B 43 07 02 45 0B 43 07 02|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23276; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|00 01 00 0B 00 00 00 3D 00 06 00 02 00 00 00 1C 04 3C 2A B2 00 12 B2 00 18 1B 04 64 B2 00 18 BE|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23275; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|00 25 B6 00 12 B8 00 2B A7 00 08 4C 2B B6 00 31 B1 00 01 00 00 00 30 00 33 00 36 00 02 00 0A 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23274; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; flowbits:isset,file.zip; file_data; content:".classPK",nocase; pcre:"/(sIda\/sId|urua\/uru)[abcd]\.classPK/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23273; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Zip file directory record overflow attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|05 06|"; byte_test:2,=,0,6,relative,little; byte_test:4,=,46,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52013; reference:cve,2012-0501; reference:url,osvdb.org/show/osvdb/79228; classtype:attempted-user; sid:23243; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Applet remote code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Exploit.class"; content:"Payload.class",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-3544; reference:cve,2012-5076; reference:url,osvdb.org/show/osvdb/76500; reference:url,osvdb.org/show/osvdb/86363; classtype:attempted-user; sid:20622; rev:10; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java Zip file directory record overflow attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|05 06|"; byte_test:2,=,0,6,relative,little; byte_test:4,=,46,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,52013; reference:cve,2012-0501; reference:url,osvdb.org/show/osvdb/79228; classtype:attempted-user; sid:23560; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java attempt to write in system32"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/io/FileInputStream",nocase; content:"|5C|system32|5C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:policy-violation; sid:21056; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Applet disable security manager attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"DisableSecurityManagerAction.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,osvdb.org/show/osvdb/94346; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27076; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java Applet disable security manager attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"DisableSecurityManagerAction.class"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,osvdb.org/show/osvdb/94346; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27077; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"ExploitApp.classPK"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,osvdb.org/show/osvdb/94346; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27190; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"ExploitApp.classPK"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,osvdb.org/show/osvdb/94346; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27191; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|55 12 FE 3F 35 F2 C0 00 00 00 0B 01 03 0A B1 54 0D 02 4A E3 17 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,23650; reference:cve,2007-2295; classtype:attempted-user; sid:17531; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime PDAT Atom parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|00 00 00 01 0F 00 00 00 FE B4 00 00 FE 01 1A C4 42 01 1A C4 41 1A EC EC 42 81 1A C4 43 81 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-3625; reference:url,support.apple.com/kb/HT3027; classtype:attempted-user; sid:17381; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow QuickTime file stsc atom parsing heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stbl"; content:"stsd",within 4,distance 4; content:"ima4",distance 8; content:"stsc",distance 0; byte_jump:4,4,relative,multiplier 12,big; isdataat:7,relative; content:!"stsz",within 4,distance 4; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1538; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15682; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime movie record invalid version number exploit attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"mvhd|FF|",within 5,distance 4; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0956; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15480; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stts"; content:"|00 00 00 00 00 00 00 01 EE 00 00 26 00 00 04 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17612; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stss"; content:"|00 00 00 00 00 00 00 03 00 00 00 01 00 FF FF FF|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17611; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"ctts"; content:"|00 00 00 00 00 00 00 8F 00 00 00 01 00 00 00 14 00 FF FF FF|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17610; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime udta atom parsing heap overflow vulnerability"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"udta"; content:"|A9|nam|FF|",distance 0; byte_test:2,>,251,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,22844; reference:cve,2007-0714; classtype:attempted-user; sid:17372; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom cprt field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"cprt|00|",nocase; content:"|00 00 00 0D|",within 4,distance -9; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21342; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom 'dscp' field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"dscp|00|",nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21341; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom 'titl' field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"titl|00|",nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21340; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom auth field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"auth|00|",nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21339; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player RealText buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"<time ",nocase; pcre:"/\x3ctime\x20[^\x3e]*(begin|end)\x3d\x22[^\x22]{13}/Osmi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-5036; classtype:attempted-user; sid:15166; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; flowbits:isset,file.mp3; file_data; content:"|FF FA 92 60 3C 6F|"; content:"|FF FA 92 C9 B9 56|",within 6,distance 412,fast_pattern; content:"|A9 00 04 48 58 DC E1 83 4B 68 32 01 9B BC 04 A3 27 0E A5 3D 71 66 0D 2D A8 D3 84 AF 3C 14 88 94 3E 89 CA BF 80 9C|",within 38; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:17117; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA FFmpeg OGV file format memory corruption attempt"; flow:to_client,established; file_data; content:"OggS",depth 4; content:"|82|theora",distance 0; byte_test:1,!&,0xE0,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,36465; reference:cve,2009-4631; reference:cve,2009-4632; reference:cve,2009-4633; reference:cve,2009-4634; reference:cve,2009-4635; reference:cve,2009-4636; reference:cve,2009-4637; reference:cve,2009-4638; reference:cve,2009-4639; reference:cve,2009-4640; reference:url,secunia.com/advisories/36805; classtype:attempted-user; sid:16353; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player WAV processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wav; file_data; content:"RIFF"; content:"WAVEfmt",distance 4; byte_test:4,>,0xfffffffc,1,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30058; reference:cve,2008-2430; classtype:misc-activity; sid:15080; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC real.c ReadRealIndex real demuxer integer overflow attempt"; flow:to_client,established; flowbits:isset,file.realmedia; file_data; content:"INDX"; byte_test:4,>,0x15555554,6,relative,big; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32545; reference:cve,2008-5276; classtype:attempted-user; sid:15241; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime SMIL qtnext redirect file execution attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"qt|3A|next"; pcre:"/qt\x3anext\s*\x3d\s*\x22\s*file\x3a\x2f{3}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29650; reference:cve,2008-1585; classtype:attempted-user; sid:15487; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks SMIL wallclock stack overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smi",nocase; content:"wallclock|28|"; pcre:"/^[^\x29]*\x2E[0-9]{11}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24658; reference:cve,2007-3410; classtype:attempted-user; sid:12728; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format interchange data integer overflow attempt"; flow:to_client,established; file_data; content:"35907DE0-E415-11CF-A917-00805F5C442B"; byte_test:2, >, 65476, 52, relative; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13158; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format audio error masking integer overflow attempt"; flow:to_client,established; file_data; content:"49F1A440-4ECE-11d0-A3AC-00A0C90348F6"; byte_jump:4, 8, relative; byte_test:2, >, 65527, 14, relative; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13159; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming audio spread error correction data length integer overflow attempt"; flow:to_client,established; file_data; content:"BFC3CD50-618F-11CF-8BB2-00AA00B4E220"; byte_test:4, >, 65522, 12, relative; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13160; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|06 AF E1 00 EC 7B D1 11 A5 82 00 C0 4F C2 9C FB|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19450; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19449; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media pixel aspect ratio header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19448; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media content type header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19447; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media file name header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19446; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media Timecode header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19445; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media sample duration header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19444; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|06 AF E1 00 EC 7B D1 11 A5 82 00 C0 4F C2 9C FB|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23576; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23575; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media pixel aspect ratio header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23574; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media content type header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23573; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media file name header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23572; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media Timecode header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23571; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media sample duration header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23570; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow GraphEdt closed captioning memory corruption"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|52 49 46 46 F8 C1 4E 0E 41 56 49 20 4C 49 53 54 90 7C 01 00 68 64 72 6C 61 76 69 68 38 00 00 00 56 82 00 00 5D FA 4C 01 00 02 00 00 10 08 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0004; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:21078; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Cinepak Codec VIDC decompression remote code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|00 00 00 1B 00 00 B0 00 90 00 8F 10 00 00 30 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,42256; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-055; classtype:attempted-user; sid:19403; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|32 32 32 32 32 32 FF C0 00 0B 08 00 F0 01 40 01 9C 11 01 FF DD 00 04 00 00 FF C4 00 9F 01 72 12 00 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,40432; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:19146; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA AVI file chunk length integer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"AVI LIST",depth 8,offset 8; content:"hdrlavih",within 8,distance 4; content:"INFO",distance 0; byte_extract:4,4,chunk_size,relative,little; isdataat:!chunk_size; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-3834; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:21168; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Visual Basic 6.0 malformed AVI buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI ",within 4,distance 4; content:"strf"; byte_test:4,>,1088,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15104; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; flow:to_client,established,only_stream; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST",within 8,distance 4; content:"hdrlavih8|00 00 00|",within 12,distance 4; isdataat:!56,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:16342; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile media file processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST",within 8,distance 4; content:"hdrlavih",within 8,distance 4; byte_test:4,!=,56,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:15854; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed avi file mjpeg compression arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"P.|00 00 10|'|00 00 00 00 00 00 00 00 00 00|@|01 F0 00|strf|28 00 00 00 28 00 00 00|@|00 00 00 F0 00 00 00 01 00 18 00|MJPG|00 84|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:15995; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|8E 8C 8B 8E 8C 8B 8E 8C 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C FF C4 00 9F 01 72 12 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:16661; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Cinepak Codec VIDC decompression remote code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"00dc|52 0A 00 00 01 00 0A 52 00 50 00 3C 55 55 11 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-055; classtype:attempted-user; sid:17128; rev:11; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; flow:to_server,established,only_stream; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST",within 8,distance 4; content:"hdrlavih8|00 00 00|",within 12,distance 4; isdataat:!56,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:23569; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile media file processing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST",within 8,distance 4; content:"hdrlavih",within 8,distance 4; byte_test:4,!=,56,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:23568; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime|file.jpeg; file_data; content:"|00 00 00 56 6A 70 65 67 00 00 00 00 00 00 00 01 00 00 00 00 61 70 70 6C 00 00 00 00 00 00 02 00 00 02 00 03 00 48 00 00 00 48 00 00 00 00 00 00 00 01 0C 50 68 6F 74 6F 20 2D 20 4A 50 45 47 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:17470; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR Overly Long Filename Code Execution attempt"; flow:to_client,established; file_data; content:"|1F 5C 80 00 00 08 72 61 6D 34 2E 72 65 63 00 00 00 00 00 00 01 79|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33652; reference:cve,2009-0375; classtype:attempted-user; sid:17561; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Mplayer Real Demuxer stream_read heap overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:".RMF",depth 4; content:"|14 76 69 64 65 6F 2F 78 2D 70 6E 2D 72 65 61 6C 76 69 64 65 6F 00 00 00 1A 59 49 59 55 56 49 44 4F 52 56 32 30 00 01 00 01 00 1E 59 49 59 55 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31473; reference:cve,2008-3827; classtype:attempted-user; sid:17469; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer QCP parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.qcp; file_data; content:"RIFF",depth 4; content:"QLCMfmt|20|",within 8,distance 4; byte_test:4,>,220,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2950; classtype:attempted-user; sid:20288; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media Player codec code execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strh"; content:"auds",within 4,distance 4,fast_pattern; byte_jump:4,-8,relative,little; isdataat:16,relative; content:"strf",within 4; content:"U|00|",within 2,distance 4; byte_test:4,!=,48000,2,relative,little; byte_test:4,!=,44100,2,relative,little; byte_test:4,!=,32000,2,relative,little; byte_test:4,!=,24000,2,relative,little; byte_test:4,!=,22050,2,relative,little; byte_test:4,!=,16000,2,relative,little; byte_test:4,!=,12000,2,relative,little; byte_test:4,!=,11025,2,relative,little; byte_test:4,!=,8000,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0480; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-026; classtype:attempted-user; sid:16543; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strlstrh",fast_pattern,nocase; byte_jump:4,0,relative,little; content:!"strf",within 4,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,46047; reference:cve,2010-4393; classtype:attempted-user; sid:19169; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U",depth 7,nocase; isdataat:1000; pcre:"/https?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2005-0043; classtype:attempted-user; sid:18484; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0A\x0D\x3C]{251}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35500; reference:cve,2009-2484; reference:url,osvdb.org/show/osvdb/55509; classtype:attempted-user; sid:16752; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0D\x0A\x3C]{251}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35500; reference:cve,2009-2484; reference:url,osvdb.org/show/osvdb/55509; classtype:attempted-user; sid:16751; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA FFmpeg 4xm processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.4xm; file_data; content:"strk|28 00 00 00|"; byte_test:4,>,0x7ffffffe,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33502; reference:cve,2009-0385; classtype:attempted-user; sid:15871; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"<trackList><track>",nocase; content:"<identifier>-",distance 0; content:"</track></trackList>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4558; classtype:attempted-user; sid:15157; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime SMIL File Handling Integer Overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smil>"; pcre:"/meta\s*name\x3d\s*(?P<q1>(\x22|\x27|))(author|copyright|title|information)\s*(?P=q1)/smiR"; content:"content|3D 22|",distance 1,nocase; isdataat:1024,relative; content:!"|22|",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24873; reference:cve,2007-2394; classtype:attempted-user; sid:17548; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer SMIL wallclock parsing buffer overflow"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"smil ",nocase; content:"wallclock|28|",distance 0,nocase; pcre:"/wallclock\x28((\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11}|\d{4}-\d{2}-\d{2}T(\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11})/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12219; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX SAMI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smi; file_data; content:"<SAMI",nocase; content:"<STYLE",distance 0,nocase; content:"text/css",within 200,nocase; isdataat:600,relative; content:!"</STYLE",within 600; pcre:"/\x3Cstyle[^\x3E]+?type\s*\x3D\s*(?P<q>(\x22|\x27|))text\x2Fcss(?P=q)[^\x3E]*\x3E.*^\s*\S+\s*\x7b[^\x7d]{500}/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-1444; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:13823; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|",fast_pattern,nocase; byte_extract:4,94,low,relative,little; content:"W|00|m|00|t|00|o|00|o|00|l|00|s|00|V|00|a|00|l|00|i|00|d|00 00 00|",distance 0,nocase; byte_test:4,>,low,94,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:19956; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 10 00 00|AAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:17135; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media Player Firefox plugin memory corruption attempt"; flow:to_client,established; flowbits:isset,file.wmv; file_data; content:"setTimeout|28 27|location|2E|reload|28 29 27 2C| 1000"; content:"autostart|3D|1 src=|22|invalid|2E|wmv|22|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2745; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-083; classtype:attempted-user; sid:17773; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 12 00 00|AAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:19063; rev:9; )
-alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Visual Basic 6.0 malformed AVI buffer overflow attempt"; flow:to_client,established; content:"RIFF",depth 100; content:"AVI ",within 4,distance 4; content:"strf"; byte_test:4,>,1088,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2008-4255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:23943; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime panorama atoms buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 00 00 01 A6 73 65 61 6E 00 00 00 01 00 00 00 04 00 00 00 00 00 00 41 41 70 64 61 74 00 00 00 01 00 00 00 00 00 00 00 00 00 02 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26342; reference:cve,2007-4675; reference:url,docs.info.apple.com/article.html?artnum=306896; classtype:attempted-user; sid:17373; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-MULTIMEDIA Apple QuickTime user agent"; flow:to_server,established; http_header; content:"User-Agent|3A| QuickTime"; flowbits:set,quicktime_agent; flowbits:noalert; metadata:policy balanced-ips alert,policy security-ips alert,service http; classtype:misc-activity; sid:13515; rev:10; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime marshaled punk remote code execution"; flow:to_client,established; file_data; content:"_Marshaled_pUnk",nocase; pcre:"/name\s*=\s*(?P<q1>\x22|\x27|)_Marshaled_pUnk(?P=q1)/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2010-1818; classtype:attempted-user; sid:17211; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00|"; pcre:"/\x00[\x70-\x74]\x00[\x00-\x09]/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:15384; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime HTTP error response buffer overflow"; flow:to_client,established; flowbits:isset,quicktime_agent; content:"HTTP/1.1 404"; isdataat:256,relative; content:!"|0A|",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27225; reference:cve,2008-0234; classtype:attempted-user; sid:13516; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"hspa"; content:"vrsg",distance 0; byte_test:2,>,0x7000,14,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0667; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24549; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"hspa"; content:"vrsg",distance 0; byte_test:2,>,0x7000,14,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-0667; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24550; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.m4v; file_data; content:"moov",nocase; content:"trak",distance 0,nocase; content:"mdia",distance 0,nocase; content:"minf",distance 0,nocase; content:"stbl",distance 0,nocase; content:"stsd",distance 0,nocase; content:"avc1",distance 0,nocase; content:"avcC",distance 0,nocase; content:"|FF E1|",within 2,distance 4; byte_test:2,>=,0x8000,0,relative,big; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; reference:cve,2006-4381; reference:url,support.apple.com/kb/TA24355; classtype:attempted-user; sid:24640; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4|file.m4v; content:"moov",nocase; content:"trak",distance 0,nocase; content:"mdia",distance 0,nocase; content:"minf",distance 0,nocase; content:"stbl",distance 0,nocase; content:"stsd",distance 0,nocase; content:"avc1",distance 0,nocase; content:"avcC",distance 0,nocase; content:"|FF E1|",within 2,distance 4; byte_test:2,>=,0x8000,0,relative,big; metadata:policy balanced-ips alert,policy security-ips alert,service smtp; reference:cve,2006-4381; reference:url,support.apple.com/kb/TA24355; classtype:attempted-user; sid:24641; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA AVI file chunk length integer overflow attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"AVI LIST",depth 8,offset 8; content:"hdrlavih",within 8,distance 4; content:"INFO",distance 0; byte_extract:4,4,chunk_size,relative,little; isdataat:!chunk_size; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-3834; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:24955; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt"; flow:to_client,established; file_data; content:"OggS|00|",depth 5; content:"|0A 42 64 86 A8 CA 34 3C 04 87 07 97 00 11 71 15|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,51753; reference:cve,2012-0444; classtype:attempted-user; sid:25297; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt"; flow:to_server,established; flowbits:isset,file.ogg; file_data; content:"|0A 42 64 86 A8 CA 34 3C 04 87 07 97 00 11 71 15|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,51753; reference:cve,2012-0444; classtype:attempted-user; sid:25298; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|",depth 11; content:"|E9 7F 58 02 18 00 72 64 33 6D 5E 2C 6D 5E 2C 6D|"; metadata:policy balanced-ips drop,service http,service imap,service pop3; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25376; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|",depth 11; content:"|AC 2A E9 03 18 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,service http,service imap,service pop3; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25377; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|",depth 11; content:"|E9 7F 58 02 18 00 72 64 33 6D 5E 2C 6D 5E 2C 6D|"; metadata:policy balanced-ips drop,service smtp; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25378; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|",depth 11; content:"|AC 2A E9 03 18 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,service smtp; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25379; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01 B3|AAAAAA|BA|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-011; classtype:attempted-user; sid:25795; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01 B3|AAAAAA|BA|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-011; classtype:attempted-user; sid:25796; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xspf; file_data; content:"<trackList><track>",nocase; content:"<identifier>-",distance 0,nocase; content:"</track></trackList>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2008-4558; classtype:attempted-user; sid:25797; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes ITMS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itms|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itms\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15703; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes ITMSS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itmss|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itmss\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15704; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes PCAST protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"pcast|3A|//",nocase; pcre:"/(\x22|\x27)pcast\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15705; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes DAAP protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"daap|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)daap\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15706; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes ITPC protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itpc|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itpc\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15707; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player TY processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|F5 46 7A BD 00 00 00 02 00 02 00 00|",depth 12; byte_test:4,>,32,8,relative,big; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31813; reference:cve,2008-4654; classtype:attempted-user; sid:16720; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA ffdshow codec URL parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; content:"<param ",nocase; content:"URL",distance 0,nocase; pcre:"/<param\s+name\s*=\s*(?P<q1>\x22|\x27|)URL(?P=q1)[^>]+?value\s*=\s*(\x22|\x27)[^\x22\x27]{500}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32438; reference:cve,2008-5381; classtype:attempted-user; sid:17573; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Xenorate Media Player XPL file handling overflow attempt - 2"; flow:to_client,established; file_data; content:"AAAAAAAA|EB 06 90 90 4B 3F 01 11 90 90 90 90|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,osvdb.org/show/osvdb/57162; classtype:attempted-user; sid:16738; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00|"; pcre:"/\x00[\x70-\x74]\x00[\x00-\x09]/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:26472; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple iTunes playlist overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http",offset 7,nocase; content:"://",within 4; isdataat:550,relative; content:!"|0D|",within 1000; content:!"|0A|",within 1000; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2005-0043; classtype:attempted-user; sid:26667; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.pls; file_data; content:"[playlist]",depth 10,nocase; isdataat:1000; content:"File",distance 0; pcre:"/^\d+\x3Dhttps?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2005-0043; classtype:attempted-user; sid:26724; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio version number anomaly"; flow:to_client,established; flowbits:isset,file.visio&file.ole; file_data; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x01-\x06\x0b]|\x00\x00[\x01-\x06\x0b][^\x00])/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24349; reference:cve,2007-0934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-030; classtype:misc-activity; sid:11836; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel REPT integer underflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"|3D|rept|28|",nocase; pcre:"/\x3ccell\s+[^\x3e]*\x3aFormula\s*\x3d\s*\x22\s*\x3drept\x28/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,31706; reference:cve,2008-4019; classtype:attempted-user; sid:17734; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works file converter file section header index table stack overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"|22 07 00 00 00 22 22 22 22 00 22 06 00 00 00 02 00 46 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,27658; reference:cve,2008-0105; classtype:attempted-user; sid:17304; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word information string overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FE FF 00 00|"; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9|",within 16,distance 24; byte_jump:4,0,relative,little,post_offset -48; byte_extract:4,0,sectLength,relative,little; content:"|1E 00 00 00|",within sectLength; byte_test:4,>,2147483647,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-1540; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:7203; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08|"; content:"|13 08 00 00 00 00 00 00 00 00 00 00|",within 12,distance 2; pcre:"/^(.{3}[\x80-\xFF]|.{7}[\x80-\xFF])/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1247; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16647; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 10 10 00|"; content:"|33 10 00 00|",within 4,distance 16; content:"|54 08 0C 00 54 08 00 00|",distance 0; content:"|55 08 0C 00|",distance 8; content:"|55 08 0C 00|",within 4,distance 12; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0823; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16643; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|13 00|",within 2,distance 20; byte_test:2,>,1024,18,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,40520; reference:cve,2010-0822; reference:url,osvdb.org/show/osvdb/65236; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16638; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|04 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16639; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with linkFmla"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|0E 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16640; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro and linkFmla"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|04 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|0E 00|",within 2; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16641; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel EntExU2 write access violation attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0E 00 24 41 41 41 41 24 04 00 02 C0 42 02 04 00 D7 00 0C 00 A2 00 00 00 3C 00 0E 00 0E 00 0E 00 C2 01 0C 00 00 00 06 00 00 00 03 00 02 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38547; reference:cve,2010-0257; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:19133; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray data parsing vulnerability exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|39 00 02 00 01 00 0F 00 02 00 1D 00 00 00 FF FF 01 00 C0 09 1B FC 1E 00 23 01 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 23 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43647; reference:cve,2010-3231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:19134; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record parsing memory corruption"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|01 00 00 00 FF FF FF FF 00 11 6D 79 63 6F 6D 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,40525; reference:cve,2010-1247; classtype:attempted-user; sid:19412; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft VBE6.dll stack corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|50 00 6F 00 69 00 6E 00 74 00 20 00 44 00 6F 00 63 00 75 00 6D 00|"; content:"|01 00 C3 0F 18 00 00 00|",distance 0; content:"|00 00 00 00|",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,39931; reference:cve,2010-0815; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-031; classtype:attempted-user; sid:16593; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio DXF variable name overflow attempt"; flow:to_client,established; flowbits:isset,file.dxf; file_data; content:"HEADER"; content:"9",distance 0; content:"|0A 24|",distance 0; isdataat:92,relative; content:!"|0A|",within 92; pcre:"/HEADER[\x20\r]*\n[\x20]*9[\x20\r]*\n\x24[^\n]{92}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,39836; reference:cve,2010-1681; classtype:attempted-user; sid:18331; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word malformed table record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 13 3A FF FF FF 8C 0F 00 00 F0 38 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1903; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17124; rev:7; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word file sprmTSetBrc processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc&file.ole; file_data; content:"|08 D6|"; byte_extract:1,2,NumOfColumns,relative; byte_jump:2,-3,relative,little; content:"|20 D6|",within 2,distance -1; byte_test:1,>,NumOfColumns,2,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,38218; reference:cve,2009-3302; reference:cve,2010-2563; reference:url,osvdb.org/show/osvdb/67983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-067; classtype:attempted-user; sid:18535; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5C|sp"; content:"|5C|sn",within 100,nocase; content:"pFragments",within 100,nocase; content:"|5C|sv",within 100,nocase; pcre:"/\x5Csv\s+[^\x7D]*?\x3B[^\x7D]*?\x3B[^\x7B]{12}/smi"; byte_test:4,>,4,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18067; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel CrErr record integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05|"; content:"|65 08|",distance 0; byte_test:1,&,0x80,19,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3230; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17757; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word XP PLFLSInTableStream heap overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5C FE 00 01 02 5C FE 00 01 02 5C FE 00 01 02 5C FE 00 01 02 51 4A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17756; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"4BF0D1BD8B85D111B16A00C0F0283628"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21797; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"4BF0D1BD8B85D1116ab1283628f0c000"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21798; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"E0F86B9944805046EBAD9CE91439010B"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21799; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"B69041C78985D1116AD1283628F0C000"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21800; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"5FDC81917DE08A41A6AC"; pcre:"/5FDC81917DE08A41A6AC(E9B8ECA1EE.8|.98ECB1EEA8E)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21801; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 00 00 00 1F 00 44 F1 F8 00 00 00 00|"; content:"|00 00 00 19 00 00 00 0F 00 2E F1 00 00 00 00 0F 00 2E F1 A0 00 00 00 00 00 3A F1 08 00 00 00 01|",within 32,distance 32; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:21647; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 0B 00 0B 00 00 00 00 00 00 00 AA 00 00 00 03 A0 41 41 41 FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,50949; reference:cve,2011-3411; reference:url,osvdb.org/show/osvdb/77671; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-091; classtype:attempted-user; sid:21243; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FRTWrapper record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|51 08 00 00|AAAAAAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:16800; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 00 0B 00 51 10 08 00 00 01 01 00 FF 00 00 00 27 10 06 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0549; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:18399; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|51 10 0F 00 00 02 00 00 00 00 07 00 3A 00 00 00 00 00 00|"; content:"|51 10 13 00 01 02 00 00 00 00 0B 00 3B 00 00 00 00 00 00 01 00 03 00|",within 23,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:18740; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher tyo.oty field heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 19 1D 00 04 04 01 00 01 00 F2 68 01 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips alert,service http,service imap,service pop3; reference:cve,2010-2569; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18212; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 97 conversion remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 FF FF 67 7E 66 00 48 D4 03 00 57 D7 03 00 FF FF 14 00 1A|"; metadata:policy balanced-ips drop,policy security-ips alert,service http,service imap,service pop3; reference:cve,2010-2571; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18214; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray data parsing vulnerability exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 75 00 14 00 01 00 40 00 00 00 90 22 BD 04 FF FF 00 00 12 00 01 FF 1E 00 23 02 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 01 00 00 00 00 00 04 42 03 FF 00 01 00 24|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43647; reference:cve,2010-3231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17758; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 91 00 07 00 01 00 41 00 00 00 E0 29 BD 04 FF FF 00 00 05 00 01 FF 1E 00 23 02 30 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 02|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17764; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel invalid SerAr object exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|BD 04 FF FF 00 00 05 00 01 FF 1E 00 23 02 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 02 00 00 00 00 00 04 42 03 FF 00 02 00 00 B6 1E 00 00 5B 44 65 70 74 5D 2E 5B 57 73 7A 79 73 74 6B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3239; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17759; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 11 6D 79 63 6F 6D 61 64 64 69 6E 2E 70 72 6F 67 69 64 00 0B 4C 4F 52 45 4D 5F 49 50 53 55 4D 05 50 72 69 63 65 10 00 00 00 2A 00 00 00 00 00 00 00 EA 4E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17760; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|10 00 00 00 2A 00 00 00 00 00 00 00 41 41 13 08 4F 00 13 08|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:18806; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|E8 AC|"; content:"|08 20 E0 AC 01 00 09 C0 6E 00 00 00 41 00 41 00|",within 16,distance 30; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3954; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18230; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1 F8 00 00 00 00 00 27 F1 20 00 00 00|"; content:"|0F 00 3D F1 00 00 00 00 0F 00 31 F1 A0 00 00 00|",within 16,distance 32; content:"|1F 00 2C F1 18 00 00 00 00 00 28 F1 10 00 00 00|",within 16,distance 160; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:18635; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio deserialization double free attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|FF FF FF FF 00 00 BF 8E 22 BD 3E 68 9C 83 00 00 01 00 1D 02|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18415; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio Data Type Memory Corruption"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|80 12 00 0F 00 41 41 38 A4 EF 66 04 00 02 EC F0|"; content:"|56 41 52 43 48 41 A1 52 DC FF|",within 10,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,46138; reference:cve,2011-0093; classtype:attempted-user; sid:18755; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio ORMinfo classes length overflow attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|F2 04 58 41 03 00 47 00 00 00 42 00 00 00 00 00 7B DA 02 EB F0 01 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18417; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio ORMinfo classes length overflow attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|FF FF FF FF 00 00 98 0C 3C BF 61 D1 D2 C9 00 00 01 00 02|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18416; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FNGROUPNAME record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|9A 00 09 00 FF FF 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38553; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-017; classtype:attempted-user; sid:20029; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 1F 00 44 F1 F8 00 00 00 00 00 27 F1|"; content:"|19 00 00 00 0F 00 3D F1 00 00 00 00 0F 00 31 F1|",within 16,distance 32; content:"|FF FF FF FF 1F 00 32 F1 18 00 00 00 00 00 28 F1|",within 16,distance 160; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:19811; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|47 CA FF 00 00 00 00 00 00 00 00 00 00 01 32 00 31 90|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,42136; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:19459; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|47 CA FF 3E C6 FF 41 41 41 41 00 00 00 01 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,42136; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:19458; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher pubconv.dll corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|39 00 39 00 39 00 39 01 1D 00 04 04 01 00 01 00 E2 00 01 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,45277; reference:cve,2010-2569; classtype:attempted-user; sid:19306; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray parsing attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|69 6F 6E 60 01 00 00 B4 01 C7 03 42 03 FF 00 01 00 00 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43654; reference:cve,2010-3239; classtype:attempted-user; sid:19154; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint converter bad indirection remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 20 02 00 00 18 00 00 00 B1 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 00 10 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18948; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1D 00 00 00 FF FF 21 00 34 02 C7 FC 1E 00 23 30 00 00 00 17|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:18538; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE OpenOffice.org Microsoft Office Word file processing integer underflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|08 D6 05 80 05 94 FF E0 10 2C 22 00 06 4C 11 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38218; reference:cve,2009-3301; classtype:attempted-user; sid:18536; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Global Array Index Heap Overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|22 B0 08 07 23 90 A0 05 24 90 A0 05 33 50 00 19 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32583; reference:cve,2008-4026; classtype:attempted-user; sid:17560; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel MalformedPalete Record Memory Corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 80 00 FF 93 02 04 00 14 80 05 FF 92 00 E2 00 80 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,21922; reference:cve,2007-0031; classtype:attempted-user; sid:17542; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 00 0D 10 7E 00 00 00 3B 01 77 00 30 00 30 00 74 00 2C 00 20 00 4D 00 61 00 72 00 63 00 20 00 42 00 65 00 68 00 61 00 72 00 20 00 67 00 69 00 76 00 65 00 73 00 20 00 30 00 2E 00 30 00 31 00 24 00 20 00 62 00 6C 00 6F 00 77 00 6A 00 6F 00 62 00 20 00 61 00 74 00 20 00 65 00 62 00 61 00 79 00 2C 00 20 00 67 00 6F 00 67 00 6F 00 67 00 6F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17539; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|53 68 65 65 74 31 00 00 00 00 00 00 53 68 65 65 74 32 00 00|",depth 20,offset 688; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17538; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 0C 00 77 30 30 74 77 30 30 74 77 30 30 74 8C 00 04 00 21 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17537; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint TxMasterStyle10Atom atom numLevels buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F8 03|"; byte_extract:4,4,master_record,relative,little; content:"|B2 0F|",within master_record; byte_test:2,>,5,4,relative,little; byte_test:1,<,0x90,-4,relative; byte_test:1,!&,0x01,-4,relative; byte_test:1,!&,0x02,-4,relative; byte_test:1,!&,0x04,-4,relative; byte_test:1,!&,0x08,-4,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-1455; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-051; classtype:attempted-user; sid:13971; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; content:"|0A F0 08 00 00 00|"; byte_test:2,&,1024,4,relative,little; byte_test:2,&,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:13572; rev:16; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel malformed formula parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|07 C9 C0 00 00 06 03 00 00 18 00 FF 02 00 00 02 7C 7C 7C 7C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28167; reference:cve,2008-0115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:17655; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|51 08|",distance 0; byte_test:2,<,8,0,relative,little; content:"|51 08|",within 2,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:14641; rev:14; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel country record arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|8C 00 04 00|"; byte_test:2,>,5,0,relative,little; content:"|18 00|",within 2,distance 4; content:"|20 00|",within 2,distance 2; byte_test:2,>,14,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-3006; reference:cve,2008-4266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-043; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-074; classtype:attempted-user; sid:13972; rev:16; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio invalid ho tag attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|0D 14 00 03 00 01 00 16 00 03 00 01 01 02 FF 00 A4 02 A7 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33660; reference:cve,2009-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-005; classtype:attempted-user; sid:15299; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio invalid ho tag attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|00 02 0B|@|00 00 00 00 00 00 00 00 FE 00 FF 00 90 03 A7 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33660; reference:cve,2009-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-005; classtype:attempted-user; sid:16318; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint PP7 Component buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|CC 0F 00 00 FF FF 00 00|"; byte_test:4,>,0x100,0,relative,little; byte_extract:4,0,length,relative,little; content:"|00 00 00 00|",within 4; content:"|BA 0F 00 00|",within length; byte_test:4,>,0x100,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15499; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|EC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:16586; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|DC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:16234; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint paragraph format array inner header overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|1C 00 00 00 00 80 41 41 41 41 41 41 95 00 FF FF 64|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34833; reference:cve,2009-0220; classtype:attempted-user; sid:17695; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint LinkedSlide memory corruption"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 E7|.|08 00 00 00|"; byte_test:4, >, 1000000, 4, relative, little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15500; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint HashCode10Atom memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F0 03|"; content:"|00 00|+",within 3,distance 5; isdataat:4,relative; content:!"|04 00 00 00|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15505; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint file LinkedSlide10Atom record parsing heap corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 E7|.|08 00 00 00|"; byte_jump:4,4,relative,multiplier 16,little; content:"|00 00 E6|.|08 00 00 00|",within 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0030; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:16410; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint CurrentUserAtom remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 F6 0F|"; content:"|14 00 00 00|",within 4,distance 4; byte_test:2,>,255,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1131; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15506; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel Qsir and Qsif record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 08|"; content:"|06 08|",within 2,distance 2; byte_test:1,&,0x10,16,relative; byte_test:1,!&,0x40,16,relative; byte_test:4,>,0,18,relative,little; content:"|07 08|",distance 0; content:"|07 08|",within 2,distance 2; byte_test:1,&,8,2,relative; byte_test:1,<,0x10,2,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:15542; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FeatHdr BIFF record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"g|08|"; content:"|04 00|",within 2,distance 14; content:"|04 00|",within 2,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16241; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio Malformed IconBitsComponent arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|00 00| |00| |FF 00 00 14 01 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0095; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-005; classtype:attempted-user; sid:15303; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SST record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|FC 00|",distance 0; byte_test:4,>,0,2,relative,little; byte_test:4,>,0x10000000,6,relative,little; byte_test:2,>,10,0,relative,little; byte_test:2,<,8225,0,relative,little; byte_jump:2,0,relative,little; pcre:"/^(\xFF|\x3C)\x00/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,36042; reference:cve,2009-0561; reference:cve,2009-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21396492; classtype:attempted-user; sid:15541; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,!&,0x07,0,relative,little; byte_test:1,&,0x48,0,relative,little; content:"|CD 00|",within 2,distance 12; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16471; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,&,0x03,0,relative,little; byte_test:1,&,0x40,0,relative,little; content:"|CD 00|",within 2,distance 12; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16470; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fOdbcConn parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,&,0x06,0,relative,little; byte_test:1,&,0x08,0,relative,little; content:"|CD 00|",within 2,distance 12; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16469; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|42 F1 00 00 00 00 03|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2573; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18066; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher oversized oti length attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|E8 AC|"; content:"|2C 01 04 00|",within 4,distance 2; byte_test:2,>,94,26,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3955; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18231; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 2007 pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|01 2C 01 2B 01 2A 01 2F 01 2E 01 2D 01 52 00 12 12 00 00 00|"; content:"|02 00 13 00|",within 4,distance 11; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35599; reference:cve,2009-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-030; classtype:attempted-user; sid:19932; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel format record code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; content:"|09 08 10 00 00 06|",distance 0; content:"|1E 04|",distance 0,fast_pattern; byte_test:2,>,392,2,relative,little; byte_test:2,>,4,0,relative,little; byte_test:2,<,256,4,relative,little; content:"Sheet1",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-3005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-043; classtype:attempted-user; sid:19552; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word malformed index code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|02 00 60 00 0C 14 FF 00 04 61 D5 00 B0 00 08 00 53 00 75 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43766; reference:cve,2010-2750; classtype:attempted-user; sid:19153; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint bad text header txttype attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 9F 0F 04 00 00 00|"; byte_test:1,>,8,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0022; reference:cve,2011-1269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-036; classtype:attempted-user; sid:16188; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00|"; content:"|11 00 00 00|",distance 0; content:"|47 00 00 00|",distance 0; content:"|08 00 00 00 28 00 00 00|",within 8,distance 8; pcre:"/^(?=.{10}[\x01\x04\x08\x16\x24\x32]\x00)(.{3}[\x55-\xFF]|.{31}[\x80-\xFF])/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3970; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-006; classtype:attempted-user; sid:18265; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Legacy file format picture object code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FF 03 00 00 00 60 16 8F 10 00 00 00 00 5F 07 90 08 28 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34834; reference:cve,2009-0223; classtype:attempted-user; sid:17646; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|13 1F 14 FF 95 80 FF FF 01 00 00 00 00 00 28 2C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30124; reference:cve,2008-2244; classtype:attempted-user; sid:17308; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word document stream handling code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|A8 00 00 00 00 00 00 00 41 41 41 41 10 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,25567; reference:cve,2007-0870; classtype:attempted-user; sid:17368; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel IMDATA buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|7F 00 54 01 09 00 01 00 00 00 00 00 0C 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,21856; reference:cve,2007-0027; classtype:attempted-user; sid:17362; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc&file.ole; file_data; content:"|FF FF FF FF FF FF EC A5 C1 00 4D 20 09 04 00 00 F0 12 BF 00|"; content:"|09 04 16 00 22 0C 00 00 80 57 00 00 80 57 00 00 02|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|",within 12,distance 23; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,23380; reference:cve,2007-1910; reference:url,osvdb.org/show/osvdb/37633; classtype:attempted-user; sid:17301; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet name memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|01 16 01 00 00 F0 00 00 00 2C 03 00 00 D4 00 00 00 00 02 00 00 FF FF FF FF 34 03 00 00 D8 03 00|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24691; reference:cve,2007-3490; classtype:attempted-user; sid:17227; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft HtmlDlgHelper ActiveX clsid access"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"3050f4e1-98b5-11cf-bb82-00aa00bdce0b"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3329; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17770; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 00 01 18 E8 AC 02 68 43 43 43 00 03 20 13 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,27739; reference:cve,2008-0102; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-012; classtype:attempted-user; sid:13470; rev:15; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office WordPad and Office Text Converters PlcPcd aCP buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|02 10 00 00 00 00 00 00 00|"; byte_test:4,>,2147483648,0,relative,little; content:"|00 00 10|",within 3,distance 5; content:"@|00 00 FF FF 01 00|",within 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15467; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|F6 03 00 00 FF 7F 12 D6 FC 12 D6 FC|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:15524; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|07 07 07 52 07 45 07 50 07 52 07 4F 07 07 07|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17742; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 E9 62 F9 FF FF 13 98 FE 0C|4|00 FF 8F FF E7 40 40 40|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17691; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 0D 0A 11|h|01 13 98 FE 0C|4|00 FF 8F 08 00 00 FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:15525; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 0D 0A 11|h|01 13 98 FE 0C|4|00 FF 8F 08 00 00 01 00 00 00 01 00 68 01 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17690; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|C0 00 00 00 16 00 00 00 C8 00 00 00 0D 00 00 00 D0 00 00 00 0C 00 00 00 E1 00 00 00|"; byte_test:4,>,357913941,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2506; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-073; classtype:attempted-user; sid:16314; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel ptg index parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 05 1E 02 00 1E 03 00 05 1E 04 00 05 1E 05 00 05 1E 06 00 05 1E 03 00 1E 04 00|B|04|G|00 D7 00 06 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3132; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16553; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel integer field in row record improper validation remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|08 00|P|00 00 FF 00 00 0A AA|A|8D 86 84|7|0E FF FF 00 00 00 00 00 FE 0D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16226; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word GDI+ Office Art Property Table remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"c|00 0B F0 24 00 00 00 7F 00 04 00 04 00|X|01 00 00 00 00|V|00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16177; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel GDI+ Office Art Property Table remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"3|01 0B F0 8C 02 00 00 7F 00 08 00 08 00|E|C1 A8 01 00 00|F|C1 1C 00 00 00|Q|C1|&|00 00 00|U|C1 00 00 00 00|V|C1 00 00 00 00|W|C1 16 00 00 00|V|00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16178; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel oversized ptgFuncVar cparams value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00|J|00|"; content:"|03 1E 0A 00|B|04|G|00|",within 8,distance 66; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3132; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16233; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio improper attribute code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|19 00 1A 00 1B 00 1C 00 1D 00 1E 00 1F 00| |00|h|00 00 00 02|U|00 00 F8 00 00 00 00 00 00 00|@"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0254; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-028; classtype:attempted-user; sid:16535; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio off-by-one in array index code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"h|00 07 00 01|T|00 00 C8 01 00 00 00 00 00 00|I|00 00 00 00 00 00 F0|?A|00 00 00 00 00 00 E0|?A|00 00 00 00 00 00 B0|?A|00 00 00 00 00 00 B0 BF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0256; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-028; classtype:attempted-user; sid:16536; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel BIFF5 formulas from records parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 01 00 01 00 00 02|"; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 02|",within 21,distance 12; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 02 00 02 00 00 02|",within 21,distance 74; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16463; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel BIFF8 formulas from records parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|3B 00 00 01 00 01 00 00 00 02 00|"; content:"|3B 00 00 00 00 00 00 00 00 02 00|",within 11,distance 12; content:"|3B 00 00 02 00 02 00 00 00 02 00|",within 11,distance 92; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16462; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel uninitialized stack variable code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:">|02 12 00 B6 06 00 00 00 00|@|00 00 00 00 00 00 00 00 00 00 00 1D 00 0F 00 03 00 00 00 00 00 00 01 00 00 00 00 00 00 00 9A 00 06 00 FF FF 00 00 00 00 0A 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16466; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0B 08 3F 00 2C 00 3A 00 00 5F 28 22 24 22 2A 20 23 2C 23 23 1F 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16644; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B0 00 3D 00 02 00 08 00 00 00 01 00 04 00 04 00 01 00 FF 7F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16645; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 E9 0B 0F 00 00 F0 E1 0B 00 00 00 00 06 F0 00 00 00 00 02 04 00 00 02 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16646; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 1"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 E9 0B 0F 00 00 F0 E1 0B 00 00 00 00 06 F0 00 01 00 00 00 FF FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1247; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16648; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Access ACCWIZ library release after free attempt - 1"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|b|00|j|00|e|00|c|00|t|00|P|00|o|00|o|00|l|00|"; content:"|18 00 01 01 FF FF FF FF FF FF FF FF 06 00 00 00 27 03 23 53 2B 17 D0 11 AD 40 00 A0 C9 0D C8 D9|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1881; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-044; classtype:attempted-user; sid:17038; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word sprmCMajority SPRM overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|01 08 5B 05 68 45 DE 11 13 6D 48 7B 07 7D 28 F0 6D 48 44 06 07|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:17119; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint converter bad indirection remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 0D 00 00 00 B0 0F 00 00 FF FF 00 00 8C 01 00 00 18 00 00 00 B1 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B3|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18065; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word bookmark bound check remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 62 00 00 00 75 00 00 00 7E 00 00 00 8A 00 00 00 02 00 00 00 02 00 00 00 00 00 02 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3216; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17754; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word unchecked index value remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|E0 10 11 84 00 00 15 C6 05 00 01 48 12 06 5E 84 E0 10 60 84 00 00 6F 28 00 87 68 00 00 00 00 88|"; content:"|0F 84 1C 11 11 84 4C FF 15 C6 05 00 01 1C 11 06|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17755; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel GhostRw record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|20 00 05 19 40 00 01 1E 01 00 19 40 00 01 03 1F 00 00 00 00 00 00 10 41 1E 00 04 05 19 40 00 01 1E 01 00 19 40 00 01 03 1E 10 00 1E 00 01 05 19 40|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3242; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17763; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel malformed MsoDrawingObject record attempt"; flow:established, to_client; flowbits:isset,file.xls; file_data; content:"|18 6A CB 01 70 7E 13 F2 DE 6E CB 01 06 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3335; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18068; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5F B3 AC 33 42 1E DA DE 51 CA FA 0D 4F 71 3C 4B BE EC 72 87 2B 4D 06 22 A7 4C 49 75 6A E0 37 20 BB 29 CB A9 2E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17406; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|11 84 98 FE 5E 84 68 01 60 84 98 FE 4F 4A 06 00 51 4A 06 00 6F 28 00 87 68 00 00 00 00 88 48 00 00 42 43 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17404; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office TIFFIM32.FLT filter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 02 00 03 00 00 FF FF 00 00 0D 00 01 03 00 03 00 00 00 01 00 03 00 00 01 06 00 03 00 00 00 01 00 00 00 00 01 0A 00 03|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3949; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18236; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter sprmTTextFflow overflow attempt"; flow:to_client,established; file_data; content:"|29 76 00 FF E0 01 13 D6 30 00 00 00 FF 04 01 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:18643; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt"; flow:to_client,established; file_data; content:"|25 56 00 FF 05 D6 18 04 01 00 00 04 01|",fast_pattern; content:"|08 D6 1A 00 01 94 FF 2C 22 00 06 98 22|",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:18642; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office BpscBulletProof uninitialized pointer dereference attempt"; flow:to_client,established; file_data; content:"|0F 00 03 18 79 3B 00 00 0F 00 04 F0 48 05 00 00 01 00 09|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1982; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; classtype:attempted-user; sid:20129; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt"; flow:to_client,established; flowbits:isset,file.slk; file_data; content:"|0A|P|3B|PAAAA"; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:20049; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 26 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 0E 00 00 00 06 01 01 00 00 00 53|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:17310; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt"; flow:to_client,established; file_data; content:"|00 00 29 76 00 FF E0 01 13 D6 30 00 00 00 FF 04 01 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:19707; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|00 00 05 00 00 00 07 08 00 00 0F 00 EF 03 00 00 00 00 0F 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38073; reference:cve,2010-0243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-003; classtype:attempted-user; sid:19442; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_client,established; flowbits:isset,file.cgm; file_data; content:"|20 42 00 01 00 80 41 3F 8F F8 00 00 00 95 00 C7 00 00 00 C7 00 95 00 AA 00 96 00 08 00 00 00 0C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:19156; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt 3"; flow:to_client,established; file_data; content:"|6C 2F 63 6F 6D 6D 65 6E 74 73 31 2E 78 6D 6C AC AA AA AA AA|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:18541; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_client,established; file_data; content:"|0A F0 08 00 00 00 01 20 01 00 56 61 9A 92 B3 65 82 F0 30 00 00 00 81 01 00 00 B4 B0|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:18514; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint PP7 File Handling Memory Corruption attempt"; flow:to_client,established; file_data; content:"|08 00 00 00 00 00 00 00 AA FF FF 3F 00 00 00 00 FD 03 00 00 01 00 00 00 34 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34880; reference:cve,2009-0225; classtype:attempted-user; sid:17565; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher Object Handler Validation Code Execution attempted"; flow:to_client,established; file_data; content:"|00 00 03 68 1A 01 00 00 34 00 00 00 01 20 01 00|"; content:"|01 20 1D 01 00 00 02 20 1C 01 00 00 03 90 5A 05 00 00 00 78 00 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29158; reference:cve,2008-0119; classtype:attempted-user; sid:17383; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio Object Header Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|10|@|DE|naaa|87|a|17|@|DE FD F2 F1 09|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-1089; classtype:attempted-user; sid:15163; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio DXF file invalid memory allocation exploit attempt"; flow:to_client,established; flowbits:isset,file.dxf; file_data; content:"HATCH|0D 0A|",nocase; pcre:!"/^\s*[1-9][0-9]*\x0d\x0a/R"; metadata:policy balanced-ips drop,policy security-ips alert,service http,service imap,service pop3; reference:cve,2008-1090; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-019; classtype:attempted-user; sid:13665; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_client,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-EPSF-3.0"; content:"|C5 D0 D3 C6|",depth 4; byte_test:2,>,32767,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30595; reference:cve,2006-1317; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:13970; rev:14; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt"; flow:to_server,established; http_uri; content:".ppt",nocase; pcre:"/[^\x5C\x2F\x3A\x2A\x3F\x22\x3C\x3E\x7C\x3D\s]{256}\x2Eppt($|\x3f)/i"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2010-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:16409; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher Adobe Font Driver code execution attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|E0 98 FF FF FF E1 FF 5F FF E2 DF E0 DE 71 DE 9E DE 71 DC 83|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3956; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-091; classtype:attempted-user; sid:18233; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; flow:to_client,established; file_data; content:"|C0 9C 83 4A FF F8 CE 11 A0 6B 00 AA 00 A7 11 91 30 00 00 00|"; content:"T|00|h|00|u|00|m|00|b|00|n|00|a|00|i|00|l|00 00 00 41 00 00 00|",distance 0; content:"|28 00 00 00|",within 4,distance 4; pcre:"/^(?=.{10}[\x01\x04\x08\x16\x24\x32]\x00)(.{3}[\x55-\xFF]|.{31}[\x80-\xFF])/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3970; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-006; classtype:attempted-user; sid:18398; rev:9; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt "; flow:established, to_server; content:"Content-Type|3A|",nocase; content:"application/ms-tnef",within 25,nocase; content:"bGU6Ly9jOlx3aW5kb3dz",distance 0,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-045; classtype:attempted-user; sid:17036; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt "; flow:established, to_server; content:"Content-Type|3A|",nocase; content:"application/ms-tnef",within 25,nocase; content:"aWxlOi8vYzpcd2luZG93",distance 0,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-045; classtype:attempted-user; sid:17035; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt "; flow:established, to_server; content:"Content-Type|3A|",nocase; content:"application/ms-tnef",within 25,nocase; content:"ZmlsZTovL2M6XHdpbmRv",distance 0,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-045; classtype:attempted-user; sid:17034; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt"; flow:to_server,established; file_data; content:"|5C|sp"; content:"|5C|sn",within 100,nocase; content:"pFragments",within 100,nocase; content:"|5C|sv",within 100,nocase; pcre:"/\x5Csv\s+[^\x7D]*?\x3B[^\x7D]*?\x3B[^\x7B]{12}/smi"; byte_test:4,>,4,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18310; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 2007 file format arbitrary code execution attempt"; flow:to_client,established; file_data; content:"R|00 12 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 13 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-030; classtype:attempted-user; sid:15681; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt 2"; flow:to_client,established; file_data; content:"|87 0C 14 B9 C6 B7 BD BB 1A|x?|9F EE 0A|P|1C D1 B5|8xG|06 BE 88 E1|X|DF DE|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16468; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt 1"; flow:to_client,established; file_data; content:"Zsk|C9 23 EF E2|@A|3A 97 98|<f|81 E9 AA|yH|84 1D|[|A2 EC|{|FD 5C 14|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16467; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Access ACCWIZ library release after free attempt - 2"; flow:to_client,established; file_data; content:"CLASSID|3D 22|CLSID|3A|53230327-172B-11D0-AD40-00A0C90DC8D9|22| data|3D|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1881; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-044; classtype:attempted-user; sid:17039; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_client,established; file_data; content:"|41 3F 80 14 00 00 00 1F 00 1F 00 00 00 1F 00 1F 00 20 00 20 00 00 00 00 05 B8 80 80 FF FF FF 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:18200; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 0D 10 00 00 0F 84 D0 02 11 84 98 FE 5E 84 D0 02 60 84 98 FE 6F 28 00 87 68 00 00 00 00 88 48 00 00 1F 05|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17405; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_server,established; content:"aWxlOi8vYzpcd2luZG93c1xzeXN0ZW0zMlxjYWxj"; pcre:"/^[A-Za-z0-9\\x2b\x2f][GWm2]V4ZT9vb29v[A-Za-z0-9\\x2b\x2f][GWm2]Rh/R"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:20247; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_server,established; content:"bGU6Ly9jOlx3aW5kb3dzXHN5c3RlbTMyXGNhbG"; pcre:"/^[MNOP][A-Za-z0-9\\x2b\x2f]ZXhlP29vb2[89+/][A-Za-z0-9\\x2b\x2f]ZGF0/R"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:20246; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_server,established; content:"xNzIuMTYuOC4zOS9wdWJsaWMvZXhwbG9pdC5leGU"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:19407; rev:6; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_server,established; content:"ZmlsZTovL2M6XHdpbmRvd3Ncc3lzdGVtMzJcY2FsYy5leGU/b29vby5kYXQK"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:19406; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_client,established; file_data; content:"file://c:|5C|windows|5C|system32|5C|calc.exe?oooo.dat"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:19405; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Outlook arbitrary command line attempt"; flow:to_client,established; file_data; content:"mailto|3A|",nocase; content:"|2F|importprf",distance 0,nocase; pcre:"/\x3c[^\x3e]+[\x22\x27]mailto\x3a[^\x3e]+\x3f[^\x3e]*\x2fimportprf/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-015; classtype:misc-attack; sid:13573; rev:14; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office WordPad and Office Text Converters XST parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 90|hNIr|8F 1E 23 FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F 00 00 01 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0D 10 00 00 0F 84|h|01 11 84 98 FE|^|84|h|01|`|84 98 FE|o|28 00 87|h|00 00 00 00 88|H|00 00|BB"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15455; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office WordPad WordPerfect 6.x converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|1E 00 00 00 10 00 00 00|Nullcode.com.ar|00 03 00 00 00 01 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15466; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|4E 08 7D EB|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21896; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|8B 8D DA 58|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21897; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|00 36 D8 F4|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21898; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|B1 3C C1 6A|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21899; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|8E 7E E1 E6|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21900; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|A3 E8 13 07|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21901; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt"; flow:to_client,established; flowbits:isset,file.doc&file.ole; file_data; content:"|08 D6|"; byte_extract:1,2,NumberOfColumns,relative,little; content:"|20 D6 0B|",distance 0; byte_extract:1,0,itcFirst,relative,little; byte_test:1,>,itcFirst,0,relative,little; byte_test:1,>,NumberOfColumns,0,relative,little; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; reference:bugtraq,43122; reference:cve,2009-3302; reference:cve,2010-2563; reference:url,osvdb.org/show/osvdb/67983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-067; classtype:attempted-user; sid:17250; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 51 10 1D 00 01 02 00 00 00 00 15 00 3B FF FF 00 00 00 00 00 00 01 00 13 00 13 00 01 00 01 00 00 02 51 10 1D 00 02 02 00 00 00 00 15|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:21942; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|10 08 00 00 01 00 00 00 00 00 00 51 10 13 00 01 02 00 00 00 00 0B 00 3B 01 00 02 00 02 00 00 00 02 00 51 10 13 00 02 02 00 00 00 00 0B 00 3B 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:21943; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE OpenOffice OLE file stream buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"W|00|o|00|r|00|d|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|",nocase; byte_test:4,>,0x80000000,96,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28819; reference:cve,2008-0320; classtype:attempted-user; sid:17315; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B5 00|"; content:!"|00 00|",within 2; byte_test:2,>,0x7fff,2,little,relative; byte_test:2,>=,0,4,little,relative; byte_test:2,<=,1,4,little,relative; byte_test:2,>=,0,8,little,relative; byte_test:2,<=,0x7ef4,8,little,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:22091; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B5 00|"; content:!"|00 00|",within 2; byte_test:2,>,0x7fff,2,little,relative; byte_test:2,>=,0,4,little,relative; byte_test:2,<=,1,4,little,relative; content:"|FF 7F|",within 2,distance 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:23009; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FNGROUPNAME record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|98 08 09 00 FF FF 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38553; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-017; classtype:attempted-user; sid:23010; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Outlook arbitrary command line attempt"; flow:to_client,established; file_data; content:"mailto|3A|",nocase; content:"|2F|altvba",distance 0,nocase; pcre:"/\x3c[^\x3e]+[\x22\x27]mailto\x3a[^\x3e]+\x3f[^\x3e]*\x2faltvba/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-015; classtype:misc-attack; sid:23211; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_server,established; file_data; content:"|FE 00 00 02 D6 FD FF 00 02 D5 FB FE 00 02 D4 FA FE 00 06 D6|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-3945; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:23526; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_server,established; file_data; content:"|41 3F 80 14 00 00 00 1F 00 1F 00 00 00 1F 00 1F 00 20 00 20 00 00 00 00 05 B8 80 80 FF FF FF 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-3945; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:23527; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint paragraph format array inner header overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|1C 00 00 00 00 80 41 41 41 41 41 41 95 00 FF FF 64|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,34833; reference:cve,2009-0220; classtype:attempted-user; sid:23534; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint Download of version 4.0 file"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; content:"P|00|P|00|4|00|0|00|",within 8,distance 108; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-0220; reference:cve,2009-0223; reference:cve,2009-0226; reference:cve,2009-0227; reference:cve,2009-1137; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23535; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint CurrentUserAtom remote code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|00 00 F6 0F|"; content:"|14 00 00 00|",within 4,distance 4; byte_test:2,>,255,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-1131; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23536; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint HashCode10Atom memory corruption attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F0 03|"; content:"|00 00|+",within 3,distance 5; isdataat:4,relative; content:!"|04 00 00 00|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-1130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23537; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint PP7 Component buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|CC 0F 00 00 FF FF 00 00|"; byte_test:4,>,0x100,0,relative,little; byte_extract:4,0,length,relative,little; content:"|00 00 00 00|",within 4; content:"|BA 0F 00 00|",within length; byte_test:4,>,0x100,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-1129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23538; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint Legacy file format picture object code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|FF 03 00 00 00 60 16 8F 10 00 00 00 00 5F 07 90 08 28 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,34834; reference:cve,2009-0223; classtype:attempted-user; sid:23539; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word GDI+ Office Art Property Table remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"c|00 0B F0 24 00 00 00 7F 00 04 00 04 00|X|01 00 00 00 00|V|00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23540; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel GDI+ Office Art Property Table remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"3|01 0B F0 8C 02 00 00 7F 00 08 00 08 00|E|C1 A8 01 00 00|F|C1 1C 00 00 00|Q|C1|&|00 00 00|U|C1 00 00 00 00|V|C1 00 00 00 00|W|C1 16 00 00 00|V|00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23541; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel integer field in row record improper validation remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|08 00|P|00 00 FF 00 00 0A AA|A|8D 86 84|7|0E FF FF 00 00 00 00 00 FE 0D|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-3130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:23542; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|13 00|",within 2,distance 20; byte_test:2,>,1024,18,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,40520; reference:cve,2010-0822; reference:url,osvdb.org/show/osvdb/65236; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23544; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|04 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23545; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with linkFmla"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|0E 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23546; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro and linkFmla"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|04 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|0E 00|",within 2; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23547; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|13 08 E9 0B 0F 00 00 F0 E1 0B 00 00 00 00 06 F0 00 00 00 00 02 04 00 00 02 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-1246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23550; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B0 00 3D 00 02 00 08 00 00 00 01 00 04 00 04 00 01 00 FF 7F|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23552; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|0B 08 3F 00 2C 00 3A 00 00 5F 28 22 24 22 2A 20 23 2C 23 23 1F 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23554; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft HtmlDlgHelper ActiveX clsid access"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"3050f4e1-98b5-11cf-bb82-00aa00bdce0b"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-3329; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:23555; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office EMF image EMFPlusPointF record memory corruption attempt"; flow:to_client,established; file_data; content:"|02 04 ED 9F F3 EE 77 BA A1 09 E7 97 42 49 07 A4 39 2E FF 00 D8 05 00 00 01 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0167; classtype:attempted-user; sid:23989; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office EMF image EMFPlusPointF record memory corruption attempt"; flow:to_server,established; file_data; content:"|02 04 ED 9F F3 EE 77 BA A1 09 E7 97 42 49 07 A4 39 2E FF 00 D8 05 00 00 01 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-0167; classtype:attempted-user; sid:23992; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"Times|20|New|20|Roman|20|Cyr|03 10 FF 41 41 41 41 41 41 41 41 41 41 41 41|"; content:"|41 41 41 41 28 AE 12 00 41 41 41 41 58 17 DD 77|",within 16,distance 112; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:18616; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"|00 00 00 00 A2 04 00 00 00 00 4E 03 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 10 FF 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:18615; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works file converter file section length headers memory corruption attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"STSH"; byte_test:2,>,32768,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,27657; reference:cve,2007-0216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-011; classtype:attempted-user; sid:13466; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"Timesffffffffff|01 10 12|fffff ffffffffffff|02 00 FF|fffff fffffffffffff|03 10 15|fffffffffffffffffffff|04 10 13|fffffffffffffffffffffffffffffffffffffffffffff|29 06 10 18|ffffffffffffffffffffffff|07 10 16|ffffffffffffffffffffff|08 10 1C|ffffffffffffffffffffffffffff|00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:15526; rev:10; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Visio DXF variable name overflow attempt"; flow:to_server,established; flowbits:isset,file.dxf; file_data; content:"HEADER"; content:"9",distance 0; content:"|0A 24|",distance 0; isdataat:92,relative; content:!"|0A|",within 92; pcre:"/HEADER[\x20\r]*\n[\x20]*9[\x20\r]*\n\x24[^\n]{92}/"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,39836; reference:cve,2010-1681; classtype:attempted-user; sid:24186; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 9 use-after-free attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:" = |22|BLAAAAAH|22| |22|, blah blah |13| IF |13| MERGEFIELD"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2550; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-065; classtype:attempted-user; sid:24351; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Works 9 use-after-free attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:" = |22|BLAAAAAH|22| |22|, blah blah |13| IF |13| MERGEFIELD"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-2550; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-065; classtype:attempted-user; sid:24352; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word RTF malformed listid attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|listtable{"; content:"|5C|listid2147483647}"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-064; classtype:attempted-user; sid:24353; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word RTF malformed listid attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|listid2147483647}"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-064; classtype:attempted-user; sid:24354; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rgfc value overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|47 16 00 00 4A 16 00 00 B2 0C 00 40 51 16 00 00 55 16 00 00 59 16 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0182; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-064; classtype:attempted-user; sid:24357; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word rgfc value overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|47 16 00 00 4A 16 00 00 B2 0C 00 40 51 16 00 00 55 16 00 00 59 16 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-0182; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-064; classtype:attempted-user; sid:24358; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format invalid field size memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout",nocase; content:"|5C|dppolycount",within 50,nocase; byte_test:5,>,50,0,string,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1902; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17123; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|emfblip"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17120; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 2"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|pngblip"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17121; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 3"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|jpegblip"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17122; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/[^\x3b\x7d]*\x3b[^\x3b\x7d]*\x3b.{8}/smiR"; byte_test:4,>,4,0,relative,little, string, hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18680; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF malformed second pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/^[^\x3B\x7D]{0,10}\x3B[^\x3B\x7D]{64}/smiR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18706; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dppolycount",nocase; byte_test:5,>,8186,0,relative,string,dec; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:misc-attack; sid:15106; rev:12; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office RTF malformed second pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/^[^\x3B\x7D]{0,10}\x3B[^\x3B\x7D]{64}/smiR"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18705; rev:9; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office RTF malformed second pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/^[^\x3B\x7D]{0,10}\x3B[^\x3B\x7D]{64}/smiR"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18704; rev:11; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/[^\x3b\x7d]*\x3b[^\x3b\x7d]*\x3b.{8}/smiR"; byte_test:4,>,4,0,relative,little, string, hex; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18703; rev:9; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/[^\x3b\x7d]*\x3b[^\x3b\x7d]*\x3b.{8}/smiR"; byte_test:4,>,4,0,relative,little, string, hex; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18702; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word RTF parsing memory corruption"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpline |5C|dpline |5C|dpline |5C|dpline"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29104; reference:cve,2008-1091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-026; classtype:attempted-user; sid:17743; rev:12; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout"; pcre:"/\x5cdpcallout\s*\x5cdpcallout\s*\x5cdpcallout/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:15082; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"4E087DEB",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21902; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8B8DDA58",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21903; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"0036D8F4",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21904; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"B13CC16A",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21905; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8E7EE1E6",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21906; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office rtf document generic exploit indicator"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"%USERPROFILE%|5C|"; pcre:"/\x25USERPROFILE\x25\x5C[^\x2e]{1,255}\x2eexe/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21907; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"A3E81207",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21937; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"D0CF11E0"; content:"436F626A",distance 0,nocase; byte_test:8,=,0x64000000,0,relative,little,string,hex; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:23305; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE OpenOffice RTF File parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"rtf",nocase; content:"|5C|prtdata",distance 0,nocase; isdataat:200,relative; content:!"|0A|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24450; reference:cve,2007-0245; classtype:attempted-user; sid:17403; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works Word document use after free attempt"; flow:to_client,established; flowbits:set,file.doc; file_data; content:"|00 FF 00 00 00 13 3B 74 FF 13 3B 74 FF 95 C0 95 8C 13 3B 74 FF 95 80 13 3B 74 FF 95 80 0F 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2550; classtype:attempted-user; sid:24587; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Works Word document use after free attempt"; flow:to_server,established; flowbits:set,file.doc; file_data; content:"|00 FF 00 00 00 13 3B 74 FF 13 3B 74 FF 95 C0 95 8C 13 3B 74 FF 95 80 13 3B 74 FF 95 80 0F 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-2550; classtype:attempted-user; sid:24588; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_server,established; flowbits:isset,file.cgm; file_data; content:"|20 42 00 01 00 80 41 3F 8F F8 00 00 00 95 00 C7 00 00 00 C7 00 95 00 AA 00 96 00 08 00 00 00 0C|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:24823; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint bad text header txttype attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 9F 0F 04 00 00 00|"; byte_test:1,>,8,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2006-0022; reference:cve,2011-1269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-036; classtype:attempted-user; sid:24868; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|listoverride"; content:"|5C|listoverridecount"; content:!"|5C|listoverridecount0"; content:!"|5C|listoverridecount1"; content:!"|5C|listoverridecount9"; content:!"|5C|listoverridecount|00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-079; classtype:attempted-user; sid:24974; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|listoverride"; content:"|5C|listoverridecount"; content:!"|5C|listoverridecount0"; content:!"|5C|listoverridecount1"; content:!"|5C|listoverridecount9"; content:!"|5C|listoverridecount|00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-2539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-079; classtype:attempted-user; sid:24975; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1C 1D 13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 02 00 00 00 11 6D 79 63 6F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25293; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 04 00 00 A7 00 04 00 B0 0F 0C 00 3C 00 50 01 77 8D A4 06 30 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25294; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|1C 1D 13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 02 00 00 00 11 6D 79 63 6F|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25295; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|06 04 00 00 A7 00 04 00 B0 0F 0C 00 3C 00 50 01 77 8D A4 06 30 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25296; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|42 F1 00 00 00 00 03|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-2573; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:25311; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pfragments|00 CC 7D 7B 7B 5C 2A 5C 2A 7D 5C 73 76 7B 7D 7B 5C 69 6E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:25393; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; content:"|0A F0 08 00 00 00|"; byte_test:2,&,1024,4,relative,little; byte_test:2,&,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:25587; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|EC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:25630; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|DC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:25631; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word unchecked index value remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|E0 10 11 84 00 00 15 C6 05 00 01 48 12 06 5E 84 E0 10 60 84 00 00 6F 28 00 87 68 00 00 00 00 88|"; content:"|0F 84 1C 11 11 84 4C FF 15 C6 05 00 01 1C 11 06|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-3219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:25768; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft OLE automation string manipulation overflow attempt"; flow:to_client,established; file_data; content:"|2E|substringData"; pcre:"/\x2esubstringData\s*\x28[^\x2c]*\x2c\s*0x7(f|F){6}[6-9AaBbCcDdEeFf]/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25282; reference:cve,2007-2224; classtype:attempted-user; sid:17421; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Visio version number anomaly"; flow:to_server,established; flowbits:isset,file.visio&file.ole; file_data; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x01-\x06\x0b]|\x00\x00[\x01-\x06\x0b][^\x00])/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,24349; reference:cve,2007-0934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-030; classtype:misc-activity; sid:26089; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office OneNote 2010 buffer overread info disclosure attempt"; flow:to_client,established; file_data; content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|",depth 16; content:"|09 34 00 20 5B 34 00 1C|"; byte_test:2,>,499,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-025; classtype:attempted-recon; sid:26170; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office OneNote 2010 buffer overread info disclosure attempt"; flow:to_server,established; file_data; content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|",depth 16; content:"|09 34 00 20 5B 34 00 1C|"; byte_test:2,>,499,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-025; classtype:attempted-recon; sid:26171; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel FRTWrapper record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|51 08 00 00|AAAAAAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:26174; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|51 08|",distance 0; byte_test:2,<,8,0,relative,little; content:"|51 08|",within 2,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:26175; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel format record code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; content:"|09 08 10 00 00 06|",distance 0; content:"|1E 04|",distance 0,fast_pattern; byte_test:2,>,392,2,relative,little; byte_test:2,>,4,0,relative,little; byte_test:2,<,256,4,relative,little; content:"Sheet1",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2008-3005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-043; classtype:attempted-user; sid:26329; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint TxMasterStyle10Atom atom numLevels buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F8 03|"; byte_extract:4,4,master_record,relative,little; content:"|B2 0F|",within master_record; byte_test:2,>,5,4,relative,little; byte_test:1,<,0x90,-4,relative; byte_test:1,!&,0x01,-4,relative; byte_test:1,!&,0x02,-4,relative; byte_test:1,!&,0x04,-4,relative; byte_test:1,!&,0x08,-4,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2008-1455; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-051; classtype:attempted-user; sid:26330; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any ( msg:"FILE-OFFICE OpenOffice OLE File Stream Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"W|00|o|00|r|00|d|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|",nocase; byte_test:4,>,0x80000000,96,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,28819; reference:cve,2008-0320; classtype:attempted-user; sid:26453; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_server,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-EPSF-3.0"; content:"|C5 D0 D3 C6|",depth 4; byte_test:2,>,32767,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,30595; reference:cve,2006-1317; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:26597; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel sheet name memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|01 16 01 00 00 F0 00 00 00 2C 03 00 00 D4 00 00 00 00 02 00 00 FF FF FF FF 34 03 00 00 D8 03 00|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:bugtraq,24691; reference:cve,2007-3490; classtype:attempted-user; sid:26602; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio XML parameter entity reference local file disclosure attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<!ENTITY",nocase; content:"SYSTEM",within 25,nocase; content:"file:///",within 25,fast_pattern,nocase; content:"<!ENTITY",distance 0,nocase; content:"SYSTEM",within 25,nocase; content:"http://",within 25,nocase; pcre:"/<\x21ENTITY\s+?\x25\s+?(?P<local>[^\s]+?)\s+?SYSTEM\s+?[\x22\x27]\s*?file:\x2f\x2f\x2f.*?[\x22\x27]\s*?<\x21ENTITY\s+?(\x25|%\x3b)[^>]+?SYSTEM\s+?[\x22\x27]\s*?http:\x2f\x2f[^>]+?\x25(?P=local)\x3b/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1301; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-044; classtype:attempted-recon; sid:26626; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio SVG external entity local file disclosure attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"<!DOCTYPE",nocase; content:"svg",within 25,nocase; content:"<!ENTITY",within 25,nocase; content:"SYSTEM",within 25,nocase; content:"http://",within 25,nocase; pcre:"/<\x21DOCTYPE\s+?svg\s+?\[\s*?<\x21ENTITY\s+?\x25\s+?(?P<remote>[^\s]+?)\s+?SYSTEM\s+?[\x22\x27]\s*?http:\x2f\x2f[^\x5d]+?\x25(?P=remote)\x3b/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1301; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-044; classtype:attempted-recon; sid:26627; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Visio SVG external entity local file disclosure attempt"; flow:to_server,established; flowbits:isset,file.svg; file_data; content:"<!DOCTYPE",nocase; content:"svg",within 25,nocase; content:"<!ENTITY",within 25,nocase; content:"SYSTEM",within 25,nocase; content:"http://",within 25,nocase; pcre:"/<\x21DOCTYPE\s+?svg\s+?\[\s*?<\x21ENTITY\s+?\x25\s+?(?P<remote>[^\s]+?)\s+?SYSTEM\s+?[\x22\x27]\s*?http:\x2f\x2f[^\x5d]+?\x25(?P=remote)\x3b/i"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1301; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-044; classtype:attempted-recon; sid:26628; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_server,established; file_data; content:"|0A F0 08 00 00 00 01 20 01 00 56 61 9A 92 B3 65 82 F0 30 00 00 00 81 01 00 00 B4 B0|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:26663; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc&file.ole; file_data; content:"|42 75 66 66 65 72 20 6F 76 65 72 66 6C 6F 77|"; content:"|09 04 16 00 35 0E 00 00 CE 90 01 00 CE 90 01 00 10 00 00 00|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,23380; reference:cve,2007-1910; reference:url,osvdb.org/show/osvdb/37633; classtype:attempted-user; sid:26672; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc&file.ole; file_data; content:"|FF FF FF FF FF FF EC A5 C1 00 4D 20 09 04 00 00 F0 12 BF 00|"; content:"|09 04 16 00 22 0C 00 00 80 57 00 00 80 57 00 00 02|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|",within 12,distance 23; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,23380; reference:cve,2007-1910; reference:url,osvdb.org/show/osvdb/37633; classtype:attempted-user; sid:26673; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc&file.ole; file_data; content:"|42 75 66 66 65 72 20 6F 76 65 72 66 6C 6F 77|"; content:"|09 04 16 00 35 0E 00 00 CE 90 01 00 CE 90 01 00 10 00 00 00|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,23380; reference:cve,2007-1910; reference:url,osvdb.org/show/osvdb/37633; classtype:attempted-user; sid:26674; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt"; flow:to_server,established; flowbits:isset,file.doc&file.ole; file_data; content:"|08 D6|"; byte_extract:1,2,NumberOfColumns,relative,little; content:"|20 D6 0B|",distance 0; byte_extract:1,0,itcFirst,relative,little; byte_test:1,>,itcFirst,0,relative,little; byte_test:1,>,NumberOfColumns,0,relative,little; metadata:policy balanced-ips alert,policy security-ips alert,service smtp; reference:bugtraq,43122; reference:cve,2009-3302; reference:cve,2010-2563; reference:url,osvdb.org/show/osvdb/67983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-067; classtype:attempted-user; sid:26676; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 26 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 0E 00 00 00 06 01 01 00 00 00 53|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26706; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26707; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 0A 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26708; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 0A 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26709; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26710; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Excel malformed ftCMO record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 10 00 00 06 10 00|"; content:"|15 00 12 00 08 00|",distance 0,fast_pattern; content:"|5D 00|",within 2,distance -10; byte_test:2,>,0,0,little,relative; content:!"|EC 00|",within 2049,distance -2049; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-009; classtype:attempted-user; sid:26711; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access"; flow:to_client,established; file_data; content:"MSComctlLib.Toolbar.2"; flowbits:set,mscomctl.toolbar; flowbits:noalert; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; classtype:misc-activity; sid:26830; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access"; flow:to_server,established; file_data; content:"MSComctlLib.Toolbar.2"; flowbits:set,mscomctl.toolbar; flowbits:noalert; metadata:policy balanced-ips alert,policy security-ips alert,service smtp; classtype:misc-activity; sid:26831; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control exploit attempt"; flow:to_client,established; flowbits:isset,file.rtf|file.ole; flowbits:isset,mscomctl.toolbar; file_data; content:"CKBJCKBJCKBJCKBJCKBJCKBJCKBJCKBJ"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html; classtype:attempted-user; sid:26832; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control exploit attempt"; flow:to_server,established; flowbits:isset,file.rtf|file.ole; flowbits:isset,mscomctl.toolbar; file_data; content:"CKBJCKBJCKBJCKBJCKBJCKBJCKBJCKBJ"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html; classtype:attempted-user; sid:26833; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_client,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-3.1 EPSF-3.0"; content:"|C5 D0 D3 C6|",depth 4; byte_test:4,>,65535,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30595; reference:cve,2006-1317; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:27089; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_server,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-EPSF-3.0"; content:"|C5 D0 D3 C6|",depth 4; byte_test:4,>,65535,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,30595; reference:cve,2006-1317; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:27090; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint schemes record buffer overflow"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|B2 B2 B2 B2 B2 B2 01 80 2C 01 5F 16 05 00 FF 7F 00 00 FF 00 00 00 00 00 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0226; classtype:attempted-user; sid:27215; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint printer record buffer overflow"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|4E 6F 6E 65 00 44 72 69 76 65 72 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0227; classtype:attempted-user; sid:27216; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows download of .lnk file that executes cmd.exe detected"; flow:to_client,established; flowbits:isset,file.lnk; file_data; content:"WINDOWS|5C|system32|5C|cmd|2E|exe"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,15069; reference:cve,2005-2122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-049; classtype:attempted-user; sid:17442; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Visual Studio VAP file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.vap; file_data; content:"|22|projectname|22| = |22|",nocase; content:!"|22|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-1043; reference:url,www.securityfocus.com/bid/16953; classtype:attempted-user; sid:22032; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"head",within 200; byte_test:4,>=,0x80000000,4,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23152; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"head",within 200; byte_test:4,>=,0x80000000,8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23153; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"name",within 200; byte_test:4,>=,0x80000000,4,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23154; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"name",within 200; byte_test:4,>=,0x80000000,8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23155; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF multiple antivirus evasion attempts"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1429; classtype:attempted-user; sid:23318; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1420; classtype:attempted-user; sid:23323; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"|19 04 00 10|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1424; classtype:attempted-user; sid:23326; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"ITSF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1422; classtype:attempted-user; sid:23328; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"MSCF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1421; classtype:attempted-user; sid:23329; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"[aliases]",depth 9,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1419; classtype:attempted-user; sid:23351; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF multiple antivirus evasion attempts"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|19 04 00 10|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1430; classtype:attempted-user; sid:23357; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table overflow attempt"; flow:to_server,established; flowbits:isset,file.eot; file_data; content:"|00 01 00 01 00 00 00 01 FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-029; classtype:attempted-user; sid:23566; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows malformed ASF voice codec memory corruption attempt"; flow:to_server,established; file_data; content:"@|9E|i|F8|M[|CF 11 A8 FD 00 80|_|5C|D+"; isdataat:46,relative; pcre:"/^.{38}\x0a\x00..(?!(\x40\x1f|\x11\x2b|\x80\x3e|\x22\x56)\x00\x00)/R"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2009-0555; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-051; classtype:attempted-user; sid:23578; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 41 41 41 41 41 41 AB 41 05 43 01 57 17|",within 20,distance 484; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:17807; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF 00 00|rcsL"; isdataat:192,relative; content:"|01 02 4C 00 00 00 00 80 00 00 F0 FF F0 02 67 25 A2 01 33 41|",within 20,distance 192; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:17806; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; content:"XFIR",nocase; content:"tSAC",distance 0,nocase; byte_test:2,>,32767,40,relative; content:"shockwave3d",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:23371; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave tSAC pointer overwrite attempt"; flow:to_client,established; flowbits:isset, file.dir; file_data; content:"tSAC<|04 00 00 00 04 00 00 04|2|0B 00 00 01 00 00 00 14 0C 0C 0C 0C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3464; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; classtype:attempted-user; sid:16223; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave director file malformed lcsr block memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"p|00 00 00 01 00 00 00 A8 FF FB|m|10|http|3A|//www."; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3466; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; classtype:attempted-user; sid:16220; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file LsCM overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM"; byte_test:4,>,4211081214,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2864; classtype:attempted-user; sid:17200; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file LsCM record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM|3A 00 00 00 00 00 00 0C 00 00 00 01 00 04 00 00 40 05 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2864; classtype:attempted-user; sid:17181; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file LsCM record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM|3A 00 00 00 00 00 00 0C 00 00 40 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2864; classtype:attempted-user; sid:17180; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; content:"XFIR",nocase; content:"tSAC",distance 0,nocase; byte_test:2,>,32767,36,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17202; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file file rcsL overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL"; byte_test:1,>,127,76,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2867; classtype:attempted-user; sid:17203; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|52 02 4C 00 61 46 43 01 57 C9 41 01 06 52 43 4C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17189; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00 00 00 05 0E|"; content:"|0A 08 19 1E 1C 1E 1F 1E 44 00 43 01 57 6E A1 9C|",within 16,distance 512; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17188; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|8F 41 01 45 C2 AE 00 FF 45 B0 41 24 43 46 1F 42|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17187; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00|"; content:"|01 17 00 C0 FF FF 00 00 00 C1 00 00 01 84 00 00|",within 16,distance 84; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17186; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00 00 00 05 0E 00 00 05 0E 00 5C 00 40|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17185; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 00 00 00 00 00 00 00 00 06 00 00 00 45 00 00|",within 16,distance 28; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17184; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 16 00 00 00 00 00 00 00 00 00 00 00 45 00 00|",within 16,distance 24; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17183; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 00 00 00 00 16 00 00 00 00 00 00 00 3F 00 00|",within 16,distance 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17182; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file pamm record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"pamm"; byte_test:4,>,4294967118,20,relative; content:!"|FF FF FF FF|",within 4,distance 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17179; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file mmap overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"RIFX",depth 4; content:"mmap"; byte_test:4,>,32768,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2870; classtype:attempted-user; sid:17204; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL"; isdataat:203,relative; content:"|FF F0 02 67|",within 4,distance 203; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,42682; reference:cve,2010-2873; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17803; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Flash memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF 01 1F 02|H|00 00 00|6|00 00 FF FF 01 1F 1F EE|"; content:!"|FF FF FF FF|",within 4,distance -24; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3463; classtype:attempted-user; sid:16293; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"EyeL|04 00 00 00 01 00 00 00 42 00 00 00 70 00 00 00 99 00 00 00 56 55 55 15|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2871; classtype:attempted-user; sid:17190; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"39VMpami|18 00 00 00 01 41 41 41 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2872; classtype:attempted-user; sid:17191; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|00 23 6F 98 00 00 00 00 00 00 00 62 00 00 00 01 00 0F FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2873; classtype:attempted-user; sid:17192; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"muhT|9B 00 00 00 00 04 00 00|FCRD|A8 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2874; classtype:attempted-user; sid:17193; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC tag exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF 00 00|shockwave3d|00 00 01|P3DPR|00 00 01|P|00 00 00 06 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,42668; reference:cve,2010-2875; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17194; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|01 36 01 00 00 00 80 80 00 00 00 15 00 00 00 03 00 00 00 27 00 00 00 24 00 00 00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 06 00 01 00 00 00 0F E1 FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2877; classtype:attempted-user; sid:17196; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|6D 9E 54 65 78 74 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 01 1A 3A 36 23 16 3A 37 0C 29 47 72 65 67 20 42 61 72 6E 65 74 74 00 80 80 00 04 74 65 78 74 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2878; classtype:attempted-user; sid:17198; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|32 02 30 82 02 31 30 02 38 38 02 30 82 02 31 30 02 38 38 03 30 30 30 41 30 30 30 30 30 30 31 33 00 00 30 30 30 30 30 32 02 30 82 02 31 30 02 38|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2879; classtype:attempted-user; sid:17197; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF file parsing in different antivirus evasion attempt"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; content:"|4A 46 49 46|",within 4,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1431; reference:url,securityfocus.com/archive/1/522005; classtype:bad-unknown; sid:21629; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF file parsing in different antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|19 04 00 10|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1430; reference:url,securityfocus.com/archive/1/522005; classtype:bad-unknown; sid:21630; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Java Applet Rhino script engine remote code execution attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"this.toString = function|28|",nocase; content:"java.lang.System.setSecurityManager|28|null|29|",distance 0,nocase; content:"return String.fromCharCode|28|97",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-3544; reference:url,osvdb.org/show/osvdb/76500; classtype:attempted-user; sid:21057; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Java JRE sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"AtomicReferenceArray"; content:"localAtomicReferenceArray = (AtomicReferenceArray)arrayofObject",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21869; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Apple OSX Finder DMG volume name memory corruption"; flow:to_client,established; flowbits:isset,file.dmg; file_data; content:"|00 00 00 00 4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; flowbits:isset,file.asx; file_data; content:"|FF FA 92 60 3C 6F|"; content:"|FF FA 92 C9 B9 56|",within 6,distance 412,fast_pattern; content:"|A9 00 04 48 58 DC E1 83 4B 68 32 01 9B BC 04 A3 27 0E A5 3D 71 66 0D 2D A8 D3 84 AF 3C 14 88 94 3E 89 CA BF 80 9C|",within 38; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:18463; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows chm file malware related exploit"; flow:to_client,established; flowbits:isset,file.chm; file_data; content:"|78 07 2F 6D 79 2E 68 74 6D 01 84 A0 00 81 5C 0C 2F 73 65 72 76 69 63 65 2E 65 78 65 01 00 84 A0|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/508508b8105d7d9b5289813b385f9be233d76e09a2ad3c647e8dc5078db8eff1/analysis/; classtype:trojan-activity; sid:21489; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption"; flow:to_client,established; flowbits:isset,file.cov; file_data; content:"|00 73 00 04 00 AD FE FF FF FE 01 00 00 2F FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,45942; reference:cve,2010-2701; classtype:attempted-admin; sid:19219; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows embedded OpenType EOT font integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|52 E7 0D 2C 32 3E 1D FC BE E2 B2 A1 E9 94 6A 46 57 35 B4 FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43775; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-user; sid:19308; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption"; flow:to_client,established; flowbits:isset,file.cov; file_data; content:"|00 00 42 00 55 00 47 00 0A 00 A7 FE FF FF DA 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,45942; reference:cve,2010-2701; classtype:attempted-admin; sid:19220; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows .NET Framework XAML browser applications stack corruption"; flow:to_client,established; flowbits:isset,file.manifest; file_data; content:"|2F 00 59 00 41 01 6B 00 61 00 41 01 6B 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47223; reference:cve,2010-3958; classtype:attempted-user; sid:19170; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|AA FF FF FF FF 00 00 00 20 00 00 00 03 00 00 00 21 00 00 00 7E 00 00 00 04 00 00 00 A0 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,osvdb.org/show/osvdb/67984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:18952; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Pagemaker Font Name Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pmd; file_data; content:"|61 61 61 61 61 61 61 61 61 61 61 61 0F 42 01 05 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,25989; reference:cve,2007-5169; classtype:attempted-user; sid:17735; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Pagemaker Key Strings Stack Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pmd; file_data; content:"Magenta",nocase; content:"|41 41 41 41 41|",within 5,distance 241; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,31999; reference:cve,2007-6432; classtype:attempted-admin; sid:17650; rev:7; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_server,established; file_data; content:"|4F 54 54 4F 00 0B 00 80 00 03 00 30 43 46 46 20 0C 1B 55 C1 00 00 0C 54 00 00 AC F2 47 50 4F 53 55 19 E1 1E 00 00 C1 50 00 00 2C 1C 47 53 55 42|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:20776; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Server 2003 update service principal name spn dos executable attempt"; flow:to_client,established; file_data; content:"|62 00 61 00 64 00 2E 00 44 00 4E 00 53 00 65 00 6E 00 74 00 72 00 79 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-005; classtype:attempted-admin; sid:18406; rev:8; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"FILE-OTHER Microsoft Windows Server 2003 update service principal name spn dos attempt"; flow:to_server,established; content:"|62 00 61 00 64 00 2E 00 44 00 4E 00 53 00 65 00 6E 00 74 00 72 00 79 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ns; reference:cve,2011-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-005; classtype:attempted-admin; sid:18407; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows OpenType Fonts CompactFontFormat FontMatrix tranform memory corruption attempt"; flow:to_client,established; file_data; content:"|04 FB 61 0C 03 F1 0C 04 8C 8B 8B 8C 8B 8B 0C 07 1C F7 E9 FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-032; classtype:attempted-admin; sid:18644; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows ATMFD Adobe font driver remote code execution attempt"; flow:to_client,established; file_data; content:"|64 A2 F7 60 A2 01 F7 A7 C8 03 14 E0 F7 E6 43 15 BE C9 A3 B0|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-007; classtype:attempted-user; sid:18402; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Data Access Components library attempt"; flow:to_client,established; file_data; content:"|33 C0 66 89 45 F4 6A FD 8D 85 BC FF FE FF 50 6A FD 8D 8D D8 FF FE FF 51 6A FD 8D 95 F4 FF FE FF 52 8B 85 A4 FF FE FF 50 E8 9B FB FF FF 33 C0 52 8B CD 50 8D 15 14 15 41 00 E8 9E FB FF FF 58 5A 5F 5E 5B 8B 4D FC 33 CD E8 12 FB|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-002; classtype:attempted-user; sid:18276; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER rich text format unexpected field type memory corruption attempt"; flow:to_client,established; file_data; content:"|4B 47 2D D7 6B CF 87 5D CF DB F3 1E FE 9F 9F 5F F4 A3 30 49 BC A4 DB 9E B3 C3 7B ED B9 C5 28 6E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:18953; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER rich text format unexpected field type memory corruption attempt"; flow:to_client,established; file_data; content:"|CB 5D 91 76 A2 A3 23 D7 EF 15 F9 A8 E3 7A DD A5 78 21 08 0E FE 17 FF 2F 2D AD 84 49 9C 65 41 B6|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:18954; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_client,established; file_data; content:"|3F 5F 03 00|",depth 4; content:"TTLBTREE|00 2E 06 00 00 7C 62|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:17374; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Project Invalid Memory Pointer Code Execution attempt"; flow:to_client,established; file_data; content:"|00 0B 00 00 00 CC E5 1A 00 41 41 41 41 00 00 00 00 03 02 01 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28607; reference:cve,2008-1088; classtype:attempted-user; sid:17382; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenOffice.org XPM file processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xpm; file_data; content:"/* XPM */",fast_pattern; content:"static char *",distance 0; pcre:"/^[^\x22]+\x22(\d+\x20+){2}/R"; byte_test:10,>,419062,0,relative,string; byte_test:10,>,10244,1,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38218; reference:cve,2009-2949; classtype:attempted-user; sid:18537; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"xsl|3A|stylesheet",fast_pattern,nocase; content:"crypto|3A|rc4_",nocase; pcre:"/^(encrypt|decrypt)\x28\x27[^\x27]{129}/smiR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30467; reference:cve,2008-2935; classtype:attempted-user; sid:14039; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Video Spirit visprj buffer overflow"; flow:established,to_client; flowbits:isset,file.visprj; file_data; content:"valitem",nocase; pcre:"/<\s*valitem[^>]*\s(value|name)\s*=\s*([\x22\x27])[^\x22\x27]{104}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0499; classtype:attempted-user; sid:20889; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|00 01 00 01 00 12 00 01 00 01 00 00 00 01 FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-029; classtype:attempted-user; sid:15693; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft SYmbolic LinK stack overflow attempt"; flow:to_client,established; flowbits:isset,file.slk; file_data; content:"P|3B|"; pcre:"/(^P\x3B[^\x3B]*\x0D\x0A){200}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,48161; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19911; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ACD Systems ACDSee Products XBM file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xbm; file_data; content:"|23|define"; content:"|5F|width",distance 0; pcre:"/\x23define\s*(?=[\S]{57})\S*\x5Fwidth/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,37685; reference:url,osvdb.org/show/osvdb/63643; classtype:attempted-user; sid:17238; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing path overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"4|3A|pathl",nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16520; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing name overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"4|3A|name",nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16519; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"8|3A|announce",nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16518; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"7|3A|comment",nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16517; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Help Workshop HPJ OPTIONS section buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.hpj; file_data; content:"[OPTIONS]"; content:"HLP",distance 0,nocase; pcre:"/^\s*HLP\s*\x3d\s*[^\n]{257}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,22135; reference:cve,2007-0427; classtype:attempted-user; sid:17366; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; content:"XFIR",nocase; content:"tSAC",distance 0,nocase; byte_test:2,>,32767,40,relative; content:"shockwave3d",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:24272; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; content:"XFIR",nocase; content:"tSAC",distance 0,nocase; byte_test:2,>,32767,36,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:24273; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 00 6B 2B 2B 45 46 AB 41 05 43 01 57 17|",within 20,distance 484; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24277; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 00 6B 2B 2B 45 46 AB 41 05 43 01 57 17|",within 20,distance 484; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24278; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 41 41 41 41 41 41 AB 41 05 43 01 57 17|",within 20,distance 484; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24279; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|FF FF 00 00|rcsL"; isdataat:192,relative; content:"|01 02 4C 00 00 00 00 80 00 00 F0 FF F0 02 67 25 A2 01 33 41|",within 20,distance 192; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24280; rev:2; )
-alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any ( msg:"FILE-OTHER Microsoft LNK shortcut arbitary dll load attempt"; flow:to_client,established; content:"|FF|SMB",depth 4,offset 4; content:"|00 00 00 00|",within 4,distance 1; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"|20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D|",distance 0; pcre:"/\x2E\x00?d\x00?l\x00?l\x00?/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2010-2568; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; classtype:attempted-user; sid:19290; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt"; flow:to_client,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"|20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2568; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; classtype:attempted-user; sid:17042; rev:9; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt"; flow:to_server,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"|20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D|",distance 0; pcre:"/\x2E\x00?d\x00?l\x00?l\x00?/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-2568; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; classtype:attempted-user; sid:24500; rev:2; )
-alert tcp $HOME_NET 445 -> $HOME_NET any ( msg:"FILE-OTHER Adobe Premier Pro ibfs32.dll dll-load exploit attempt"; flow:to_client,established; content:"i|00|b|00|f|00|s|00|3|00|2|00|.|00|d|00|l|00|l|00|"; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2010-3150; reference:url,osvdb.org/show/osvdb/67554; classtype:attempted-user; sid:18530; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"cmap"; content:"|00 04|",distance 0; content:"|00 02|",within 2,distance 4; content:"|FF FF 00 00 00 00|",within 6,distance 6; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2897; reference:cve,2012-4786; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-078; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-075; classtype:attempted-admin; sid:24649; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"cmap"; content:"|00 04|",distance 0; content:"|00 02|",within 2,distance 4; content:"|FF FF 00 00 00 00|",within 6,distance 6; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-2897; reference:cve,2012-4786; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-078; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-075; classtype:attempted-admin; sid:24650; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|2C 52 02 4C 00 4C 33 4C 02 4C 01 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2030; classtype:denial-of-service; sid:24702; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|2C 52 02 4C 00 4C 33 4C 02 4C 01 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-2030; classtype:denial-of-service; sid:24703; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<PacDesignData>|0A|",depth 30,offset 15; content:"<SymbolicSchematicData>|0A|",distance 0; content:"<Symbol>",distance 0; content:"<Value>",distance 0; isdataat:96,relative; content:!"</Value>",within 96; metadata:policy balanced-ips drop,service http,service imap,service pop3; reference:cve,2012-2915; classtype:attempted-user; sid:25247; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"<PacDesignData>|0A|",depth 30,offset 15; content:"<SymbolicSchematicData>|0A|",distance 0; content:"<Symbol>",distance 0; content:"<Value>",distance 0; isdataat:96,relative; content:!"</Value>",within 96; metadata:policy balanced-ips drop,service smtp; reference:cve,2012-2915; classtype:attempted-user; sid:25248; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER overly large XML file MSXML heap overflow attempt"; flow:to_client,established; file_data; http_header; content:"Content-Length|3A|"; pcre:"/^Content-Length\x3a\s*0*([1-9][0-9]{8}|[7-9][0-9]{8})/mi"; pkt_data; content:"<?xml ",depth 100,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-002; classtype:attempted-user; sid:25270; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER MSXML dynamic pointer casting arbitrary code execution attempt"; flow:to_client,established; file_data; content:"//doesnotexist[position|28 29| != 3]"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-002; classtype:attempted-user; sid:25275; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Cisco WebEx player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.wrf; file_data; content:"|FF 7F 25 00 88 03 8C 02 CC 7C 01 00 00 00 00 00 FD 7E 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-4004; classtype:attempted-user; sid:25341; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Csound hetro audio file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csd; file_data; content:"|81 C4 54 F2 FF FF|"; content:"|46 54 95 6E|"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0270; classtype:attempted-user; sid:25607; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Csound hetro audio file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csd; file_data; content:"|81 C4 54 F2 FF FF|"; content:"|46 54 95 6E|"; metadata:policy balanced-ips alert,policy security-ips drop,service smtp; reference:cve,2012-0270; classtype:attempted-user; sid:25608; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER ELF file parsing in different antivirus evasion attempt"; flow:to_server,established; file_data; content:"|7F|ELF",depth 4; content:"|4A 46 49 46|",within 4,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-1431; reference:url,securityfocus.com/archive/1/522005; classtype:bad-unknown; sid:25633; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft EMF+ GpFont.SetData buffer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; content:" EMF",within 4,distance 36; byte_jump:4,-40,relative,little; content:"F|00 00 00|,|00 00 00| |00 00 00|",within 12,distance -8; content:"F|00 00 00|",distance 0; content:"|08|@|00 06|",within 4,distance 12; byte_test:4,>,4261412864,28,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:attempted-user; sid:15430; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Director file file rcsL overflow attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"rcsL",nocase; byte_test:1,>,127,76,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-2867; classtype:attempted-user; sid:26027; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"rcsL"; isdataat:203,relative; content:"|FF F0 02 67|",within 4,distance 203; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,42682; reference:cve,2010-2873; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:26028; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|00 23 6F 98 00 00 00 00 00 00 00 62 00 00 00 01 00 0F FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-2873; classtype:attempted-user; sid:26029; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Known malicious jar archive download attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"ImAlpha$MyColorSpace.classPK"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58238; reference:cve,2013-1493; classtype:attempted-admin; sid:26030; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER RealNetworks RealPlayer SWF frame handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|E5 05 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00 43 02 FF FF FF BF 00 39 00 00 00 01 00 70 F2|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30370; reference:cve,2007-5400; classtype:attempted-user; sid:17633; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-OTHER Adobe Premiere Pro ibfs32.dll dll-load exploit attempt"; flow:to_server,established; http_uri; content:"ibfs32.dll",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3150; reference:url,osvdb.org/show/osvdb/67554; classtype:attempted-user; sid:18529; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Wireshark DECT packet dissector overflow attempt"; flow:to_client,established; file_data; content:"|D4 C3 B2 A1 02 00 04 00|",depth 8; byte_test:4,>,1499,36,little; content:"|FF FF FF FF FF FF 00 00 00 00 00 00 23 23|",depth 14,offset 40,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,47392; reference:cve,2011-1591; reference:url,osvdb.org/show/osvdb/71848; classtype:attempted-user; sid:20431; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER SafeNet SoftRemote multiple policy file local overflow attempt"; flow:to_client,established; file_data; content:"|5B|HKEY_LOCAL_MACHINE|5C|SOFTWARE|5C|IRE|5C|SafeNet|2F|Soft-PK|5C|ACL|5C|GROUPDEFS|5C|_SafeNet_Default_Group|5D|"; content:"|22|GROUPNAME|22 3D 22|",distance 0; isdataat:256,relative; content:!"|22|",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3861; reference:url,osvdb.org/show/osvdb/59724; classtype:attempted-user; sid:16732; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt"; flow:to_client,established; file_data; content:"OrbitalFileV1.0|0D 0A|",nocase; pcre:"/^[^\x00]{512}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38436; reference:cve,2010-0688; classtype:attempted-user; sid:16721; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER VariCAD multiple products DWB file handling overflow attempt"; flow:to_client,established; file_data; content:"|34 87 01 00 00 00 00 00 25 5C 1F 85|",depth 12; pcre:"/^[^\x0a\x3d]{512}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38815; reference:url,osvdb.org/show/osvdb/63067; classtype:attempted-user; sid:16736; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - java-deployment-toolkit"; flow:to_client,established; http_header; content:"application/java-deployment-toolkit",nocase; file_data; pkt_data; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16550; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - npruntime-scriptable-plugin"; flow:to_client,established; http_header; content:"application/npruntime-scriptable-plugin|3B|deploymenttoolkit",nocase; file_data; pkt_data; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16549; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt"; flow:to_client,established; file_data; content:"[Setnet32]",fast_pattern,nocase; content:"ServerSize=",distance 0; byte_test:4,>,293,0,relative,dec,string; pcre:"/InformixServerList=([^\r\n\x3B]{,293}\x3B)*[^\r\n\x3B]{294}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16346; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt"; flow:to_client,established; file_data; content:"[Setnet32]",fast_pattern,nocase; content:"HostSize=",distance 0; byte_test:4,>,296,0,relative,dec,string; pcre:"/HostList=([^\r\n\x3B]{,296}\x3B)*[^\r\n\x3B]{297}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16345; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER FeedDemon unicode OPML file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C 00|o|00|p|00|m|00|l|00|",nocase; content:"|3C 00|o|00|u|00|t|00|l|00|i|00|n|00|e|00|",distance 0,nocase; pcre:"/[^\x3E]*?t\x00e\x00x\x00t\x00(\s\x00)*\x3D\x00(\s\x00)*(\x27\x00(?!(..){0,500}\x27\x00)|\x22\x00(?!(..){0,500}\x22\x00)|(?!(..){0,500}\s\x00))/isOR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33630; reference:cve,2009-0546; classtype:attempted-user; sid:17105; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER FeedDemon OPML file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|opml",nocase; content:"|3C|outline",distance 0,nocase; pcre:"/[^\x3E]*?text\s*\x3D\s*(\x27[^\x27]{500}|\x22[^\x22]{500}|\S{500})/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33630; reference:cve,2009-0546; classtype:attempted-user; sid:17104; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER UltraISO CCD file handling overflow attempt"; flow:to_client,established; file_data; content:"[CloneCD]",depth 9; content:"INDEX 1=",distance 0; isdataat:256,relative; content:!"|0A|",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1260; reference:url,osvdb.org/show/osvdb/53275; classtype:attempted-user; sid:16733; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; file_data; content:"Photodex|28|R|29| ProShow|28|TM|29| Show File Version",depth 41; content:"cell[0].images[0].image=",distance 0; isdataat:512,relative; content:!"|0A|",within 512; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3214; reference:url,osvdb.org/show/osvdb/57226; classtype:attempted-user; sid:16730; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER IDEAL Administration IPJ file handling stack overflow attempt"; flow:to_client,established; file_data; content:"|0D 0A|[Group,Export,Yes]|0D 0A|",depth 22; content:"Computer=",distance 0; pcre:"/^[^\s\x00]{512}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4265; reference:url,osvdb.org/show/osvdb/60681; classtype:attempted-user; sid:16727; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ClamAV antivirus CHM file handling DOS"; flow:to_client,established; file_data; content:"ITSF"; content:"|11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|",within 16,distance 36; content:"ITSP",distance 0; byte_test:4,<,8,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30994; reference:cve,2008-1389; reference:url,sourceforge.net/project/shownotes.php?group_id=86638&release_id=623661; classtype:attempted-dos; sid:17602; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER CA multiple product AV engine CAB header parsing stack overflow attempt"; flow:to_client,established; file_data; content:"MSCF",depth 4; byte_test:2,=,1,24,relative,little; byte_jump:4,12,relative,post_offset -20,little; pcre:"/^.{16}[^\x00]{256}/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,24330; reference:cve,2007-2864; classtype:attempted-user; sid:16719; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ClamAV libclamav PE file handling integer overflow attempt"; flow:to_client,established; file_data; content:"|4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00|"; isdataat:288,relative; content:"|00 00 2E 70 65 74 69 74 65 00 00 D0 0D 00 00 30 FF FF A3 D1|",within 20,distance 288; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0318; classtype:attempted-user; sid:17305; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; file_data; content:"ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpgAAAAAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3214; reference:url,osvdb.org/show/osvdb/57226; classtype:attempted-user; sid:16731; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 47 3E 34 CB 58 A7 A2 F5 3F D0 B9 1B CA 20 05 7E 6D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,osvdb.org/show/osvdb/67984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:26648; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 43 FF F1 02 3B 02 D8 00 25 00 00 01 32 35 34 26 23 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,osvdb.org/show/osvdb/67984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:26649; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_client,established; file_data; content:"|3F 5F 03 00|",depth 4; content:"TTLBTREE|00 5B 21 00 00 7C 56|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:27166; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_server,established; file_data; content:"|3F 5F 03 00|",depth 4; content:"TTLBTREE|00 2E 06 00 00 7C 62|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:27167; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_server,established; flowbits:isset,file.hlp; file_data; content:"TTLBTREE|00 5B 21 00 00 7C 56|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:27168; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Mac",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fMac\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19648; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Unix",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fUnix\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19647; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/DOS",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fDOS\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19646; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF file with embedded PDF object"; flow:to_client,established; file_data; content:"EmbeddedFile",nocase; content:"3C7064663E",distance 0,nocase; content:"3C2F7064663E",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18684; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj",nocase; content:"<<",within 4; content:"/Launch",within 100,fast_pattern; content:"/F"; pcre:"/\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:16523; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader util.printf buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"util.printf"; pcre:"/\x28\s*\x22\s*\x25([2-9][6-9][5-9]|[1-9][0-9]{3,})f/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-2992; classtype:attempted-user; sid:15014; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader embedded BMP colors used integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream",nocase; content:"BM",within 20; content:"|00 00 00 00|",within 4,distance 4; content:"|28 00 00 00|",within 4,distance 4; byte_test:4,>,0x1FFFFFFF,28,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-4373; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20921; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader JpxDecode invalid crgn memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"jp2c|FF 4F|"; content:"|FF 5E 00|",distance 0; pcre:"/\xff\x5e\x00(\x05[\x80-\xff]|\x06\x00[\x80-\xff]|\x06[^\x00])/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,37757; reference:cve,2009-3955; classtype:attempted-user; sid:18801; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 5B 6F E2 38 14 7E EF AF 88 B2 6F CB 0E E6 0E AD 0A 23 73 5B 68 9B 02 E5 DA BE 8C 4C E2 04 97 24 0E B1 D3 00 BF 7E ED 24 B4 94 99 DD 19 69 1F 56 5A 39 D2 07 E7 F6 1D 1F DB 71 9E 7C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:17214; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 49 73 E2 38 14 BE F7 AF 70 79 6E C3 34 62 87 A4 42 BA C4 36 90 C4 01 C2 9A 5C BA 84 2D 1B 07 DB 32 96 1C 03 BF 7E 24 2F 6C D3 3D 9D C3 54 4D 4D 95 5C F5 81 DE|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:17215; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader icc mluc interger overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"mluc|00 00 00 00|"; byte_test:4,>,357913941,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43729; reference:cve,2010-3622; classtype:attempted-user; sid:18308; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader invalid PDF JavaScript extension call"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"printSeps"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-4091; reference:url,www.adobe.com/support/security/bulletins/apsb10-28.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-admin; sid:18102; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader PDF subroutine pointer attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|90 90 90 E8 00 00 00 00 5B 90 66 C7 03 EB FE|"; content:"RICN"; content:"AR07",within 6; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-5857; classtype:attempted-user; sid:21765; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader doc.export arbitrary file write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".export",nocase; pcre:"/\x2eexport(AsFDF|AsText|AsXFDF|DataObject|XFAData)\x28[^\x2c\x29]*\x2c[^\x2c\x29]*\x2c[^\x29]+\x2eexe/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2993; classtype:attempted-user; sid:16324; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible malicious pdf detection - qwe123"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:"qwe123",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:21583; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible malicious pdf - new pdf exploit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"NEW PDF EXPLOIT"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21431; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible unknown malicious PDF"; flow:to_client, established; flowbits:isset, file.pdf; file_data; content:"%PDF-1."; content:"=new Array"; pcre:"/\d+?(.)\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0188; classtype:attempted-user; sid:21429; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:") /CreationDate (D:20110405234628)>>"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; classtype:trojan-activity; sid:21417; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe JPEG2k uninitialized QCC memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 12 E0 0F 12 12 E0 0F 12 12 FF|]|00 16|LL"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2994; classtype:attempted-user; sid:16325; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader U3D rgba parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0E 01 00 00 00 01 0E 01 00 01 00 00 00 FE 00 70 6F 63 2E 72 67 62 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0591; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18457; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|42 00 00 00 28 00 00 00 AB AA AA 0A 40 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20171; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 0B 00 00 12 0B 00 00 00 01 00 00 00 01 00 00 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20170; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0E 00 00 C4 0E 00 00 00 40 00 00 00 00 00 00 58 58 58 58 58|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20169; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 01 41 41 41 01 41 41 41 01|",within 10,distance 11; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2435; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20148; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 02 E0 80 CC CC 58 58 58 58|",within 10,distance 13; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2434; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20147; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 02 10 80 CC CC 58 58 58 58|",within 10,distance 13; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2433; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20145; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader ICC ProfileDescriptionTag overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|CE 00 07 00 09 00 12 00 04 00 33 64 65 73 63 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2097; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19255; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader malformed U3D texture continuation integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C FF FF FF 0C 00 00 00 00 00 00 00 08 00 54 65 78 74 75|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2096; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19248; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|63 2F 55 46 28 70 6F 63 2E 73 77 66 29 3E 3E 0D|"; content:"|3C 2F 43 68 65 63 6B 53 75 6D 3C 31 36 43 44 45 32 43 39 44 38 41 44 37 37 30 35 46 41 32 31 36 46 31 33 34 46 41 46 37 38 35 30 3E 2F 43 72 65|",within 48,distance 112; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19082; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader malformed TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"jNLjwFWnTvuP9HG9OL+q916q915//n</image"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:18585; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|B3 2E 86 F7 BA C8 F4 4A 2B C7 AB 99 E8 6B 72 99 39 40 C7 59 B1 2E C9 D1 AE 0C 6E 39 A8 E5 DC 60|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:17472; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|55 1E 42 91 74 A1 4A FA 21 C7 DB 53 14 DE DE 9E A4 6A CD ED 29 C7 4E DE 9E BC ED 49 B3 35 11 D6|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:17471; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF BitDefender Antivirus PDF processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|25 50 44 46 2D 31 2E 33 0A 25 E2 E3 CF D3 0A 33|",depth 16; content:"|3C 3C 2F 46 69 6C 74 65 72 20 5B 2F 46 6C 61 74 65 44 65 63 6F 64 65 20 2F 41 53 43 49 49 48 65 78 44 65 63 6F 64 65 5D|",within 40,distance 8; content:"|78 9C ED C2 31 0D 00 00 00 02 A0 4C 6E F6 CF 66 0D 0F 06 4D 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 30 4B 03 6A 32|",within 45,distance 22; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32396; reference:cve,2008-5409; classtype:attempted-user; sid:17430; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader malformed TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|EB|/|ED|Z|B9|qX|F4 D8|C|F5|a|BF|+|0D 8C D2 F3 DD|*|EE 09|W|B1 B3 9B|P|EB AD D1 B3 07 A0|4|D8|m|7C 7F EB B5 EF|j|E8 F5|m[+t|8F 7C BC|f|BB 86|ql|F7 C0 C3 E8|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:16490; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Foxit Reader createDataObject file write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"createDataObject",nocase; pcre:"/^\s*\x5C?\x28\s*[\x22\x27][a-z]\x3A[\x2F\x5C]/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/71104; reference:url,scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html; classtype:attempted-user; sid:21254; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader javascript submitform memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"submitForm"; pcre:"/submitForm\s*\x28[^\x3b]+cURL\s*\x3a\s*[\x22\x27]\s*url\s*\x3a\s*(?!https?)[^\x27\x22\x23]*?\x23/ims"; isdataat:50; content:!"bGet",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-4371; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20998; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D CLODMeshDeceleration code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"U3D|00|"; content:"|31 FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,>,200,12,relative,little; content:"|3C FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,<,200,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3953; classtype:attempted-user; sid:20429; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader oversized object width attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/width",nocase; byte_test:7,>,1000000,1,relative,string; content:"/DCTDecode",distance 0,nocase; pcre:"/\x2fwidth[^\x3e]+\x2fDCTDecode/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2980; classtype:attempted-user; sid:16322; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D CLODMeshContinuation code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"U3D|00|"; content:"1|FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,<,16777216,12,relative,little; content:"<|FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,>,16777215,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,36665; reference:cve,2009-2990; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; classtype:attempted-user; sid:16373; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader File containing Flash use-after-free attack attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F 46 69 6C 74 65 72 2F 46 6C 61 74 65 44 65 63 6F 64 65 2F 46 69 72 73 74 20 39 39 2F 4C 65 6E 67 74 68 20 35 31 31 2F 4E 20 31 35 2F 54 79 70 65 2F 4F 62 6A 53 74 6D 3E 3E 73 74 72 65 61 6D 0D 0A 68 DE 6C 52 DB 6E E2 30|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1297; classtype:attempted-user; sid:16633; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader sandbox disable attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|B6 84 05 8D 81 80 08 FF E3 A1 87 05 EA 88 A8 83 05 DE 8B B6 04 EA 80 80 08 D6 8B B6 04 99 D0 81 D0 06 EA 80 08 EA 80 A8 03 81 8A B6 04 D0 80 80|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1353; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20162; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader javascript in PDF go-to actions exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S /GoToR"; content:"/F |28|javascript:",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2101; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19254; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader shell metacharacter code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"begin|20|",depth 6; pcre:"/^begin\s\d+\s[^\s\r\n\t]*\x60/sm"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,10931; reference:cve,2004-0630; classtype:attempted-user; sid:18527; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader JPX malformed code-block width attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|6A 50 20 20|"; content:"|FF 4F FF 51|",distance 0; byte_jump:2,36,relative,multiplier 3,big; content:"|FF 52 00 0C|",within 4; byte_test:1,>,16,5,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35274; reference:bugtraq,35289; reference:cve,2009-1859; reference:url,www.adobe.com/support/security/bulletins/apsb09-07.html; classtype:attempted-user; sid:15562; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S/JavaScript"; content:"this.media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:16333; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe JPEG2k uninitialized QCC memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 12 E0 0F 12 12 E0 0F 12 12 FF|]|00 16|LL"; content:"setTimeout|28 22|doSpray|28 29 22|,2500|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2995; classtype:attempted-user; sid:16323; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe collab.removeStateModel denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C|x00|5C|x00|5C|x00|5C|x00",nocase; content:"Collab.removeStateModel",nocase; pcre:"/var\s*(\w+)\s*\x3D\s*\x22\x5Cx00\x5Cx00\x5Cx00\x5Cx00.*\x22.*Collab\x2EremoveStateModel\s*\x28\s*\1.*\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2988; classtype:attempted-user; sid:16175; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe collab.addStateModel remote corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Collab.addStateModel",nocase; content:"cname",nocase; content:"00",within 15,distance 2,nocase; pcre:"/Collab\x2EaddStateModel\s*\x28\s*\x7B.*cName\s*\x3A\s*\x22(\x22|\x5Cx00)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2996; classtype:attempted-user; sid:16176; rev:9; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader CoolType.dll remote memory corruption denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 9C C5 97 4D 4B C4 30 10 86 EF 85 FE 87 39 26 87 CD 26 33|"; content:"|AC 6D EE D5 DD 46 CF 88 D4 87 76 9D 7A D7 B3 A0 40 63 A7 6E F4 2C AA 27 8D A4 5E 35 59 B5 9B E3|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,41130; reference:cve,2010-2204; classtype:attempted-dos; sid:16801; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible Adobe Reader ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"ByteArray",nocase; content:"|04 0C 0C 0C 0C|",within 100; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15728; rev:11; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader BMP color unused corruption"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|6D 70 29 3E 3E 0A 65 6E 64 6F 62 6A 0A 32 30 20 30 20 6F 62 6A 0A 3C 3C 2F 53 75 62 74 79 70 65 2F 69 6D 61 67 65 23 32 66 62 6D 70 3E 3E 73 74 72 65 61 6D 0A 42 4D 80 07 00 00 00 00 00 00 76 00 00 00 28 00 00 00 01 00 00 00 01 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-4372; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20919; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Adobe Reader U3D file include overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"CDF1048AB8979121691236CBF4378433"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2094; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19250; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Adobe Reader U3D RHAdobeMeta Buffer Overflow"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F|Subtype|2F|U3D|2F|Length",nocase; content:"|48 89 EC 55 7B 4C 53 69 16 BF 3C 2C F4 21 A0 C2|"; content:"|95 96 0B 5C 0A 22 BD 76 78 8A D8 5A 40 1E 22 2D|",within 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35282; reference:cve,2009-1855; classtype:attempted-user; sid:17526; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|01|pmaxp|02 ED 0A 7B 00 00|p|0E 00 00 00 20|name|EA 2E F3 EE 00 00|p.|00 00 04|aposts|F1|o|84 00 00|t|8F 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44203; reference:cve,2010-2862; classtype:attempted-user; sid:17288; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat XML entity escape attempt"; flow:to_client,established; file_data; content:"<|21|ENTITY",nocase; content:"SYSTEM",within 50,nocase; content:"http|3A 2F 2F|",within 50,nocase; content:"http|3A 2F 2F|",within 500,nocase; pcre:"/<\x21ENTITY[^>]+SYSTEM[^>]+http\x3A\x2F\x2F[^>\s]+http\x3A\x2F\x2F/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0604; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18456; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader malicious language.engtesselate.ln file download attempt"; flow:to_client,established; flowbits:isset,file.engtesselate; file_data; content:"2="; isdataat:255,relative; content:!"|0A|",within 255; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2095; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19253; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D progressive mesh continuation pointer overwrite attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<|FF FF FF C5 00 00 00 00 00 00 00 05 00|Box01|00 00 00 00 00 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01|k|01 00 00|k|01 00 00 D5 02 00 00 BF 85|]K|00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2998; classtype:attempted-user; sid:16173; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D progressive mesh continuation off by one index attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<|FF FF FF C5 00 00 00 00 00 00 00 05 00|Box01|00 00 00 00 00 00 00 00 08 00 00 00|ABCD"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3458; classtype:attempted-user; sid:16174; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D line set heap corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"7|FF FF FF|h|00 00 00 00 00 00 00 06 00|Box_92|00 00 00 00 00 00 00 00 04 05 00 00| |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2997; classtype:attempted-user; sid:16172; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; file_data; content:"|35 3E 5D 0A 3E 3E 0A 73 74 61 72 74 78 72 65 66 0A 32 34 36 31 32 35 0A 25 25 45 4F 46 0A 0D 0A 25 53 49 47 4E 41 54 55 52 45 3A 20 E2 DA 47 7E AC 80 D7 7E AB 80|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:17233; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader and Acrobat authplay.dll vulnerability exploit attempt"; flow:to_client,established; file_data; content:"|43 57 53 09 A2 D2 00 00 78 9C EC BD 79 7C 54 C5 D2 37 DE 7D|"; isdataat:316,relative; content:"|CF E7 77 BC EB 19 53 BF 99 F7 7C FB B8 D4 4B FA 7C EE E7 AC C7 83 AD 58 D8 F3 35 8B A5 1E B4 67 4D EA 3F EE 9E 3F 79 C9 AB ED 63 B6 F4 58 7A 57|",within 48,distance 316; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:16664; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader shell metacharacter code execution attempt"; flow:to_server,established; flowbits:isset,smtp.contenttype.attachment; content:"begin|20|"; pcre:"/^begin\s\d+\s[^\s\r\n\t]*\x60/sm"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,10931; reference:cve,2004-0630; classtype:attempted-user; sid:18526; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader/Acrobat Pro CFF font parsing heap overflow attempt"; flow:to_client,established; file_data; content:"6SC.Pseudo.Font.1|00 00 01 01 87|T|01 01 FF|T|00|V|02 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1241; classtype:attempted-user; sid:16546; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible malicious PDF detection - qweqwe="; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"><qwe qweqwe="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:22941; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate (D:20100829161936"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:23043; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate (D:20120421195855"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:23044; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown malicious PDF - Title"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Title (0aktEPbG1LcQ9f6d8l32m7gI5eY4)>>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:23045; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown Malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Creator(sli)/ModDate(D:20080817171147-07|27|00|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:23140; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe flash player newfunction memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:" (lolol|5C|056swf)"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1297; classtype:attempted-user; sid:23263; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|B3 2E 86 F7 BA C8 F4 4A 2B C7 AB 99 E8 6B 72 99 39 40 C7 59 B1 2E C9 D1 AE 0C 6E 39 A8 E5 DC 60|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:23502; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|55 1E 42 91 74 A1 4A FA 21 C7 DB 53 14 DE DE 9E A4 6A CD ED 29 C7 4E DE 9E BC ED 49 B3 35 11 D6|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:23503; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/S/JavaScript"; content:"this.media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:23506; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|01|pmaxp|02 ED 0A 7B 00 00|p|0E 00 00 00 20|name|EA 2E F3 EE 00 00|p.|00 00 04|aposts|F1|o|84 00 00|t|8F 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,44203; reference:cve,2010-2862; classtype:attempted-user; sid:23507; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader File containing Flash use-after-free attack attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F 46 69 6C 74 65 72 2F 46 6C 61 74 65 44 65 63 6F 64 65 2F 46 69 72 73 74 20 39 39 2F 4C 65 6E 67 74 68 20 35 31 31 2F 4E 20 31 35 2F 54 79 70 65 2F 4F 62 6A 53 74 6D 3E 3E 73 74 72 65 61 6D 0D 0A 68 DE 6C 52 DB 6E E2 30|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-1297; classtype:attempted-user; sid:23510; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader and Acrobat authplay.dll vulnerability exploit attempt"; flow:to_server,established; file_data; content:"|43 57 53 09 A2 D2 00 00 78 9C EC BD 79 7C 54 C5 D2 37 DE 7D|"; isdataat:316,relative; content:"|CF E7 77 BC EB 19 53 BF 99 F7 7C FB B8 D4 4B FA 7C EE E7 AC C7 83 AD 58 D8 F3 35 8B A5 1E B4 67 4D EA 3F EE 9E 3F 79 C9 AB ED 63 B6 F4 58 7A 57|",within 48,distance 316; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:23511; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe flash player newfunction memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:" (lolol|5C|056swf)"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-1297; classtype:attempted-user; sid:23512; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Mac",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fMac\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23513; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Unix",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fUnix\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23514; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/DOS",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fDOS\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23515; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj",nocase; content:"<<",within 4; content:"/Launch",within 100,fast_pattern; content:"/F"; pcre:"/\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23516; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 5B 6F E2 38 14 7E EF AF 88 B2 6F CB 0E E6 0E AD 0A 23 73 5B 68 9B 02 E5 DA BE 8C 4C E2 04 97 24 0E B1 D3 00 BF 7E ED 24 B4 94 99 DD 19 69 1F 56 5A 39 D2 07 E7 F6 1D 1F DB 71 9E 7C|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:23517; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 49 73 E2 38 14 BE F7 AF 70 79 6E C3 34 62 87 A4 42 BA C4 36 90 C4 01 C2 9A 5C BA 84 2D 1B 07 DB 32 96 1C 03 BF 7E 24 2F 6C D3 3D 9D C3 54 4D 4D 95 5C F5 81 DE|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:23518; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Possible unknown malicious PDF"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:"new Array"; pcre:"/\d+?(.)\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+/"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0188; classtype:attempted-user; sid:23521; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader malformed TIFF remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"jNLjwFWnTvuP9HG9OL+q916q915//n</image"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:23523; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader malformed TIFF remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|EB|/|ED|Z|B9|qX|F4 D8|C|F5|a|BF|+|0D 8C D2 F3 DD|*|EE 09|W|B1 B3 9B|P|EB AD D1 B3 07 A0|4|D8|m|7C 7F EB B5 EF|j|E8 F5|m[+t|8F 7C BC|f|BB 86|ql|F7 C0 C3 E8|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:23524; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<template xmlns="; content:"http|3A|//www.xfa.org/",distance 1; content:"<event activity",distance 0; content:"initialize",within 50,distance 1; content:"application/x-javascript",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-1525; reference:url,prosauce.org/blog/2010/08/analyzing-cve-2010-0188-exploits-the-legend-of-pat-casey-part-1/; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; reference:url,www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation; reference:url,www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/; classtype:trojan-activity; sid:23611; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<template xmlns="; content:"http|3A|//www.xfa.org/",distance 1; content:"<event activity",distance 0; content:"initialize",within 50,distance 1; content:"application/x-javascript",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1525; reference:cve,2012-1530; reference:url,prosauce.org/blog/2010/08/analyzing-cve-2010-0188-exploits-the-legend-of-pat-casey-part-1/; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; reference:url,www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation; reference:url,www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/; classtype:trojan-activity; sid:23612; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Blackhole exploit kit related malicious file detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.",depth 7; content:"<</Creator(",distance 0,nocase; pcre:"/<<\x2fCreator\x28\d{2,3}(.)\d{2,3}\1\d{2,3}\1\d{2,3}\1/smi"; content:")/ModDate",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:23851; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Blackhole exploit kit related malicious file detection"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.",depth 7; content:"<</Creator(",distance 0,nocase; pcre:"/<<\x2fCreator\x28\d{2,3}(.)\d{2,3}\1\d{2,3}\1\d{2,3}\1/smi"; content:")/ModDate",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:23852; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader invalid inline image attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|30 34 9C 17 0E D6 9C 3D 64 EC E2 A4 D2 E0 7F EA FC DA 2E 70 CF D7 15 4E AC D7 11 7D 2F 94 6B 8E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4151; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23868; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader invalid inline image attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|30 34 9C 17 0E D6 9C 3D 64 EC E2 A4 D2 E0 7F EA FC DA 2E 70 CF D7 15 4E AC D7 11 7D 2F 94 6B 8E|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4151; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23869; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader postscript font execution malformed subroutine entries attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|1D CD 77 ED B6 D2 C2 E2 FD 7A C5 C0 EE FE AC A0 11 ED 3B 6A 90 84 3B CA A8 49 3E E9 9E 59 63 1E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4152; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23874; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader postscript font execution malformed subroutine entries attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|1D CD 77 ED B6 D2 C2 E2 FD 7A C5 C0 EE FE AC A0 11 ED 3B 6A 90 84 3B CA A8 49 3E E9 9E 59 63 1E|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4152; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23875; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader Texture Declaration buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A|U3D"; content:"|14 FF FF FF|"; content:"|55 FF FF FF|",distance 0; byte_jump:2,8,relative,little,post_offset 9; byte_test:4,>=,0x1,0,relative,little; content:"|00 0E 01 00|",within 4,distance 4; byte_test:2,>,0x260,4,relative,little; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2049; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:23879; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader Texture Declaration buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream|0A|U3D"; content:"|14 FF FF FF|"; content:"|55 FF FF FF|",distance 0; byte_jump:2,8,relative,little,post_offset 9; byte_test:4,>=,0x1,0,relative,little; content:"|00 0E 01 00|",within 4,distance 4; byte_test:2,>,0x260,4,relative,little; metadata:policy balanced-ips alert,policy security-ips drop,service smtp; reference:cve,2012-2049; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:23880; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Type /Annot|0A|",nocase; content:"/Subtype/RichMedia",distance 0,nocase; content:"getAnnotsRichMedia|28|"; pcre:"/var (?P<var>\w+)\s*=\s*getAnnotsRichMedia\x28.*?(?P=var)\.(pop|shift).*?>> endobj/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4147; classtype:attempted-dos; sid:23881; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Type /Annot|0A|",nocase; content:"/Subtype/RichMedia",distance 0,nocase; content:"getAnnotsRichMedia|28|"; pcre:"/var (?P<var>\w+)\s*=\s*getAnnotsRichMedia\x28.*?(?P=var)\.(pop|shift).*?>> endobj/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4147; classtype:attempted-dos; sid:23882; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Type/PROJCS",fast_pattern; content:"/WKT|28|",within 15; isdataat:1024,relative; content:!">",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23889; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Type/GEOGCS",fast_pattern; content:"/WKT|28|",within 15; isdataat:1024,relative; content:!">",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23890; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<</Type/PROJCS",fast_pattern; content:"/WKT|28|",within 15; isdataat:1024,relative; content:!">",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23891; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<</Type/GEOGCS",fast_pattern; content:"/WKT|28|",within 15; isdataat:1024,relative; content:!">",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23892; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-PDF CUPS and Xpdf JBIG2 symbol dictionary buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"JBIG2Decode"; content:"|03 FF FD FF 02 FE FE FE 00 00 00 36 FF FF FF F0 94 6B 62 1B|",within 1000; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0195; reference:url,www.cups.org/str.php?L3129; classtype:attempted-user; sid:17641; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat Reader malicious charstring stream attempt"; flow:to_client,established; file_data; content:"|F7 0F 8E 10 DF 11 F0 13 0F 14 58 15 4D 16 7E 17 A6 19 15 1A 8C 1B 8E 1C E4 1E 2B 1F 13 20 26 22 04 24 1B 25 53 25 B3 26 A4 27 F8 28 D4 29 E0 2A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4159; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24148; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat Reader malicious charstring stream attempt"; flow:to_server,established; file_data; content:"|F7 0F 8E 10 DF 11 F0 13 0F 14 58 15 4D 16 7E 17 A6 19 15 1A 8C 1B 8E 1C E4 1E 2B 1F 13 20 26 22 04 24 1B 25 53 25 B3 26 A4 27 F8 28 D4 29 E0 2A|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4159; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24149; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader embedded TTF bytecode memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2C 23 4B 54 58 20 20 60 B0 01 60 25 8A 38 1B 23 21 59 B8 FF FF 62 2D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,55015; reference:cve,2012-4154; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24152; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader embedded TTF bytecode memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|2C 23 4B 54 58 20 20 60 B0 01 60 25 8A 38 1B 23 21 59 B8 FF FF 62 2D|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,55015; reference:cve,2012-4154; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24153; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Overly large CreationDate within a pdf - likely malicious"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate("; isdataat:500,relative; content:")>>",distance 0; pcre:"/\/CreationDate\x28[^\x3c\x29]{500}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:misc-activity; sid:24263; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Overly large CreationDate within a pdf - likely malicious"; flow:to_server,established; flowbits:isset,file.pdf; content:"/CreationDate("; isdataat:500,relative; content:")>>",distance 0; pcre:"/CreationDate\x28[^\x3c\x29]{500}/"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; classtype:misc-activity; sid:24264; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.",nocase; content:"|49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24625; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.",nocase; content:"|49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24626; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Filter",nocase; content:"/Standard",within 15,fast_pattern,nocase; content:"/Length",within 15,nocase; byte_test:10,>,256,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24763; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<</Filter",nocase; content:"/Standard",within 15,fast_pattern,nocase; content:"/Length",within 15,nocase; byte_test:10,>,256,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24764; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF OpenType parsing buffer overflow attempt"; flow:to_client, established; flowbits:isset,file.pdf; file_data; content:"/Type /Font|0A|/Subtype /TrueType|0A|"; content:"ttcf",distance 0; byte_test:4,>,0x40000000,4,relative; metadata:policy balanced-ips drop,service http,service imap,service pop3; reference:cve,2013-0604; classtype:attempted-user; sid:25461; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF OpenType parsing buffer overflow attempt"; flow:to_server, established; flowbits:isset,file.pdf; file_data; content:"/Type /Font|0A|/Subtype /TrueType|0A|"; content:"ttcf",distance 0; byte_test:4,>,0x40000000,4,relative; metadata:policy balanced-ips drop,service smtp; reference:cve,2013-0604; classtype:attempted-user; sid:25463; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0A 73 74 72 65 61 6D 0D 0A 78 9C BD 57 4D 6F DB 48 0C BD 2F B0 FF 81 C7 EC 49 F3 FD 01 14 05 D2|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0626; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:denial-of-service; sid:25467; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|0A 73 74 72 65 61 6D 0D 0A 78 9C BD 57 4D 6F DB 48 0C BD 2F B0 FF 81 C7 EC 49 F3 FD 01 14 05 D2|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0626; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:denial-of-service; sid:25469; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<template xmlns="; content:"http|3A|//www.xfa.org/",distance 1; content:"<event activity",distance 0; content:"initialize",within 50,distance 1; content:"application/x-javascript",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-1525; reference:cve,2012-1530; reference:url,prosauce.org/blog/2010/08/analyzing-cve-2010-0188-exploits-the-legend-of-pat-casey-part-1/; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; reference:url,www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation; reference:url,www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/; classtype:trojan-activity; sid:25475; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader JPX malformed code-block width attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|6A 50 20 20|"; content:"|FF 4F FF 51|",distance 0; byte_jump:2,36,relative,multiplier 3,big; content:"|FF 52 00 0C|",within 4; byte_test:1,>,16,5,relative; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,35274; reference:bugtraq,35289; reference:cve,2009-1859; reference:url,www.adobe.com/support/security/bulletins/apsb09-07.html; classtype:attempted-user; sid:25767; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader known malicious variable exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction "; content:"/JS ",within 100; content:"ROP_ADD_ESP_4 = "; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,osvdb.org/show/osvdb/90169; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:25818; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader known malicious variable exploit attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction "; content:"/JS ",within 100; content:"|5C|n",within 10; content:"|3B 5C|n",within 30,fast_pattern; content:"|5C|n",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,osvdb.org/show/osvdb/90169; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:25819; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader XML Java used in app.setTimeOut"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.setTimeOut"; content:"|2F|JavaScript"; content:"|2F|XFA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57931; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:26021; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF file with embedded PDF object"; flow:to_server,established; file_data; content:"EmbeddedFile",nocase; content:"3C7064663E",distance 0,nocase; content:"3C2F7064663E",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:26079; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|63 2F 55 46 28 70 6F 63 2E 73 77 66 29 3E 3E 0D|"; content:"|3C 2F 43 68 65 63 6B 53 75 6D 3C 31 36 43 44 45 32 43 39 44 38 41 44 37 37 30 35 46 41 32 31 36 46 31 33 34 46 41 46 37 38 35 30 3E 2F 43 72 65|",within 48,distance 112; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26113; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF version 1.1 with FlateDecode embedded - seen in exploit kits"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.1"; content:"/FlateDecode",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26231; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader javascript regex embedded sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)",fast_pattern; content:"RegEx",within 100,distance -100; pcre:"/^p?\s*\x5c\([^\x3b]*?\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)/Rims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-2550; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26650; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; file_data; content:"|C6 1D 00 E0 F7 FE 14 37 BD 08 6C 38 FA 1B 3B 69 62 2B 81 EB A6 5D 86 0D 68 96 74 2F 86 01 05 2D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26651; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; file_data; content:"|C6 1D 00 E0 F7 FE 14 37 BD 08 6C 38 FA 1B 3B 69 62 2B 81 EB A6 5D 86 0D 68 96 74 2F 86 01 05 2D|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26652; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj",nocase; content:"<<",within 4; content:"/La",within 100,nocase; content:"/F"; pcre:"/\/La(.)*?\s*?\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:26661; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj",nocase; content:"<<",within 4; content:"/La",within 100,nocase; content:"/F"; pcre:"/\/La(.)*?\s*?\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:26662; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader dll injection sandbox escape"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 00 68 3F 00 0F 00 6A 00 6A 00 6A 00 68 6F 05 00 00 68 01 00 00 80 89 54 24 40 FF 54 24 4C 83 EC 0C 68 E0 01 00 00 8D 44 24 68 50 6A 00 6A 00 68 A9 05 00 00 FF B4 24 78 10 00 00 FF 54 24 50 68 C5 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-2730; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26694; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Flash Player FLV file download request"; flow:to_server,established; http_uri; content:".flv"; pcre:"/\x2eflv([\?\x5c\x2f]|$)/msi"; flowbits:set,file.swf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.flv; classtype:misc-activity; sid:20544; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY CDR file download request"; flow:to_server,established; http_uri; content:".cdr"; pcre:"/\x2ecdr([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cdr; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/CorelDRAWCDR_file_format; classtype:misc-activity; sid:20588; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY CDR file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4,fast_pattern; content:"CDR",within 3,distance 4; flowbits:set,file.cdr; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/CorelDRAWCDR_file_format; classtype:misc-activity; sid:20589; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JAR file download request"; flow:to_server,established; http_uri; content:".jar"; pcre:"/\x2ejar([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jar; flowbits:noalert; service:http; classtype:misc-activity; sid:20621; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Media Player asf/wmv/wma file magic detected"; flow:to_client,established; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C| Se"; content:" |DB FE 4C F6 55 CF 11 9C 0F 00 A0 C9 03 49 CB|",within 16,distance 8; flowbits:set,file.asf; flowbits:set,file.wmv; flowbits:set,file.wma; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:12972; rev:13; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel file attachment detected"; flow:to_client,established; content:".xls"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exls[\x22\x27\s]/si"; flowbits:set,file.xls; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20792; rev:7; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Excel file attachment detected"; flow:to_server,established; content:".xls"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exls[\x22\x27\s]/si"; flowbits:set,file.xls; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20793; rev:8; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Word file attachment detected"; flow:to_client,established; content:".doc"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edoc[\x22\x27\s]/si"; flowbits:set,file.doc; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20795; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Word file attachment detected"; flow:to_server,established; content:".doc"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edoc[\x22\x27\s]/si"; flowbits:set,file.doc; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20796; rev:7; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".swf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eswf[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20798; rev:7; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".swf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eswf[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20799; rev:8; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Visio file attachment detected"; flow:to_client,established; content:".vsd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2evsd[\x22\x27\s]/si"; flowbits:set,file.visio; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20854; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Visio file attachment detected"; flow:to_server,established; content:".vsd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2evsd[\x22\x27\s]/si"; flowbits:set,file.visio; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20855; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Video Spirit visprj download attempt"; flow:to_server,established; http_uri; content:".visprj",nocase; pcre:"/\x2evisprj([\?\x5c\x2f]|$)/smi"; flowbits:set,file.visprj; flowbits:noalert; service:http; classtype:misc-activity; sid:20888; rev:4; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Video Spirit file attachment detected"; flow:to_client,established; content:".visprj"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2evisprj[\x22\x27\s]/si"; flowbits:set,file.visprj; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20893; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Video Spirit file attachment detected"; flow:to_server,established; content:".visprj"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2evisprj[\x22\x27\s]/si"; flowbits:set,file.visprj; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20894; rev:7; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY X PixMap file attachment detected"; flow:to_client,established; content:".xpm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2expm[\x22\x27\s]/si"; flowbits:set,file.xpm; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20905; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY X PixMap file attachment detected"; flow:to_server,established; content:".xpm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2expm[\x22\x27\s]/si"; flowbits:set,file.xpm; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20906; rev:6; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY DXF file attachment detected"; flow:to_client,established; content:".dxf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edxf[\x22\x27\s]/si"; flowbits:set,file.dxf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20907; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY DXF file attachment detected"; flow:to_server,established; content:".dxf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edxf[\x22\x27\s]/si"; flowbits:set,file.dxf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20908; rev:5; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media ASF file attachment detected"; flow:to_client,established; content:".asf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2easf[\x22\x27\s]/si"; flowbits:set,file.asf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20909; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Media ASF file attachment detected"; flow:to_server,established; content:".asf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2easf[\x22\x27\s]/si"; flowbits:set,file.asf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20910; rev:6; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY EPS file attachment detected"; flow:to_client,established; content:".eps"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eeps[\x22\x27\s]/si"; flowbits:set,file.eps; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20911; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY EPS file attachment detected"; flow:to_server,established; content:".eps"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eeps[\x22\x27\s]/si"; flowbits:set,file.eps; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20912; rev:6; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XML Shareable Playlist Format file attachment detected"; flow:to_client,established; content:".xspf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exspf[\x22\x27\s]/si"; flowbits:set,file.xspf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20913; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML Shareable Playlist Format file attachment detected"; flow:to_server,established; content:".xspf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exspf[\x22\x27\s]/si"; flowbits:set,file.xspf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20914; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PLS file magic detected"; flow:to_client,established; file_data; content:"[playlist]",depth 11; flowbits:set,file.pls; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20924; rev:6; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Pagemaker file attachment detected"; flow:to_client,established; content:".pmd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epmd[\x22\x27\s]/si"; flowbits:set,file.pmd; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20925; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Pagemaker file attachment detected"; flow:to_server,established; content:".pmd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epmd[\x22\x27\s]/si"; flowbits:set,file.pmd; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20926; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_client,established; file_data; content:"<smil>",depth 6; flowbits:set,file.smil; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:20928; rev:6; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY QCP file attachment detected"; flow:to_client,established; content:".qcp"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eqcp[\x22\x27\s]/si"; flowbits:set,file.qcp; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20935; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY QCP file attachment detected"; flow:to_server,established; content:".qcp"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eqcp[\x22\x27\s]/si"; flowbits:set,file.qcp; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20936; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4v"; pcre:"/\x2ef4v([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20937; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4p"; pcre:"/\x2ef4p([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20938; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4a"; pcre:"/\x2ef4a([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20939; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4b"; pcre:"/\x2ef4b([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20940; rev:4; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4v"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4v[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20941; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4v"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4v[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20942; rev:6; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4p"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4p[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20943; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4p"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4p[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20944; rev:6; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4a"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4a[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20945; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4a"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4a[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20946; rev:6; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4b"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4b[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20947; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4b"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4b[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20948; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"moof",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20950; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"mfra",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20951; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"skip",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20952; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"junk",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20953; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"wide",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20954; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"pnot",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20955; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"pict",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20956; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"meta",depth 4,offset 4; content:"hdlr",distance 0; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20957; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"meco",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20958; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"uuid",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20959; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY TTE file download request"; flow:to_server,established; http_uri; content:".tte"; pcre:"/\x2ette([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ttf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:20961; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY OTF file download request"; flow:to_server,established; http_uri; content:".otf"; pcre:"/\x2eotf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ttf; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:20962; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SAMI file download request"; flow:to_server,established; http_uri; content:".sami"; pcre:"/\x2esami([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20964; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpe"; pcre:"/\x2ejpe([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20965; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jif"; pcre:"/\x2ejif([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20966; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jfi"; pcre:"/\x2ejfif?([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20967; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple disk image file download request"; flow:to_server, established; http_uri; content:".img"; pcre:"/\x2eimg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dmg; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Apple_Disk_Image; classtype:misc-activity; sid:20968; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4A file download request"; flow:to_server,established; http_uri; content:".m4a"; pcre:"/\x2em4a([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20969; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4P file download request"; flow:to_server,established; http_uri; content:".m4p"; pcre:"/\x2em4p([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20970; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4R file download request"; flow:to_server,established; http_uri; content:".m4r"; pcre:"/\x2em4r([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20971; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4V file magic request"; flow:to_server,established; http_uri; content:".m4v"; pcre:"/\x2em4v([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:set,file.m4v; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20972; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4B file download request"; flow:to_server,established; http_uri; content:".m4b"; pcre:"/\x2em4b([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20973; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY 3GP file download request"; flow:to_server,established; http_uri; content:".3gp"; pcre:"/\x2e3gp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20974; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY 3G2 file download request"; flow:to_server,established; http_uri; content:".3g2"; pcre:"/\x2e3g2([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20975; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY K3G file download request"; flow:to_server,established; http_uri; content:".k3g"; pcre:"/\x2ek3g([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20976; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SKM file download request"; flow:to_server,established; http_uri; content:".skm"; pcre:"/\x2eskm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; service:http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20977; rev:5; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY TTE file attachment detected"; flow:to_client,established; content:".tte"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ette[\x22\x27\s]/si"; flowbits:set,file.ttf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20978; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY TTE file attachment detected"; flow:to_server,established; content:".tte"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ette[\x22\x27\s]/si"; flowbits:set,file.ttf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20979; rev:7; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY OTF file attachment detected"; flow:to_client,established; content:".otf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eotf[\x22\x27\s]/si"; flowbits:set,file.ttf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20980; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY OTF file attachment detected"; flow:to_server,established; content:".otf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eotf[\x22\x27\s]/si"; flowbits:set,file.ttf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20981; rev:7; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected"; flow:to_client,established; content:".ppt"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eppt[\x22\x27\s]/si"; flowbits:set,file.ppt; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:20982; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected"; flow:to_server,established; content:".ppt"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eppt[\x22\x27\s]/si"; flowbits:set,file.ppt; flowbits:noalert; service:smtp; classtype:misc-activity; sid:20983; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY TTF file magic detected"; flow:to_client,established; file_data; content:"|00 01 00 00|"; content:"cmap",distance 0,fast_pattern; flowbits:set,file.ttf; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20991; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY SAMI file magic detected"; flow:to_client,established; file_data; content:"|3C|SAMI"; flowbits:set,file.smi; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:20992; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office PowerPoint file magic detected"; flow:to_client,established; file_data; content:"P|00|o|00|w|00|e|00|r|00|P|00|o|00|i|00|n|00|t|00 20 00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t"; flowbits:isset,file.ppt; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:21011; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Visio file magic detected"; flow:established,to_client; file_data; content:"Visio |28|TM|29| Drawing|0D 0A|"; flowbits:set,file.visio; flowbits:noalert; service:http; service:imap, pop3; reference:url,office.microsoft.com/en-us/visio/default.aspx; classtype:policy-violation; sid:11835; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Media Player compressed skin download request"; flow:established,to_server; http_uri; content:".wmd",nocase; pcre:"/\x2ewmd([\?\x5c\x2f]|$)/smi"; service:http; reference:bugtraq,25305; reference:cve,2007-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-047; classtype:policy-violation; sid:17546; rev:6; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_client,established; content:".pdf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epdf[\x22\x27\s]/si"; flowbits:set,file.pdf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21035; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_server,established; content:".pdf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epdf[\x22\x27\s]/si"; flowbits:set,file.pdf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21036; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI Video file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"AVI LIST",within 8,distance 4; flowbits:set,file.avi.video; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:21059; rev:5; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_client,established; content:".avi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eavi[\x22\x27\s]/si"; flowbits:set,file.avi; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21061; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_server,established; content:".avi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eavi[\x22\x27\s]/si"; flowbits:set,file.avi; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21062; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MPEG video stream file download request"; flow:to_server,established; http_uri; content:".mpeg"; pcre:"/\x2empeg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mpeg; flowbits:noalert; service:http; classtype:misc-activity; sid:21109; rev:6; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG video stream file attachment detected"; flow:to_client,established; content:".mpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2empeg[\x22\x27\s]/si"; flowbits:set,file.mpeg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21110; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MPEG video stream file attachment detected"; flow:to_server,established; content:".mpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2empeg[\x22\x27\s]/si"; flowbits:set,file.mpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21111; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Cisco Webex Player .wrf file magic detected"; flow:to_client,established; file_data; content:"|57 4F 54 46|"; flowbits:set,file.wrf; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:21113; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY New Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ",depth 2; byte_jump:4,58,relative,little; content:"NE",within 2,distance -64; service:http; service:imap, pop3; reference:url,support.microsoft.com/kb/65122; classtype:misc-activity; sid:21244; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XSL file download request"; flow:to_server,established; http_uri; content:".xsl"; pcre:"/\x2exsl([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xml; flowbits:noalert; service:http; classtype:misc-activity; sid:21282; rev:3; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_client,established; content:".xsl"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exsl[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21283; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_server,established; content:".xsl"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exsl[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21284; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XSLT file download request"; flow:to_server,established; http_uri; content:".xslt"; pcre:"/\x2exslt([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xml; flowbits:noalert; service:http; classtype:misc-activity; sid:21285; rev:3; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_client,established; content:".xslt"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exslt[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21286; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_server,established; content:".xslt"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exslt[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21287; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML download detected"; flow:to_client,established; http_header; content:"Content-Type|3A|",nocase; content:"text/xml",within 20,fast_pattern,nocase; flowbits:set,file.xml; flowbits:noalert; service:http; classtype:misc-activity; sid:21288; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY paq8o file download request"; flow:to_server,established; http_uri; content:".paq8o"; pcre:"/\x2epaq8o([\?\x5c\x2f]|$)/smi"; flowbits:set,file.zip; flowbits:noalert; service:http; classtype:misc-activity; sid:21410; rev:4; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_client,established; content:".paq8o"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epaq8o[\x22\x27\s]/si"; flowbits:set,file.zip; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21411; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_server,established; content:".paq8o"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epaq8o[\x22\x27\s]/si"; flowbits:set,file.zip; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21412; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows CHM file magic detected"; flow:to_client,established; file_data; content:"ITSF",depth 4; content:"ITSP",within 112; flowbits:set,file.chm; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,13953; reference:cve,2005-1208; reference:nessus,18482; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-026; classtype:attempted-user; sid:3820; rev:17; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY CHM file attachment detected"; flow:to_client,established; content:".chm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2echm[\x22\x27\s]/si"; flowbits:set,file.chm; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21478; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY CHM file attachment detected"; flow:to_server,established; content:".chm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2echm[\x22\x27\s]/si"; flowbits:set,file.chm; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21479; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<xml>",depth 50,nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:21480; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<?xml",depth 50,nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:21498; rev:4; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_client,established; content:".xml"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exml[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21499; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_server,established; content:".xml"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exml[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21500; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Media Player compressed skin download request"; flow:established,to_server; http_uri; content:".wmz",nocase; pcre:"/\x2ewmz([\?\x5c\x2f]|$)/smi"; service:http; reference:bugtraq,25305; reference:cve,2007-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-047; classtype:misc-activity; sid:12278; rev:10; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_client,established; content:".png"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epng[\x22\x27\s]/si"; flowbits:set,file.png; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21613; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_server,established; content:".png"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epng[\x22\x27\s]/si"; flowbits:set,file.png; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21614; rev:3; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY WMF file attachment detected"; flow:to_client,established; content:".wmf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ewmf[\x22\x27\s]/si"; flowbits:set,file.wmf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21615; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY WMF file attachment detected"; flow:to_server,established; content:".wmf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ewmf[\x22\x27\s]/si"; flowbits:set,file.wmf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21616; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY WAV file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"WAVE",within 4,distance 4; flowbits:set,file.wav; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:21620; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"AVI ",within 4,distance 4; flowbits:set,file.avi; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:21621; rev:3; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_client,established; content:".pct",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epct[\x22\x27\s]/si"; flowbits:set,file.pct; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21648; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_server,established; content:".pct",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epct[\x22\x27\s]/si"; flowbits:set,file.pct; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21649; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY QuickDraw/PICT file download request"; flow:to_server,established; http_uri; content:".pict"; pcre:"/\x2epict([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pct; flowbits:noalert; service:http; classtype:misc-activity; sid:21650; rev:3; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_client,established; content:".pict",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epict[\x22\x27\s]/si"; flowbits:set,file.pct; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21651; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_server,established; content:".pict",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epict[\x22\x27\s]/si"; flowbits:set,file.pct; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21652; rev:3; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PLS file attachment detected"; flow:to_client,established; content:".pls"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epls[\x22\x27\s]/si"; flowbits:set,file.pls; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21687; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PLS file attachment detected"; flow:to_server,established; content:".pls"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epls[\x22\x27\s]/si"; flowbits:set,file.pls; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21688; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY SMIL file attachment detected"; flow:to_client,established; content:".smil"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esmil[\x22\x27\s]/si"; flowbits:set,file.smil; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21691; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SMIL file attachment detected"; flow:to_server,established; content:".smil"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esmil[\x22\x27\s]/si"; flowbits:set,file.smil; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21692; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_client,established; content:".smi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esmi[\x22\x27\s]/si"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21695; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_server,established; content:".smi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esmi[\x22\x27\s]/si"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21696; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_client,established; content:".sami"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esami[\x22\x27\s]/si"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21697; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_server,established; content:".sami"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esami[\x22\x27\s]/si"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21698; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel xlw file attachment detected"; flow:to_client,established; content:".xlw"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exlw[\x22\x27\s]/si"; flowbits:set,file.xls; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21699; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Excel xlw file attachment detected"; flow:to_server,established; content:".xlw"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exlw[\x22\x27\s]/si"; flowbits:set,file.xls; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21700; rev:5; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY FlashPix file attachment detected"; flow:to_client,established; content:".fpx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2efpx[\x22\x27\s]/si"; flowbits:set,file.fpx; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21701; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY FlashPix file attachment detected"; flow:to_server,established; content:".fpx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2efpx[\x22\x27\s]/si"; flowbits:set,file.fpx; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21702; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY 4XM file attachment detected"; flow:to_client,established; content:".4xm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2e4xm[\x22\x27\s]/si"; flowbits:set,file.4xm; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21703; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY 4XM file attachment detected"; flow:to_server,established; content:".4xm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2e4xm[\x22\x27\s]/si"; flowbits:set,file.4xm; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21704; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY BitTorrent torrent file attachment detected"; flow:to_client,established; content:".torrent"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2etorrent[\x22\x27\s]/si"; flowbits:set,file.torrent; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21705; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY BitTorrent torrent file attachment detected"; flow:to_server,established; content:".torrent"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2etorrent[\x22\x27\s]/si"; flowbits:set,file.torrent; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21706; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PFA file download request"; flow:to_server,established; http_uri; content:".pfa"; pcre:"/\x2epfa([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; service:http; classtype:misc-activity; sid:21711; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PFA file magic detected"; flow:to_client,established; file_data; content:"%!PS-AdobeFont-1.0"; flowbits:set,file.psfont; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:21712; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PFA file attachment detected"; flow:to_client,established; content:".pfa"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfa[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21713; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PFA file attachment detected"; flow:to_server,established; content:".pfa"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfa[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21714; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PFB file download request"; flow:to_server,established; http_uri; content:".pfb"; pcre:"/\x2epfb([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; service:http; classtype:misc-activity; sid:21715; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PFB file attachment detected"; flow:to_client,established; content:".pfb"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfb[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21716; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PFB file attachment detected"; flow:to_server,established; content:".pfb"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfb[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21717; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PFM file download request"; flow:to_server,established; http_uri; content:".pfm"; pcre:"/\x2epfm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; service:http; classtype:misc-activity; sid:21718; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PFM file attachment detected"; flow:to_client,established; content:".pfm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfm[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21719; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PFM file attachment detected"; flow:to_server,established; content:".pfm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfm[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21720; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY AFM file download request"; flow:to_server,established; http_uri; content:".afm"; pcre:"/\x2eafm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; service:http; classtype:misc-activity; sid:21721; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY AFM file attachment detected"; flow:to_client,established; content:".afm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eafm[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21722; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY AFM file attachment detected"; flow:to_server,established; content:".afm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eafm[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21723; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY ANI file download request"; flow:to_server,established; http_uri; content:".ani"; pcre:"/\x2eani([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ani; flowbits:noalert; service:http; classtype:misc-activity; sid:21724; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_client,established; content:".ani"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eani[\x22\x27\s]/si"; flowbits:set,file.ani; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21725; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_server,established; content:".ani"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eani[\x22\x27\s]/si"; flowbits:set,file.ani; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21726; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY ANI file magic detection"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"ACON",within 4,distance 4; flowbits:set,file.ani; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:21727; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21728; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21729; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpeg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21730; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpeg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21731; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".pjpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epjpeg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21732; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".pjpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epjpeg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21733; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpe[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21734; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpe[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21735; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jif"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejif[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21736; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jif"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejif[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21737; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jfi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejfif?[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21738; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jfi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejfif?[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21739; rev:3; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media asx file attachment detected"; flow:to_client,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2easx[\x22\x27\s]/si"; flowbits:set,file.asx; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21740; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Media asx file attachment detected"; flow:to_server,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2easx[\x22\x27\s]/si"; flowbits:set,file.asx; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21741; rev:3; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Embedded Open Type Font file attachment detected"; flow:to_client,established; content:".eot"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eeot[\x22\x27\s]/si"; flowbits:set,file.eot; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21742; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Embedded Open Type Font file attachment detected"; flow:to_server,established; content:".eot"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eeot[\x22\x27\s]/si"; flowbits:set,file.eot; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21743; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_client,established; content:".avi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eavi[\x22\x27\s]/si"; flowbits:set,file.avi; flowbits:set,file.avi.video; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21744; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_server,established; content:".avi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eavi[\x22\x27\s]/si"; flowbits:set,file.avi; flowbits:set,file.avi.video; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21745; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_client,established; content:".rtf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ertf[\x22\x27\s]/si"; flowbits:set,file.rtf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21746; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_server,established; content:".rtf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ertf[\x22\x27\s]/si"; flowbits:set,file.rtf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21747; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY HPJ file download request"; flow:to_server,established; http_uri; content:".hpj"; pcre:"/\x2ehpj([\?\x5c\x2f]|$)/smi"; flowbits:set,file.hpj; flowbits:noalert; service:http; classtype:misc-activity; sid:21748; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY HPJ file attachment detected"; flow:to_client,established; content:".hpj"; content:"Content-Disposition: attachment|3b|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ehpj[\x22\x27\s]/si"; flowbits:set,file.hpj; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21749; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY HPJ file attachment detected"; flow:to_server,established; content:".hpj"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ehpj[\x22\x27\s]/si"; flowbits:set,file.hpj; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21750; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY HPJ file magic detected"; flow:to_client,established; file_data; content:"[OPTIONS]"; flowbits:set,file.hpj; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:21751; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY LNK file attachment detected"; flow:to_client,established; content:".lnk"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2elnk[\x22\x27\s]/si"; flowbits:set,file.lnk; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21854; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY LNK file attachment detected"; flow:to_server,established; content:".lnk"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2elnk[\x22\x27\s]/si"; flowbits:set,file.lnk; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21855; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_client,established; content:".zip"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; flowbits:set,file.zip; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21856; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; content:".zip"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; flowbits:set,file.zip; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21857; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY WRF file attachment detected"; flow:to_client,established; content:".wrf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ewrf[\x22\x27\s]/si"; flowbits:set,file.wrf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21861; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY WRF file attachment detected"; flow:to_server,established; content:".wrf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ewrf[\x22\x27\s]/si"; flowbits:set,file.wrf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21862; rev:5; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_client,established; content:".cov"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ecov[\x22\x27\s]/si"; flowbits:set,file.cov; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21865; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_server,established; content:".cov"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ecov[\x22\x27\s]/si"; flowbits:set,file.cov; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21866; rev:5; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_client,established; content:".cpe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ecpe[\x22\x27\s]/si"; flowbits:set,file.cov; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21867; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_server,established; content:".cpe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ecpe[\x22\x27\s]/si"; flowbits:set,file.cov; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21868; rev:5; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY GIF file attachment detected"; flow:to_client,established; content:".gif"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2egif[\x22\x27\s]/si"; flowbits:set,file.gif; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21872; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY GIF file attachment detected"; flow:to_server,established; content:".gif"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2egif[\x22\x27\s]/si"; flowbits:set,file.gif; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21873; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Publisher file attachment detected"; flow:to_client,established; content:".pub"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epub[\x22\x27\s]/si"; flowbits:set,file.pub; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21884; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Publisher file attachment detected"; flow:to_server,established; content:".pub"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epub[\x22\x27\s]/si"; flowbits:set,file.pub; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21885; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY OpenType Font file attachment detected"; flow:to_client,established; content:".otf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eotf[\x22\x27\s]/si"; flowbits:set,file.otf; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21886; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY OpenType Font file attachment detected"; flow:to_server,established; content:".otf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eotf[\x22\x27\s]/si"; flowbits:set,file.otf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21887; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Movie Maker file attachment detected"; flow:to_client,established; content:".mswmm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2emswmm[\x22\x27\s]/si"; flowbits:set,file.mswmm; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21888; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Movie Maker file attachment detected"; flow:to_server,established; content:".mswmm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2emswmm[\x22\x27\s]/si"; flowbits:set,file.mswmm; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21889; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_client,established; content:".dcr"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edcr[\x22\x27\s]/si"; flowbits:set,file.dir; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21890; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_server,established; content:".dcr"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edcr[\x22\x27\s]/si"; flowbits:set,file.dir; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21891; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_client,established; content:".dir"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edir[\x22\x27\s]/si"; flowbits:set,file.dir; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21892; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_server,established; content:".dir"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edir[\x22\x27\s]/si"; flowbits:set,file.dir; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21893; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_client,established; content:".exe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eexe[\x22\x27\s]/si"; flowbits:set,file.exe; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:21908; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_server,established; content:".exe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eexe[\x22\x27\s]/si"; flowbits:set,file.exe; flowbits:noalert; service:smtp; classtype:misc-activity; sid:21909; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY OpenType Font file magic detection"; flow:to_client,established; file_data; content:"OTTO",depth 4; flowbits:set,file.otf; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:21999; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Visual Basic v6.0 - additional file magic detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 25|"; content:"|68|",within 1,distance 4; content:"|E8|",within 1,distance 4; content:"|FF FF FF|",within 3,distance 1; content:"|30|",within 1,distance 6; service:http; service:imap, pop3; classtype:misc-activity; sid:22002; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file download request"; flow:to_server,established; http_uri; content:".vap"; pcre:"/\x2evap([\?\x5c\x2f]|$)/smi"; flowbits:set,file.vap; flowbits:noalert; service:http; classtype:misc-activity; sid:22025; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file attachment detected"; flow:to_client,established; content:".vap"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2evap\x22/i"; flowbits:set,file.vap; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:22026; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file attachment detected"; flow:to_server,established; content:".vap"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2evap\x22/i"; flowbits:set,file.vap; flowbits:noalert; service:smtp; classtype:misc-activity; sid:22027; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file magic detected"; flow:to_client,established; file_data; content:"Microsoft Developer Studio Project File - Analyzer Project"; flowbits:set,file.vap; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:22028; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG Layer 3 playlist file attachment detected"; flow:to_client,established; content:".m3u"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2em3u\x22/i"; flowbits:set,file.m3u; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:22971; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY m3u playlist file file attachment detected"; flow:to_server,established; content:".m3u"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2em3u[\x22\x27\s]/si"; flowbits:set,file.m3u; flowbits:noalert; service:smtp; classtype:misc-activity; sid:22972; rev:3; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MP4 file attachment detected"; flow:to_client,established; content:".mp4"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emp4\x22/i"; flowbits:set,file.mp4; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:22993; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MP4 file attachment detected"; flow:to_server,established; content:".mp4"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emp4\x22/i"; flowbits:set,file.mp4; flowbits:noalert; service:smtp; classtype:misc-activity; sid:22994; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_client,established; file_data; content:"|00 09 00 00 03|",depth 6; flowbits:set,file.wmf; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:22999; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY download of RMF file - potentially malicious"; flow:established,to_client; file_data; content:"IREZ",depth 4; content:"MThd",distance 0; flowbits:set,file.rmf; metadata:policy security-ips drop; service:http, imap, pop3; reference:bugtraq,39077; reference:cve,2010-0842; classtype:misc-activity; sid:17106; rev:7; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Lotus 123 file attachment"; flow:to_server,established; content:".123"; content:"Content-Disposition|3A| attachment|3B|"; pcre:"/filename\s*=[^\n]*\.123/si"; metadata:policy security-ips drop; service:smtp; reference:bugtraq,26200; reference:bugtraq,27835; reference:cve,2007-4222; reference:cve,2007-6593; reference:url,www-1.ibm.com/support/docview.wss?uid=swg21285600; reference:url,www.coresecurity.com/index.php5?action=item&id=2008; classtype:suspicious-filename-detect; sid:12807; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MPG video stream file download request"; flow:to_server,established; http_uri; content:".mpg",nocase; pcre:"/\x2empg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mpeg; flowbits:noalert; service:http; classtype:misc-activity; sid:23167; rev:4; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MPG video stream file attachment detected"; flow:to_client,established; content:".mpg"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2empg\x22/i"; flowbits:set,file.mpeg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:23168; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MPG video stream file attachment detected"; flow:to_server,established; content:".mpg"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2empg\x22/i"; flowbits:set,file.mpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23169; rev:4; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wma"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewma\x22/i"; flowbits:set,file.asx&file.wma; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:23188; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wma"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewma\x22/i"; flowbits:set,file.asx&file.wma; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23189; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wmv",nocase; pcre:"/\x2ewmv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; service:http; classtype:misc-activity; sid:23190; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wmv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewmv\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:23191; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wmv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewmv\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23192; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wm",nocase; pcre:"/\x2ewm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; service:http; classtype:misc-activity; sid:23193; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wm"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewm\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:23194; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wm"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewm\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23195; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wax",nocase; pcre:"/\x2ewax([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; service:http; classtype:misc-activity; sid:23196; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wax"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewax\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:23197; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wax"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewax\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23198; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wvx",nocase; pcre:"/\x2ewvx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; service:http; classtype:misc-activity; sid:23199; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wvx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewvx\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:23200; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wvx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewvx\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23201; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".asx",nocase; pcre:"/\x2easx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; service:http; classtype:misc-activity; sid:23202; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2easx\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:23203; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2easx\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23204; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wmx",nocase; pcre:"/\x2ewmx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; service:http; classtype:misc-activity; sid:23205; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wmx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewmx\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:23206; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wmx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewmx\x22/i"; flowbits:set,file.asx; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23207; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY TAR file download request"; flow:to_client,established; file_data; content:"ustar",depth 5,offset 257; flowbits:set,file.tar; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:23322; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Java .class file attachment detected"; flow:to_client,established; content:".class"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eclass\x22/i"; flowbits:set,file.class; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:23637; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Java .class file attachment detected"; flow:to_server,established; content:".class"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eclass\x22/i"; flowbits:set,file.class; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23638; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MPEG video stream file magic detected"; flow:to_server,established; file_data; content:"|00 00 01 B3|",depth 4; flowbits:set,file.mpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23639; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MPEG sys stream file magic detected"; flow:to_server,established; file_data; content:"|00 00 01 BA|",depth 4; flowbits:set,file.mpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23640; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RealNetworks Real Media file magic detected"; flow:to_server,established; file_data; content:".RMF",depth 4; flowbits:set,file.realplayer; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23645; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY GIF file magic detected"; flow:to_server,established; file_data; content:"GIF8",depth 4,fast_pattern; content:"a",within 1,distance 1; flowbits:set,file.gif; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23647; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_server,established; file_data; content:"ID3",depth 3; flowbits:set,file.mp3; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23648; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg Stream file magic detected"; flow:to_server,established; file_data; content:"OggS|00|",depth 5; flowbits:set,file.ogg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23650; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|",depth 4; content:!"|14 00 06 00|",within 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23651; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK00PK|03 04|",depth 8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23652; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23653; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23654; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23655; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 07|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23656; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23657; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RIFX file magic detected"; flow:to_server,established; file_data; content:"RIFX",depth 4; flowbits:set,file.dir; flowbits:set,file.swf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23658; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY ELF file magic detected"; flow:to_server,established; file_data; content:"|7F|ELF",depth 4; flowbits:set,file.elf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23663; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",depth 8; flowbits:set,file.png; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23664; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_server,established; file_data; content:"|FF FB 90|",depth 3; flowbits:set,file.mp3; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23666; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23667; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:24457; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF EE|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:24458; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_server,established; file_data; content:"{|5C|rt"; flowbits:set,file.rtf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23670; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Universal Binary/Java Bytecode file magic detected"; flow:to_server,established; file_data; content:"|CA FE BA BE|",depth 4; flowbits:set,file.universalbinary; flowbits:set,file.class; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23676; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY jarpack file magic detected"; flow:to_server,established; file_data; content:"|CA FE D0 0D|",depth 4; flowbits:set,file.class; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23677; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_server,established; file_data; content:"%PDF-",nocase; flowbits:set,file.pdf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23678; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY compressed Adobe Shockwave Flash file magic detected"; flow:to_server,established; file_data; content:"CWS",depth 3; byte_test:1,>=,0x06,0,relative; flowbits:set,file.cws; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23679; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_server,established; file_data; content:"FWS"; byte_test:1,<,20,0,relative; isdataat:5,relative; content:!"|00 00 00 00|",within 4,distance 1; flowbits:set,file.swf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23680; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_server,established; file_data; content:"FLV|01|"; flowbits:set,file.swf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23681; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"moov",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23682; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"ftyp",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23683; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"mdat",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23684; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"free",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23685; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_server,established; file_data; content:"XFIR",depth 4; flowbits:set,file.swf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23687; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY dmg file magic detected"; flow:to_server,established; file_data; content:"ER|02 00|",depth 4; flowbits:set,file.dmg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23691; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Excel xlw file magic detected"; flow:to_server,established; file_data; content:"|09 08 10 00 00 06 00 01|"; flowbits:set,file.xls; flowbits:noalert; service:smtp; reference:url,sc.openoffice.org/excelfileformat.pdf; classtype:misc-activity; sid:23697; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Media ASF file magic detected"; flow:to_server,established; file_data; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|",depth 16; flowbits:set,file.asf; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:23698; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft SYmbolic LinK file magic detected"; flow:to_server,established; file_data; content:"ID|3B|P",depth 4,nocase; content:"|0A|",within 3; byte_test:1,>=,0x41,0,relative; byte_test:1,<=,0x7A,0,relative; content:"|3B|",within 4; flowbits:set,file.slk; flowbits:noalert; service:smtp; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK); reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:23701; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft asf file magic detected"; flow:to_server,established; file_data; content:"0&|B2|u",depth 4; flowbits:set,file.asf; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:23703; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|",within 4,distance 16; flowbits:set,file.oless.v3; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23707; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Tiff little endian file magic detected"; flow:to_server,established; file_data; content:"II|2A 00|",depth 4; flowbits:set,file.tiff.little; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:23709; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Tiff big endian file magic detected"; flow:to_server,established; file_data; content:"MM|00 2A|",depth 4; flowbits:set,file.tiff.big; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:23710; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY OLE Document file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23711; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Excel file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0|",depth 4; content:"W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|",distance 0,fast_pattern; flowbits:set,file.xls; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23712; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Publisher file magic detected"; flow:to_server,established; file_data; content:"CHNKINK "; flowbits:set,file.pub; service:smtp; reference:cve,2006-0001; reference:url,en.wikipedia.org/wiki/Microsoft_publisher; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-054; classtype:misc-activity; sid:23714; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Access JSDB file magic detected"; flow:to_server,established; file_data; content:"Jet System DB"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/advisory/950627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:23716; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Access TJDB file magic detected"; flow:to_server,established; file_data; content:"Temp Jet DB"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/advisory/950627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:23717; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Office Access MSISAM file magic detected"; flow:to_server,established; file_data; content:"MSISAM Database"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/advisory/950627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:23718; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RealNetworks Realplayer REC file magic detected"; flow:to_server,established; file_data; content:".rec|00|",depth 5; flowbits:set,file.realplayer; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:23720; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RealNetworks Realplayer .r1m file magic detected"; flow:to_server,established; file_data; content:".r1m",depth 4; flowbits:set,file.realplayer; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:23721; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY M3U file magic detected"; flow:to_server,established; file_data; content:"|23|EXTM3U",depth 7; flowbits:set,file.m3u; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/.m3u; classtype:misc-activity; sid:23723; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Director Movie file magic detected"; flow:to_server,established; file_data; content:"Shockwave 3D"; content:"XFIR",depth 4; flowbits:set,file.dir; flowbits:noalert; service:smtp; reference:url,www.fileinfo.com/extension/dir; classtype:misc-activity; sid:23724; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; flowbits:set,file.exe; service:smtp; classtype:misc-activity; sid:23725; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Flash Video file magic detected"; flow:to_server,established; file_data; content:"FLV|01|"; content:"|00 00 00 09|",within 4,distance 1; flowbits:set,file.swf; flowbits:set,file.flv; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/.flv; classtype:misc-activity; sid:23727; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PICT file magic detected"; flow:to_server,established; file_data; content:"PICT",depth 4; flowbits:set,file.pct; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23729; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY CDR file magic detected"; flow:to_server,established; file_data; content:"RIFF",depth 4,fast_pattern; content:"CDR",within 3,distance 4; flowbits:set,file.cdr; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/CorelDRAWCDR_file_format; classtype:misc-activity; sid:23731; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Media Player .asf file magic detected"; flow:to_server,established; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C| Se"; content:" |DB FE FC F6 55 CF 11 9C 0F 00 A0 C9 03 49 CB|",within 16,distance 8; flowbits:set,file.asf; flowbits:set,file.wmv; flowbits:set,file.wma; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23732; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PLS file magic detected"; flow:to_server,established; file_data; content:"[playlist]",depth 11; flowbits:set,file.pls; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23736; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_server,established; file_data; content:"<smil>",depth 6; flowbits:set,file.smil; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:23737; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"moof",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23738; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"mfra",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23739; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"skip",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23740; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"junk",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23741; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"wide",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23742; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"pnot",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23743; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"pict",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23744; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"meta",depth 4,offset 4; content:"hdlr",distance 0; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23745; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"meco",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23746; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"uuid",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23747; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY TTF file magic detected"; flow:to_server,established; file_data; content:"|00 01 00 00|"; content:"cmap",distance 0; flowbits:set,file.ttf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23748; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SAMI file magic detected"; flow:to_server,established; file_data; content:"|3C|SAMI"; flowbits:set,file.smi; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23749; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Visio file magic detected"; flow:established,to_server; file_data; content:"Visio |28|TM|29| Drawing|0D 0A|"; flowbits:set,file.visio; flowbits:noalert; service:smtp; reference:url,office.microsoft.com/en-us/visio/default.aspx; classtype:policy-violation; sid:23753; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY AVI Video file magic detected"; flow:to_server,established; file_data; content:"RIFF",depth 4; content:"AVI LIST",within 8,distance 4; flowbits:set,file.avi.video; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23754; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Cisco Webex Player .wrf file magic detected"; flow:to_server,established; file_data; content:"|57 4F 54 46|"; flowbits:set,file.wrf; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23755; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows CHM file magic detected"; flow:to_server,established; content:"ITSF",depth 4; content:"ITSP",within 112; flowbits:set,file.chm; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,13953; reference:cve,2005-1208; reference:nessus,18482; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-026; classtype:attempted-user; sid:23757; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"<xml>",depth 50,nocase; flowbits:set,file.xml; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23758; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"<?xml",depth 50,nocase; flowbits:set,file.xml; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23759; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY WAV file magic detected"; flow:to_server,established; file_data; content:"RIFF",depth 4; content:"WAVE",within 4,distance 4; flowbits:set,file.wav; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23760; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY AVI file magic detected"; flow:to_server,established; file_data; content:"RIFF",depth 4; content:"AVI ",within 4,distance 4; flowbits:set,file.avi; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23761; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PFA file magic detected"; flow:to_server,established; file_data; content:"%!PS-AdobeFont-1.0"; flowbits:set,file.psfont; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23762; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY HPJ file magic detected"; flow:to_server,established; file_data; content:"[OPTIONS]"; flowbits:set,file.hpj; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23763; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file magic detected"; flow:to_server,established; file_data; content:"Microsoft Developer Studio Project File - Analyzer Project"; flowbits:set,file.vap; flowbits:noalert; service:smtp; classtype:misc-activity; sid:23772; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MP3 file download request"; flow:to_server,established; http_uri; content:".mp3"; pcre:"/\x2emp3([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mp3; flowbits:noalert; service:http; classtype:misc-activity; sid:24074; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MP3 file attachment detected"; flow:to_client,established; content:".mp3"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emp3\x22/i"; flowbits:set,file.mp3; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:24075; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MP3 file attachment detected"; flow:to_server,established; content:".mp3"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emp3\x22/i"; flowbits:set,file.mp3; flowbits:noalert; service:smtp; classtype:misc-activity; sid:24076; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY RMF file attachment detected"; flow:to_client,established; content:".rmf"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ermf\x22/i"; flowbits:set,file.rmf; flowbits:set,file.realplayer; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:24078; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RMF file attachment detected"; flow:to_server,established; content:".rmf"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ermf\x22/i"; flowbits:set,file.rmf; flowbits:set,file.realplayer; flowbits:noalert; service:smtp; classtype:misc-activity; sid:24079; rev:4; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Works file attachment detected"; flow:to_client,established; content:".wps"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewps\x22/i"; flowbits:set,file.works; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:24080; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Works file attachment detected"; flow:to_server,established; content:".wps"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewps\x22/i"; flowbits:set,file.works; flowbits:noalert; service:smtp; classtype:misc-activity; sid:24081; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY X PixMap file magic detected"; flow:to_client,established; file_data; content:"/* XPM */",depth 9; flowbits:set,file.xpm; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:24190; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP4 file magic detected"; flow:to_client,established; file_data; content:"ftypmp4",depth 7,offset 4; flowbits:set,file.mp4; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:24213; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_client,established; file_data; content:"SMILtext",depth 8; flowbits:set,file.smil; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:24218; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_server,established; file_data; content:"SMILtext",depth 8; flowbits:set,file.smil; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:24219; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY TIFF file attachment detected"; flow:to_client,established; content:".tif"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2etiff?\x22/i"; flowbits:set,file.tiff; flowbits:set,file.tiff.big; flowbits:set,file.tiff.little; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:24463; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY TIFF file attachment detected"; flow:to_server,established; content:".tif"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2etiff?\x22/i"; flowbits:set,file.tiff; flowbits:set,file.tiff.big; flowbits:set,file.tiff.little; flowbits:noalert; service:smtp; classtype:misc-activity; sid:24464; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_server,established; file_data; content:"|00 09 00 00 03|",depth 6; flowbits:set,file.wmf; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:24465; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY FLV file attachment detected"; flow:to_client,established; content:".flv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eflv\x22/i"; flowbits:set,file.flv; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:24472; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY FLV file attachment detected"; flow:to_server,established; content:".flv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eflv\x22/i"; flowbits:set,file.flv; flowbits:noalert; service:smtp; classtype:misc-activity; sid:24473; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Embedded Open Type Font file magic detected"; flow:to_client,established; file_data; content:"|90 01 00 00 00 00 4C 50|",depth 8,offset 28; content:"|00|",within 1,distance 49; flowbits:set,file.eot; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/Embedded_OpenType; classtype:misc-activity; sid:24483; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Embedded Open Type Font file magic detected"; flow:to_server,established; file_data; content:"|90 01 00 00 00 00 4C 50|",depth 8,offset 28; content:"|00|",within 1,distance 49; flowbits:set,file.eot; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/Embedded_OpenType; classtype:misc-activity; sid:24484; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY rmf file download request"; flow:established,to_client; file_data; content:"IREZ",depth 4; flowbits:set,file.rmf; flowbits:noalert; service:http; service:imap, pop3; reference:bugtraq,39077; reference:cve,2010-0842; classtype:attempted-user; sid:24509; rev:3; )
+alert tcp $HOME_NET 143 -> $EXTERNAL_NET any ( msg:"FILE-IDENTIFY Alt-N MDaemon IMAP Server"; flow:to_client,established; content:"MDaemon"; flowbits:set,server.mdaemon; flowbits:noalert; service:imap; reference:bugtraq,28245; reference:cve,2008-1358; reference:url,files.altn.com/MDaemon/Release/RelNotes_en.txt; classtype:attempted-admin; sid:24599; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP4 file magic detected"; flow:to_client,established; file_data; content:"ftypiso",depth 7,offset 4; content:"mp4",within 3,distance 5; flowbits:set,file.mp4; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:24816; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY MP4 file magic detected"; flow:to_server,established; file_data; content:"ftypiso",depth 7,offset 4; content:"mp4",within 3,distance 5; flowbits:set,file.mp4; flowbits:noalert; service:smtp; classtype:misc-activity; sid:24817; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V",depth 7,offset 4,nocase; flowbits:set,file.m4v; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:24818; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_server,established; file_data; content:"ftypM4V",depth 7,offset 4,nocase; flowbits:set,file.m4v; flowbits:noalert; service:smtp; classtype:misc-activity; sid:24819; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Computer Graphics Metafile file download request"; flow:to_server,established; http_uri; content:".cgm",fast_pattern,nocase; pcre:"/\x2ecgm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cgm; flowbits:noalert; service:http; classtype:misc-activity; sid:24820; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Computer Graphics Metafile file attachment detected"; flow:to_client,established; content:".cgm"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ecgm\x22/i"; flowbits:set,file.cgm; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:24821; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Computer Graphics Metafile file attachment detected"; flow:to_server,established; content:".cgm"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ecgm\x22/i"; flowbits:set,file.cgm; flowbits:noalert; service:smtp; classtype:misc-activity; sid:24822; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JNLP file download request"; flow:to_server,established; http_uri; content:".jnlp"; pcre:"/\x2ejnlp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jnlp; flowbits:noalert; service:http; classtype:misc-activity; sid:24901; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JNLP file attachment detected"; flow:to_client,established; content:"jnlp"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ejnlp\x22/i"; flowbits:set,file.jnlp; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:24902; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JNLP file attachment detected"; flow:to_server,established; content:"jnlp"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ejnlp\x22/i"; flowbits:set,file.jnlp; flowbits:noalert; service:smtp; classtype:misc-activity; sid:24903; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected"; flow:to_server,established; flowbits:isnotset,file.msi; flowbits:isset,file.ole|file.oless.v3; flowbits:isset,file.exe; file_data; content:"This program cannot be run in DOS"; flowbits:set,file.msi; service:smtp; classtype:misc-activity; sid:25062; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple Quicktime Targa Image file download request"; flow:to_server,established; http_uri; content:".tga",fast_pattern,nocase; pcre:"/\x2etga([\?\x5c\x2f]|$)/smi"; flowbits:set,file.tga; flowbits:noalert; service:http; classtype:misc-activity; sid:25373; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Apple Quicktime Targa Image file attachment detected"; flow:to_client,established; content:".tga"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2etga\x22/i"; flowbits:set,file.tga; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:25374; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Apple Quicktime Targa Image file attachment detected"; flow:to_server,established; content:".tga"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2etga\x22/i"; flowbits:set,file.tga; flowbits:noalert; service:smtp; classtype:misc-activity; sid:25375; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; http_header; content:"application/octet-stream",fast_pattern,nocase; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smi"; file_data; pkt_data; content:"MZ",within 2; flowbits:set,file.exe; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:25513; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; http_header; content:"application/x-msdos-program",fast_pattern,nocase; pcre:"/^Content-Type\x3a[\x20\x09]+application\/x-msdos-program/smi"; file_data; pkt_data; content:"MZ",within 2; flowbits:set,file.exe; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:25514; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; flowbits:set,file.exe; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:25515; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isset,file.ole|file.oless.v3; flowbits:isset,file.exe; file_data; content:"This program cannot be run in DOS"; flowbits:set,file.msi; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:25516; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Csound audio file file download request"; flow:to_server,established; http_uri; content:".csd"; pcre:"/\x2ecsd([\?\x5c\x2f]|$)/smi"; flowbits:set,file.csd; flowbits:noalert; service:http; classtype:misc-activity; sid:25604; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Csound audio file file attachment detected"; flow:to_client,established; content:".csd"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ecsd\x22/i"; flowbits:set,file.csd; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:25605; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Csound audio file file attachment detected"; flow:to_server,established; content:".csd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=(?P<q1>\x22|\x27|)[^\x22\x27\r\n]*?\x2ecsd(?P=q1)/i"; flowbits:set,file.csd; flowbits:noalert; service:smtp; classtype:misc-activity; sid:25606; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".ogg",fast_pattern,nocase; pcre:"/\x2eogg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; service:http; classtype:misc-activity; sid:25928; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogg"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogg\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:25929; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".ogg"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogg\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:25930; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".ogv",fast_pattern,nocase; pcre:"/\x2eogv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; service:http; classtype:misc-activity; sid:25931; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogv\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:25932; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".ogv"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogv\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:25933; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".oga",fast_pattern,nocase; pcre:"/\x2eoga([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; service:http; classtype:misc-activity; sid:25934; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".oga"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eoga\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:25935; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".oga"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eoga\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:25936; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".ogx",fast_pattern,nocase; pcre:"/\x2eogx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; service:http; classtype:misc-activity; sid:25937; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogx\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:25938; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".ogx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogx\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:25939; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".spx",fast_pattern,nocase; pcre:"/\x2espx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; service:http; classtype:misc-activity; sid:25940; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".spx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2espx\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:25941; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".spx"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2espx\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:25942; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".opus",fast_pattern,nocase; pcre:"/\x2eopus([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; service:http; classtype:misc-activity; sid:25943; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".opus"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eopus\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:25944; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".opus"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eopus\x22/i"; flowbits:set,file.ogg; flowbits:noalert; service:smtp; classtype:misc-activity; sid:25945; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY ZIP file download detected"; flow:to_client,established; file_data; content:"PK|03 04 14 00 06 00|",depth 8; flowbits:set,file.zip; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:26057; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; file_data; content:"PK|03 04 14 00 06 00|",depth 8; flowbits:set,file.zip; flowbits:noalert; service:smtp; classtype:misc-activity; sid:26058; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Internet Explorer HTML Component file download request"; flow:to_server,established; http_uri; content:".htc",fast_pattern,nocase; pcre:"/\x2ehtc([\?\x5c\x2f]|$)/smi"; flowbits:set,file.htc; flowbits:noalert; service:http; classtype:misc-activity; sid:26126; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Internet Explorer HTML Component file attachment detected"; flow:to_client,established; content:".htc"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ehtc[\x22\x27\s]/si"; flowbits:set,file.htc; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:26127; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Internet Explorer HTML Component file attachment detected"; flow:to_server,established; content:".htc"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ehtc[\x22\x27\s]/si"; flowbits:set,file.htc; flowbits:noalert; service:smtp; classtype:misc-activity; sid:26128; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|00 10|JFIF"; flowbits:set,file.jpeg; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:26251; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Flash Player embedded compact font detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"CFF"; content:"DEF",within 3,distance 14; content:"GSUB",within 4,distance 12; flowbits:set,file.swf.cff; flowbits:noalert; service:http; service:imap, pop3; reference:url,en.wikipedia.org/wiki/PostScript_fonts#Compact_Font_Format; classtype:misc-activity; sid:25680; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Adobe Flash Player embedded compact font detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"CFF"; content:"DEF",within 3,distance 14; content:"GSUB",within 4,distance 12; flowbits:set,file.swf.cff; flowbits:noalert; service:smtp; reference:url,en.wikipedia.org/wiki/PostScript_fonts#Compact_Font_Format; classtype:misc-activity; sid:25682; rev:3; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Metalink File file attachment detected"; flow:to_client,established; content:".metalink"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2emetalink[\x22\x27\s]/si"; flowbits:set,file.metalink; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:26422; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Metalink File file attachment detected"; flow:to_server,established; content:".metalink"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2emetalink[\x22\x27\s]/si"; flowbits:set,file.metalink; flowbits:noalert; service:smtp; classtype:misc-activity; sid:26423; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Metalink File file download request"; flow:to_server,established; http_uri; content:".metalink"; pcre:"/\x2emetalink([\?\x5c\x2f]|$)/smi"; flowbits:set,file.metalink; flowbits:noalert; service:http; classtype:misc-activity; sid:26424; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Stream redirector file attachment detected"; flow:to_client,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2easx[\x22\x27\s]/si"; flowbits:set,file.asx; flowbits:noalert; service:imap; service:pop3; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26456; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Stream redirector file attachment detected"; flow:to_server,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2easx[\x22\x27\s]/si"; flowbits:set,file.asx; flowbits:noalert; service:smtp; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26457; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Stream redirector file download request"; flow:to_server,established; content:".asx"; http_uri; pcre:"/\x2easx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; service:http; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26458; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY maplet file download attempt"; flow:to_server,established; http_uri; content:"|2E|maplet"; pcre:"/\x2Emaplet([\?\x5c\x2f]|$)/smi"; flowbits:set,file.maplet; flowbits:noalert; service:http; classtype:misc-activity; sid:26514; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY maplet file attachment detected"; flow:to_client,established; content:".maplet"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emaplet\x22/i"; flowbits:set,file.maplet; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:26515; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY maplet file attachment detected"; flow:to_server,established; content:".maplet"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emaplet\x22/i"; flowbits:set,file.maplet; flowbits:noalert; service:smtp; classtype:misc-activity; sid:26516; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY maplet bin file download attempt"; flow:to_server,established; http_uri; content:"|2E|bin"; pcre:"/\x2Ebin([\?\x5c\x2f]|$)/smi"; flowbits:set,file.maplet.bin; flowbits:noalert; service:http; classtype:misc-activity; sid:26517; rev:2; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY maplet bin file attachment detected"; flow:to_client,established; content:".bin"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emaplet\x22/i"; flowbits:set,file.maplet.bin; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:26518; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY maplet bin file attachment detected"; flow:to_server,established; content:"maple.bin"; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emaplet\x22/i"; flowbits:set,file.maplet.bin; flowbits:noalert; service:smtp; classtype:misc-activity; sid:26519; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Android APK download request"; flow:to_server,established; http_uri; content:".apk"; pcre:"/\x2eapk([\?\x5c\x2f]|$)/smi"; flowbits:set,file.apk; flowbits:noalert; service:http; classtype:misc-activity; sid:26902; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Android APK download file attachment detected"; flow:to_client,established; content:".apk"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2eapk[\x22\x27\s]/si"; flowbits:set,file.apk; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:26903; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"FILE-IDENTIFY Android APK download file attachment detected"; flow:to_server,established; content:".apk"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2eapk[\x22\x27\s]/si"; flowbits:set,file.apk; flowbits:noalert; service:smtp; classtype:misc-activity; sid:26904; rev:1; )
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Trimble SketchUp file attachment detected"; flow:to_client,established; content:".skp"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2eskp[\x22\x27\s]/si"; flowbits:set,file.skp; flowbits:noalert; service:imap; service:pop3; classtype:misc-activity; sid:27275; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"FILE-IDENTIFY Trimble SketchUp file attachment detected"; flow:to_server,established; content:".skp"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2eskp[\x22\x27\s]/si"; flowbits:set,file.skp; flowbits:noalert; service:smtp; classtype:misc-activity; sid:27276; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Trimble SketchUp file download request"; flow:to_server,established; http_uri; content:".skp"; pcre:"/\x2eskp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.skp; flowbits:noalert; service:http; classtype:misc-activity; sid:27277; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Python bytecode file magic detected"; flow:to_client,established; file_data; content:"|03 F3 0D 0A|",depth 4; flowbits:set,file.pyc; flowbits:noalert; service:http; service:imap, pop3; classtype:misc-activity; sid:27542; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"FILE-IDENTIFY Python bytecode file magic detected"; flow:to_server,established; file_data; content:"|03 F3 0D 0A|",depth 4; flowbits:set,file.pyc; flowbits:noalert; service:smtp; classtype:misc-activity; sid:27543; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Oracle Java Web Start Splashscreen GIF decoding buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|46 38 39 61 FF FF FF FF B3 FF 00 FF FF FF CD CD CD A6 A6 A3 0E 0D 0D 05 05 83 ED EC EC AB AB B4|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-2086; classtype:attempted-user; sid:17395; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Sun Microsystems Java gif handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|F9 04 01 00 00 10 00|,|00 00 00 00 00 00 90 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:16000; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; byte_test:4,>,59000,0,relative,big; byte_test:4,>,32000,4,relative,big; byte_test:1,>,7,8,relative; content:"|06|",within 1,distance 9; content:"|01|",within 1,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3126; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16186; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",fast_pattern; content:"tEXt",distance 0; byte_test:4,>,10000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:cve,2009-2501; reference:cve,2012-5470; reference:cve,2013-1331; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-062; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-051; classtype:attempted-user; sid:6700; rev:18; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime PictureViewer buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|4A 46 49 46|"; content:"|EB 06 44 00|",distance 0; content:"|42 42 42 42|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18600; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime PictureViewer buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|4A 46 49 46|"; content:"|B8 EC 12 00|",within 4,distance 269; content:"|42 42 42 42|",within 4,distance 37; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18599; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Adobe tiff oversized image length attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|14 01 00 00 01 01 04 00 01 00 00 00 01 01 01 01 02 01 03 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2995; classtype:attempted-user; sid:16321; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|",depth 8,offset 278; content:"|02 01 03 00 04 00 00 00 16 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:21160; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|",depth 8,offset 266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16184; rev:11; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|",depth 8,offset 278; content:"|02 01 03 00 04 00 00 00 16 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23590; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|",depth 8,offset 266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23589; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Adobe Photoshop TIFF malicious SGILOG-compressed data attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|61 64 63 62 61 64 63 62 61 64 63 62 61 64 63 62 61 64 63 62 61|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.protekresearchlab.com/index.php?option=com_content&view=article&id=40&Itemid=40; classtype:attempted-user; sid:21948; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"FILE-IMAGE CUPS Gif Decoding Routine Buffer Overflow attempt"; flow:to_server,established; content:"GIF89a"; content:"|3A 00 0B 00 00 0D 2C 00 FF|",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,28544; reference:cve,2008-1373; classtype:attempted-user; sid:17558; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime uncompressed PICT stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|",distance 0,fast_pattern; content:"|82 01|",distance 0; byte_test:4,<,50,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,26344; reference:cve,2007-4672; classtype:attempted-user; sid:12757; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|01 00 09 00|"; pcre:"/(\x40\x09.{19}|\x41\x0b.{23})[\xf0-\xff].{8}\x01\x00[\x00\x01\x02\x04\x08\x10\x18\x20]\x00/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:15105; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows Flashpix graphics filter fpx32.flt remote code execution attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FE FF 00 00|"; content:"|00 64 61 56 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B 01 00 00 00 00 64 61 56 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B|",within 36,distance 4; byte_jump:4,0,relative,little; byte_test:4,>,0,-44,relative; content:"|00 00 00 00|",within 4,distance -40; byte_jump:4,0,relative,little; byte_test:4,>,0x100,-8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3951; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18237; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime FlashPix Movie file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|00 01 00 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B 01 00 00 00|"; byte_test:4,>,0x0FFFFFFF,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,39020; reference:cve,2010-0519; classtype:attempted-user; sid:18510; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft FlashPix tile length overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FF 5F 00 00 02 00 00 00 00 11 01 FE 56 0B 00 00 3C 0A 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3952; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18229; rev:11; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iCCP",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22109; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22108; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"zTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22107; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iCCP",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22106; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; content:"|00|",within 79,distance 12; content:"|01|",within 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22105; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"zTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22104; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x7ffffff,-8,relative; content:"|00|",within 79,distance 12; content:"|00|",within 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:25065; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; content:"|00|",within 79,distance 12; content:"|00|",within 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http, smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:25066; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|",depth 4; content:"8BIM",within 4,distance 16; content:"|04 0C|",within 2; content:"|FF D8 FF ED|",distance 0; content:"8BIM",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:17390; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_server; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|",depth 4; content:"8BIM",within 4,distance 16; content:"|04 0C|",within 2; content:"|FF D8 FF ED|",distance 0; content:"8BIM",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26372; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_server; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|",depth 4; content:"8BIM",within 4,distance 16; content:"|04 09|",within 2; content:"|FF D8 FF ED|",distance 0; content:"8BIM",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26373; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|",depth 4; content:"8BIM",within 4,distance 16; content:"|04 09|",within 2; content:"|FF D8 FF ED|",distance 0; content:"8BIM",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26374; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",fast_pattern; content:"tEXt",distance 0; byte_test:4,>,10000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:cve,2009-2501; reference:cve,2012-5470; reference:cve,2013-1331; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-062; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-051; classtype:attempted-user; sid:26865; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java XGetSamplePtrFromSnd memory corruption attempt"; flow:to_server,established; flowbits:isset,file.rmf; file_data; content:"|1B 37 D6 E1 89 5F AB 9C 2E 1B 0D 49 A0 7B 89 8E C1 DE DE 86 17 22 12 1C 6F CC F1 CB AD EF 90 18|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,46394; reference:cve,2010-4462; classtype:attempted-user; sid:24511; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_server,established; file_data; content:"single.class|6D 52 5D 53 D3 50 10 3D B7 4D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26717; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_client,established; file_data; content:"single.class|6D 52 5D 53 D3 50 10 3D B7 4D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26716; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java runtime JMX findclass sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|5B C7 59 FF 46 2B ED 9B 95 65 7B 3D EB B5 AD D8|"; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,57563; reference:cve,2013-0431; classtype:attempted-admin; sid:26588; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java runtime JMX findclass sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/jmx/mbeanserver/Introspector"; content:"findClass"; content:"com.sun.jmx.mbeanserver.MBeanInstantiator"; content:"declaredMethods"; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,57563; reference:cve,2013-0431; classtype:attempted-admin; sid:26587; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Union1.class"; content:"Union2.class"; content:"SystemClass.class"; metadata:policy balanced-ips alert,policy security-ips drop; service:smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26552; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; file_data; content:"|70 01 00 10|findStaticSetter|01 00 55 28|"; metadata:policy balanced-ips alert,policy security-ips drop; service:smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26551; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; file_data; content:"|70 01 00 10|findStaticSetter|01 00 55 28|"; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26550; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Union1.class"; content:"Union2.class"; content:"SystemClass.class"; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26549; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|0A C6 07 80 C3 B8 8D 0D A9 AB 8F B8 45 25 F0 1D|"; metadata:policy balanced-ips alert,policy security-ips drop; service:smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26500; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|0A C6 07 80 C3 B8 8D 0D A9 AB 8F B8 45 25 F0 1D|"; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26499; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; file_data; content:"disableSecurityManager"; content:"java/lang/reflect/Field",nocase; content:"getSecurityManager",nocase; metadata:policy balanced-ips alert,policy security-ips drop; service:smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26487; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; file_data; content:"disableSecurityManager"; content:"java/lang/reflect/Field",nocase; content:"getSecurityManager",nocase; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26486; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|DD FE 53 3A 55 5B 3E 97 24 FD 19 31 34 97 2F B2 3E BD 4E D7 AD 50 CC 1C F2 C4 A3 43 E0 2C 6F 29|"; metadata:policy balanced-ips alert,policy security-ips drop; service:smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26485; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|DD FE 53 3A 55 5B 3E 97 24 FD 19 31 34 97 2F B2 3E BD 4E D7 AD 50 CC 1C F2 C4 A3 43 E0 2C 6F 29|"; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26484; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java known malicious jar file download - specific structure"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"Foo.class"; content:"trash/A.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:26439; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Jar file downloaded when zip is defined"; flow:to_client,established; http_header; content:"filename="; content:".zip|0D 0A|",distance 0; file_data; pkt_data; content:"PK",depth 2; content:".class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26292; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java 2D ImagingLib ConvolveOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/Kernel|3B 29|V|01 00 06|filter|01 00|"; content:"|00 1A 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26200; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java 2D ImagingLib LookupOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/RenderingHints|3B 29|V|01 00 06|filter|01 00|"; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26199; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26198; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java 2D ImagingLib ConvolveOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/Kernel|3B 29|V|01 00 06|filter|01 00|"; content:"|00 1A 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26197; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java 2D ImagingLib LookupOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/RenderingHints|3B 29|V|01 00 06|filter|01 00|"; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26196; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26195; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java Gmbal package sandbox breach attempt"; flow:to_server,established; file_data; content:"GenericConstructor",nocase; content:"sun.invoke.anon",nocase; content:"ManagedObjectManagerFactory"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,osvdb.org/show/osvdb/76500; reference:url,osvdb.org/show/osvdb/86363; classtype:attempted-user; sid:26186; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Gmbal package sandbox breach attempt"; flow:to_client,established; file_data; content:"GenericConstructor",nocase; content:"sun.invoke.anon",nocase; content:"ManagedObjectManagerFactory"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,osvdb.org/show/osvdb/76500; reference:url,osvdb.org/show/osvdb/86363; classtype:attempted-user; sid:26185; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; content:"JmxMBeanServerBuilder"; content:"invokeWithArguments"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25834; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java malicious class download attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"exploit",nocase; content:".classPK",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,53960; reference:bugtraq,57246; reference:cve,2012-1723; reference:cve,2013-0422; classtype:attempted-user; sid:25833; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"B.classPK"; content:"PK",distance -800; pcre:"/^\x01\x02.{0,50}[a-zA-Z]{10}\x2fPK.{0,50}[a-zA-Z]{10}\x2f[a-zA-Z]{7}\.classPK/sR"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,57246; reference:cve,2013-0422; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25832; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; content:"JmxMBeanServerBuilder"; content:"invokeWithArguments"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25831; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java malicious class download attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"exploit",nocase; content:".classPK",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,53960; reference:bugtraq,57246; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; classtype:attempted-user; sid:25830; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java obfuscated jar file download attempt"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"Obfuscation by Allatori Obfuscator"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:25562; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"B.classPK"; content:"PK",distance -800; pcre:"/^\x01\x02.{0,50}[a-zA-Z]{10}\x2fPK.{0,50}[a-zA-Z]{10}\x2f[a-zA-Z]{7}\.classPK/sR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,57246; reference:cve,2013-0422; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25472; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"exploit/",nocase; content:".class",within 20,nocase; pcre:"/exploit\/(Exploit(App)?|Loader)\.class/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:cve,2012-4681; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25123; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"poc/",nocase; content:".class",within 20,nocase; pcre:"/poc\/(Exploit|myClassLoader|pocMain|runCmd)\.class/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25122; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"msf/x/PayloadX$StreamConnector.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25121; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle JavaScript heap exploitation library usage attempt"; flow:to_server,established; file_data; content:"heapLib.ie.prototype.freeOleaut32"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-0779; reference:cve,2012-4969; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:attempted-user; sid:25006; rev:3; )
+alert tcp any any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java Runtime true type font idef opcode heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar|file.class|file.ttf; file_data; content:"|00 01 00 00|",depth 4; content:"|89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-0499; reference:url,osvdb.org/show/osvdb/79226; classtype:attempted-user; sid:24915; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime true type font idef opcode heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar|file.class|file.ttf; file_data; content:"|00 01 00 00|",depth 4; content:"|89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0499; reference:url,osvdb.org/show/osvdb/79226; classtype:attempted-user; sid:24701; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java XGetSamplePtrFromSnd memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rmf; file_data; content:"|1B 37 D6 E1 89 5F AB 9C 2E 1B 0D 49 A0 7B 89 8E C1 DE DE 86 17 22 12 1C 6F CC F1 CB AD EF 90 18|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,46394; reference:cve,2010-4462; classtype:attempted-user; sid:24510; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime AWT setDiffICM stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 0B 28|II[B[B[B|29|V|01 00 0A|setDiffICM|01 00|S|28|II"; content:"|0A|,|10 0A 11 01 90 BB 00 17|Y|10 10 08 08 BC|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36881; reference:cve,2009-3869; classtype:attempted-user; sid:16288; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow attempt"; flow:to_client,established; http_header; content:"Content-Encoding|3A|",nocase; content:"pack200-gzip",within 20,nocase; file_data; pkt_data; content:"|CA FE D0 0D|"; content:"|C5 FC FC FC FC 00 D6|",within 50,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32608; reference:cve,2008-5352; classtype:misc-attack; sid:17562; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Web Start JNLP attribute buffer overflow attempt"; flow:to_client,established; file_data; content:"<j2se",nocase; pcre:"/\x3cj2se[^\x3e]*(initial|max)-heap-size\s*\x3d\s*(\x22|\x27)[^\x22\x27]{50}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:13950; rev:9; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"launchjnlp",fast_pattern,nocase; content:"docbase",within 100,nocase; isdataat:80,relative; pcre:"/^([\x22\x27]\s*value)?\s*=\s*\x22[^\x22]{70}/Rsmi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:18244; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime AWT setDiffICM stack buffer overflow attempt"; flow:to_client,established; file_data; content:"AppletX"; pcre:"/\x3C\s*applet[^\x3E\n$]*code\s*=\s*[\x27\x22]AppletX[\x22\x27][^\x3E\n$]*archive\s*=\s*[\x22\x27][^\s\x3E\n$]{32}\x2Ejar[\x22\x27]/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36881; reference:cve,2009-3869; classtype:attempted-user; sid:19926; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-JAVA Oracle Java Web Start BasicServiceImpl security policy bypass attempt"; flow:to_server,established; http_uri; content:"java.security.policy"; pcre:"/jnlp\x22\x09\x22-J-Djava\.security\.policy/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43999; reference:cve,2010-3563; classtype:attempted-user; sid:20430; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"launchjnlp",fast_pattern,nocase; content:"docbase",within 100,nocase; isdataat:80,relative; pcre:"/^([\x22\x27]\s*value)?\s*=\s*\x27[^\x27]{70}/Rsmi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:20444; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle JavaScript heap exploitation library usage attempt"; flow:to_client,established; file_data; content:"heapLib.ie.prototype.freeOleaut32"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0779; reference:cve,2012-4969; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:attempted-user; sid:23614; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|51 DB 6A 4F B5 16 EF 52 DB D4 AA 15 43 BB 89 C6 AB D5 06 B5 97 D6 AA D5 D6 A3 F5 D6 DE AD F5 96|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,osvdb.org/show/osvdb/86363; classtype:attempted-admin; sid:24026; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"AccessControlContext"; pcre:"/AccessControlContext\s*?(?P<var>\w*)\s*?=\s*?new\s*?AccessControlContext.*?SetField\x28Statement\.class,\s*?(?P<quotes1>\x22|\x27)acc(?P=quotes1),\s*?localStatement,\s*?(?P=var)/smi"; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24028; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Trigger.class"; pcre:"/(DisableSandboxAndDrop|ConfusedClass|FieldAccessVerifierExpl)\.class/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:24201; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Trigger.class"; pcre:"/(DisableSandboxAndDrop|ConfusedClass|FieldAccessVerifierExpl)\.class/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:24202; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|65 38 5C 78 65 61 5C 78 39 39 5C 78 31 39 5C 74 5C 78 61 35 33 5C 78 66 64 5B 5C 78 64 39 5C 78|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24126; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|65 38 5C 78 65 61 5C 78 39 39 5C 78 31 39 5C 74 5C 78 61 35 33 5C 78 66 64 5B 5C 78 64 39 5C 78|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24125; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|71 CE 4E 75 4D BD 4B 75 9C 44 B4 63 27 77 A7 84 92 2D DF 59 4E 73 E2 F4 DE AB D3 BB D3 BB F2 17|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24085; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|71 CE 4E 75 4D BD 4B 75 9C 44 B4 63 27 77 A7 84 92 2D DF 59 4E 73 E2 F4 DE AB D3 BB D3 BB F2 17|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24084; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment JAR File Processing Stack Buffer Overflow"; flow:to_client,established; file_data; content:"|1D 79 05 13 28 88 55 51 C2 A4 84 29 05 12 0C 19|"; content:"|F1 2B C6 40 A1 3D C6 60 81 A8 5D 28 34 30 44 06|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,32608; reference:cve,2008-5354; classtype:attempted-user; sid:17563; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow"; flow:to_client,established; content:"Content-Encoding: pack200-gz",nocase; content:"|9A 10 3A C7 39 E2 E6 DE BE F7 71 BA 7C 22 5E D7|"; content:"|49 F4 EF C7 73 9F 9B 9C 8B 32 A7 88 58 FF 13 31|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,34240; reference:cve,2009-1095; classtype:attempted-user; sid:17522; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:to_client; flowbits:isset,file.psfont; file_data; content:"|CF F9 2A 69 CE 32 21 93 B1 0D 9E 89 77 CD DD 58 3A C0 0C 33 A1 9F A4 4C E9 D0 66 FB CD 2D F1 B8 3E F8 FF 09 7D 7E 94 CA 6C 78 5C 7E FF 42 D1 B8|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17623; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"atomic"; content:"AtomicReferenceArray",within 20,distance 1; metadata:policy balanced-ips alert,policy security-ips alert; service:http, imap, pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21666; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"|35 37 32 37 32 36 35 36 45 37 34 32 45 36 31 37 34 36 46 36 44 36 39 36|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21665; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"|33 36 35 37 30 37 34 36 39 36 46 01 00 2C 36 45 30 31 30 30 30 36 36 31|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21664; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|6B 78 9E B5 D6 F6 FF F1 FF FC 6F FF FB 97 2F 5F EC 5F FE EF 83 2F 42 C1 97 E3 6E 8B FF 67 FD F3|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24058; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|6B 78 9E B5 D6 F6 FF F1 FF FC 6F FF FB 97 2F 5F EC 5F FE EF 83 2F 42 C1 97 E3 6E 8B FF 67 FD F3|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24057; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|D3 2D 69 D2 25 D3 76 9A A6 4D 9B A6 49 DA A4 CD D2 C9 D2 E9 B4 4D 9C 73 05 78 C3 6F DE E4 AF 9A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24056; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|D3 2D 69 D2 25 D3 76 9A A6 4D 9B A6 49 DA A4 CD D2 C9 D2 E9 B4 4D 9C 73 05 78 C3 6F DE E4 AF 9A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24055; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|1F 8B 08 08 D4 73 61 49 00 03 65 2E 70 61 63 6B 00 ED CE 3B 4B 03 41 10 00 E0 D9 7B C7 3B 15 63 63 2D 16 8A 8F D3 68 17 11 22 E4 34 21 31 82 31|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17624; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|B1 00 02 00 06 00 20 00 23 00 48 00 04 00 3E 00 45 00 48 00 00 00 09 00 16 00 4A 00 01 00 0B 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23277; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|07 02 36 0B 43 07 02 39 0B 43 07 02 3C 0B 43 07 02 3F 0B 43 07 02 42 0B 43 07 02 45 0B 43 07 02|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23276; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|00 01 00 0B 00 00 00 3D 00 06 00 02 00 00 00 1C 04 3C 2A B2 00 12 B2 00 18 1B 04 64 B2 00 18 BE|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23275; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|00 25 B6 00 12 B8 00 2B A7 00 08 4C 2B B6 00 31 B1 00 01 00 00 00 30 00 33 00 36 00 02 00 0A 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23274; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; flowbits:isset,file.zip; file_data; content:".classPK",nocase; pcre:"/(sIda\/sId|urua\/uru)[abcd]\.classPK/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23273; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Zip file directory record overflow attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|05 06|"; byte_test:2,=,0,6,relative,little; byte_test:4,=,46,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,52013; reference:cve,2012-0501; reference:url,osvdb.org/show/osvdb/79228; classtype:attempted-user; sid:23243; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Applet remote code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Exploit.class"; content:"Payload.class",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-3544; reference:cve,2012-5076; reference:url,osvdb.org/show/osvdb/76500; reference:url,osvdb.org/show/osvdb/86363; classtype:attempted-user; sid:20622; rev:10; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java Zip file directory record overflow attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|05 06|"; byte_test:2,=,0,6,relative,little; byte_test:4,=,46,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,52013; reference:cve,2012-0501; reference:url,osvdb.org/show/osvdb/79228; classtype:attempted-user; sid:23560; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java attempt to write in system32"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/io/FileInputStream",nocase; content:"|5C|system32|5C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:policy-violation; sid:21056; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Applet disable security manager attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"DisableSecurityManagerAction.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,osvdb.org/show/osvdb/94346; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27076; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java Applet disable security manager attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"DisableSecurityManagerAction.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,osvdb.org/show/osvdb/94346; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27077; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"ExploitApp.classPK"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,osvdb.org/show/osvdb/94346; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27190; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"ExploitApp.classPK"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,osvdb.org/show/osvdb/94346; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27191; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|55 12 FE 3F 35 F2 C0 00 00 00 0B 01 03 0A B1 54 0D 02 4A E3 17 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,23650; reference:cve,2007-2295; classtype:attempted-user; sid:17531; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime PDAT Atom parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|00 00 00 01 0F 00 00 00 FE B4 00 00 FE 01 1A C4 42 01 1A C4 41 1A EC EC 42 81 1A C4 43 81 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-3625; reference:url,support.apple.com/kb/HT3027; classtype:attempted-user; sid:17381; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow QuickTime file stsc atom parsing heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stbl"; content:"stsd",within 4,distance 4; content:"ima4",distance 8; content:"stsc",distance 0; byte_jump:4,4,relative,multiplier 12,big; isdataat:7,relative; content:!"stsz",within 4,distance 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-1538; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15682; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime movie record invalid version number exploit attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"mvhd|FF|",within 5,distance 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0956; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15480; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stts"; content:"|00 00 00 00 00 00 00 01 EE 00 00 26 00 00 04 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17612; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stss"; content:"|00 00 00 00 00 00 00 03 00 00 00 01 00 FF FF FF|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17611; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"ctts"; content:"|00 00 00 00 00 00 00 8F 00 00 00 01 00 00 00 14 00 FF FF FF|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17610; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime udta atom parsing heap overflow vulnerability"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"udta"; content:"|A9|nam|FF|",distance 0; byte_test:2,>,251,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,22844; reference:cve,2007-0714; classtype:attempted-user; sid:17372; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom cprt field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"cprt|00|",nocase; content:"|00 00 00 0D|",within 4,distance -9; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21342; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom 'dscp' field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"dscp|00|",nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21341; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom 'titl' field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"titl|00|",nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21340; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom auth field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"auth|00|",nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21339; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player RealText buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"<time ",nocase; pcre:"/\x3ctime\x20[^\x3e]*(begin|end)\x3d\x22[^\x22]{13}/Osmi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-5036; classtype:attempted-user; sid:15166; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; flowbits:isset,file.mp3; file_data; content:"|FF FA 92 60 3C 6F|"; content:"|FF FA 92 C9 B9 56|",within 6,distance 412,fast_pattern; content:"|A9 00 04 48 58 DC E1 83 4B 68 32 01 9B BC 04 A3 27 0E A5 3D 71 66 0D 2D A8 D3 84 AF 3C 14 88 94 3E 89 CA BF 80 9C|",within 38; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:17117; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA FFmpeg OGV file format memory corruption attempt"; flow:to_client,established; file_data; content:"OggS",depth 4; content:"|82|theora",distance 0; byte_test:1,!&,0xE0,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,36465; reference:cve,2009-4631; reference:cve,2009-4632; reference:cve,2009-4633; reference:cve,2009-4634; reference:cve,2009-4635; reference:cve,2009-4636; reference:cve,2009-4637; reference:cve,2009-4638; reference:cve,2009-4639; reference:cve,2009-4640; reference:url,secunia.com/advisories/36805; classtype:attempted-user; sid:16353; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player WAV processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wav; file_data; content:"RIFF"; content:"WAVEfmt",distance 4; byte_test:4,>,0xfffffffc,1,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,30058; reference:cve,2008-2430; classtype:misc-activity; sid:15080; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC real.c ReadRealIndex real demuxer integer overflow attempt"; flow:to_client,established; flowbits:isset,file.realmedia; file_data; content:"INDX"; byte_test:4,>,0x15555554,6,relative,big; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,32545; reference:cve,2008-5276; classtype:attempted-user; sid:15241; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime SMIL qtnext redirect file execution attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"qt|3A|next"; pcre:"/qt\x3anext\s*\x3d\s*\x22\s*file\x3a\x2f{3}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,29650; reference:cve,2008-1585; classtype:attempted-user; sid:15487; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks SMIL wallclock stack overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smi",nocase; content:"wallclock|28|"; pcre:"/^[^\x29]*\x2E[0-9]{11}/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,24658; reference:cve,2007-3410; classtype:attempted-user; sid:12728; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format interchange data integer overflow attempt"; flow:to_client,established; file_data; content:"35907DE0-E415-11CF-A917-00805F5C442B"; byte_test:2, >, 65476, 52, relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13158; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format audio error masking integer overflow attempt"; flow:to_client,established; file_data; content:"49F1A440-4ECE-11d0-A3AC-00A0C90348F6"; byte_jump:4, 8, relative; byte_test:2, >, 65527, 14, relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13159; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming audio spread error correction data length integer overflow attempt"; flow:to_client,established; file_data; content:"BFC3CD50-618F-11CF-8BB2-00AA00B4E220"; byte_test:4, >, 65522, 12, relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13160; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|06 AF E1 00 EC 7B D1 11 A5 82 00 C0 4F C2 9C FB|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19450; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19449; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media pixel aspect ratio header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19448; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media content type header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19447; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media file name header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19446; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media Timecode header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19445; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media sample duration header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19444; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|06 AF E1 00 EC 7B D1 11 A5 82 00 C0 4F C2 9C FB|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23576; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23575; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media pixel aspect ratio header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23574; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media content type header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23573; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media file name header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23572; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media Timecode header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23571; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows Media sample duration header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23570; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow GraphEdt closed captioning memory corruption"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|52 49 46 46 F8 C1 4E 0E 41 56 49 20 4C 49 53 54 90 7C 01 00 68 64 72 6C 61 76 69 68 38 00 00 00 56 82 00 00 5D FA 4C 01 00 02 00 00 10 08 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0004; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:21078; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Cinepak Codec VIDC decompression remote code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|00 00 00 1B 00 00 B0 00 90 00 8F 10 00 00 30 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,42256; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-055; classtype:attempted-user; sid:19403; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|32 32 32 32 32 32 FF C0 00 0B 08 00 F0 01 40 01 9C 11 01 FF DD 00 04 00 00 FF C4 00 9F 01 72 12 00 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,40432; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:19146; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA AVI file chunk length integer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"AVI LIST",depth 8,offset 8; content:"hdrlavih",within 8,distance 4; content:"INFO",distance 0; byte_extract:4,4,chunk_size,relative,little; isdataat:!chunk_size; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-3834; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:21168; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Visual Basic 6.0 malformed AVI buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI ",within 4,distance 4; content:"strf"; byte_test:4,>,1088,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-4255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15104; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; flow:to_client,established,only_stream; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST",within 8,distance 4; content:"hdrlavih8|00 00 00|",within 12,distance 4; isdataat:!56,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:16342; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile media file processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST",within 8,distance 4; content:"hdrlavih",within 8,distance 4; byte_test:4,!=,56,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:15854; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed avi file mjpeg compression arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"P.|00 00 10|'|00 00 00 00 00 00 00 00 00 00|@|01 F0 00|strf|28 00 00 00 28 00 00 00|@|00 00 00 F0 00 00 00 01 00 18 00|MJPG|00 84|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:15995; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|8E 8C 8B 8E 8C 8B 8E 8C 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C FF C4 00 9F 01 72 12 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:16661; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Cinepak Codec VIDC decompression remote code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"00dc|52 0A 00 00 01 00 0A 52 00 50 00 3C 55 55 11 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-055; classtype:attempted-user; sid:17128; rev:11; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; flow:to_server,established,only_stream; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST",within 8,distance 4; content:"hdrlavih8|00 00 00|",within 12,distance 4; isdataat:!56,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:23569; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile media file processing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST",within 8,distance 4; content:"hdrlavih",within 8,distance 4; byte_test:4,!=,56,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:23568; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime|file.jpeg; file_data; content:"|00 00 00 56 6A 70 65 67 00 00 00 00 00 00 00 01 00 00 00 00 61 70 70 6C 00 00 00 00 00 00 02 00 00 02 00 03 00 48 00 00 00 48 00 00 00 00 00 00 00 01 0C 50 68 6F 74 6F 20 2D 20 4A 50 45 47 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:17470; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR Overly Long Filename Code Execution attempt"; flow:to_client,established; file_data; content:"|1F 5C 80 00 00 08 72 61 6D 34 2E 72 65 63 00 00 00 00 00 00 01 79|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33652; reference:cve,2009-0375; classtype:attempted-user; sid:17561; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Mplayer Real Demuxer stream_read heap overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:".RMF",depth 4; content:"|14 76 69 64 65 6F 2F 78 2D 70 6E 2D 72 65 61 6C 76 69 64 65 6F 00 00 00 1A 59 49 59 55 56 49 44 4F 52 56 32 30 00 01 00 01 00 1E 59 49 59 55 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31473; reference:cve,2008-3827; classtype:attempted-user; sid:17469; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer QCP parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.qcp; file_data; content:"RIFF",depth 4; content:"QLCMfmt|20|",within 8,distance 4; byte_test:4,>,220,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2950; classtype:attempted-user; sid:20288; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media Player codec code execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strh"; content:"auds",within 4,distance 4,fast_pattern; byte_jump:4,-8,relative,little; isdataat:16,relative; content:"strf",within 4; content:"U|00|",within 2,distance 4; byte_test:4,!=,48000,2,relative,little; byte_test:4,!=,44100,2,relative,little; byte_test:4,!=,32000,2,relative,little; byte_test:4,!=,24000,2,relative,little; byte_test:4,!=,22050,2,relative,little; byte_test:4,!=,16000,2,relative,little; byte_test:4,!=,12000,2,relative,little; byte_test:4,!=,11025,2,relative,little; byte_test:4,!=,8000,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0480; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-026; classtype:attempted-user; sid:16543; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strlstrh",fast_pattern,nocase; byte_jump:4,0,relative,little; content:!"strf",within 4,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,46047; reference:cve,2010-4393; classtype:attempted-user; sid:19169; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U",depth 7,nocase; isdataat:1000; pcre:"/https?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2005-0043; classtype:attempted-user; sid:18484; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0A\x0D\x3C]{251}/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,35500; reference:cve,2009-2484; reference:url,osvdb.org/show/osvdb/55509; classtype:attempted-user; sid:16752; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0D\x0A\x3C]{251}/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,35500; reference:cve,2009-2484; reference:url,osvdb.org/show/osvdb/55509; classtype:attempted-user; sid:16751; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA FFmpeg 4xm processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.4xm; file_data; content:"strk|28 00 00 00|"; byte_test:4,>,0x7ffffffe,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,33502; reference:cve,2009-0385; classtype:attempted-user; sid:15871; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"<trackList><track>",nocase; content:"<identifier>-",distance 0; content:"</track></trackList>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-4558; classtype:attempted-user; sid:15157; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime SMIL File Handling Integer Overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smil>"; pcre:"/meta\s*name\x3d\s*(?P<q1>(\x22|\x27|))(author|copyright|title|information)\s*(?P=q1)/smiR"; content:"content|3D 22|",distance 1,nocase; isdataat:1024,relative; content:!"|22|",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,24873; reference:cve,2007-2394; classtype:attempted-user; sid:17548; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer SMIL wallclock parsing buffer overflow"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"smil ",nocase; content:"wallclock|28|",distance 0,nocase; pcre:"/wallclock\x28((\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11}|\d{4}-\d{2}-\d{2}T(\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11})/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12219; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX SAMI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smi; file_data; content:"<SAMI",nocase; content:"<STYLE",distance 0,nocase; content:"text/css",within 200,nocase; isdataat:600,relative; content:!"</STYLE",within 600; pcre:"/\x3Cstyle[^\x3E]+?type\s*\x3D\s*(?P<q>(\x22|\x27|))text\x2Fcss(?P=q)[^\x3E]*\x3E.*^\s*\S+\s*\x7b[^\x7d]{500}/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-1444; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:13823; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|",fast_pattern,nocase; byte_extract:4,94,low,relative,little; content:"W|00|m|00|t|00|o|00|o|00|l|00|s|00|V|00|a|00|l|00|i|00|d|00 00 00|",distance 0,nocase; byte_test:4,>,low,94,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:19956; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 10 00 00|AAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:17135; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media Player Firefox plugin memory corruption attempt"; flow:to_client,established; flowbits:isset,file.wmv; file_data; content:"setTimeout|28 27|location|2E|reload|28 29 27 2C| 1000"; content:"autostart|3D|1 src=|22|invalid|2E|wmv|22|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2745; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-083; classtype:attempted-user; sid:17773; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 12 00 00|AAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:19063; rev:9; )
+alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Visual Basic 6.0 malformed AVI buffer overflow attempt"; flow:to_client,established; content:"RIFF",depth 100; content:"AVI ",within 4,distance 4; content:"strf"; byte_test:4,>,1088,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2008-4255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:23943; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime panorama atoms buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 00 00 01 A6 73 65 61 6E 00 00 00 01 00 00 00 04 00 00 00 00 00 00 41 41 70 64 61 74 00 00 00 01 00 00 00 00 00 00 00 00 00 02 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,26342; reference:cve,2007-4675; reference:url,docs.info.apple.com/article.html?artnum=306896; classtype:attempted-user; sid:17373; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-MULTIMEDIA Apple QuickTime user agent"; flow:to_server,established; http_header; content:"User-Agent|3A| QuickTime"; flowbits:set,quicktime_agent; flowbits:noalert; metadata:policy balanced-ips alert,policy security-ips alert; service:http; classtype:misc-activity; sid:13515; rev:10; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime marshaled punk remote code execution"; flow:to_client,established; file_data; content:"_Marshaled_pUnk",nocase; pcre:"/name\s*=\s*(?P<q1>\x22|\x27|)_Marshaled_pUnk(?P=q1)/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:cve,2010-1818; classtype:attempted-user; sid:17211; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00|"; pcre:"/\x00[\x70-\x74]\x00[\x00-\x09]/isR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:15384; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime HTTP error response buffer overflow"; flow:to_client,established; flowbits:isset,quicktime_agent; content:"HTTP/1.1 404"; isdataat:256,relative; content:!"|0A|",within 256; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,27225; reference:cve,2008-0234; classtype:attempted-user; sid:13516; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"hspa"; content:"vrsg",distance 0; byte_test:2,>,0x7000,14,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0667; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24549; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"hspa"; content:"vrsg",distance 0; byte_test:2,>,0x7000,14,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-0667; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24550; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.m4v; file_data; content:"moov",nocase; content:"trak",distance 0,nocase; content:"mdia",distance 0,nocase; content:"minf",distance 0,nocase; content:"stbl",distance 0,nocase; content:"stsd",distance 0,nocase; content:"avc1",distance 0,nocase; content:"avcC",distance 0,nocase; content:"|FF E1|",within 2,distance 4; byte_test:2,>=,0x8000,0,relative,big; metadata:policy balanced-ips alert,policy security-ips alert; service:http, imap, pop3; reference:cve,2006-4381; reference:url,support.apple.com/kb/TA24355; classtype:attempted-user; sid:24640; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4|file.m4v; content:"moov",nocase; content:"trak",distance 0,nocase; content:"mdia",distance 0,nocase; content:"minf",distance 0,nocase; content:"stbl",distance 0,nocase; content:"stsd",distance 0,nocase; content:"avc1",distance 0,nocase; content:"avcC",distance 0,nocase; content:"|FF E1|",within 2,distance 4; byte_test:2,>=,0x8000,0,relative,big; metadata:policy balanced-ips alert,policy security-ips alert; service:smtp; reference:cve,2006-4381; reference:url,support.apple.com/kb/TA24355; classtype:attempted-user; sid:24641; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA AVI file chunk length integer overflow attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"AVI LIST",depth 8,offset 8; content:"hdrlavih",within 8,distance 4; content:"INFO",distance 0; byte_extract:4,4,chunk_size,relative,little; isdataat:!chunk_size; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-3834; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:24955; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt"; flow:to_client,established; file_data; content:"OggS|00|",depth 5; content:"|0A 42 64 86 A8 CA 34 3C 04 87 07 97 00 11 71 15|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,51753; reference:cve,2012-0444; classtype:attempted-user; sid:25297; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt"; flow:to_server,established; flowbits:isset,file.ogg; file_data; content:"|0A 42 64 86 A8 CA 34 3C 04 87 07 97 00 11 71 15|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,51753; reference:cve,2012-0444; classtype:attempted-user; sid:25298; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|",depth 11; content:"|E9 7F 58 02 18 00 72 64 33 6D 5E 2C 6D 5E 2C 6D|"; metadata:policy balanced-ips drop; service:http, imap, pop3; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25376; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|",depth 11; content:"|AC 2A E9 03 18 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop; service:http, imap, pop3; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25377; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|",depth 11; content:"|E9 7F 58 02 18 00 72 64 33 6D 5E 2C 6D 5E 2C 6D|"; metadata:policy balanced-ips drop; service:smtp; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25378; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|",depth 11; content:"|AC 2A E9 03 18 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop; service:smtp; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25379; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01 B3|AAAAAA|BA|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-011; classtype:attempted-user; sid:25795; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01 B3|AAAAAA|BA|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-011; classtype:attempted-user; sid:25796; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xspf; file_data; content:"<trackList><track>",nocase; content:"<identifier>-",distance 0,nocase; content:"</track></trackList>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2008-4558; classtype:attempted-user; sid:25797; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes ITMS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itms|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itms\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15703; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes ITMSS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itmss|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itmss\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15704; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes PCAST protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"pcast|3A|//",nocase; pcre:"/(\x22|\x27)pcast\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15705; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes DAAP protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"daap|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)daap\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15706; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes ITPC protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itpc|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itpc\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15707; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player TY processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|F5 46 7A BD 00 00 00 02 00 02 00 00|",depth 12; byte_test:4,>,32,8,relative,big; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31813; reference:cve,2008-4654; classtype:attempted-user; sid:16720; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA ffdshow codec URL parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; content:"<param ",nocase; content:"URL",distance 0,nocase; pcre:"/<param\s+name\s*=\s*(?P<q1>\x22|\x27|)URL(?P=q1)[^>]+?value\s*=\s*(\x22|\x27)[^\x22\x27]{500}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32438; reference:cve,2008-5381; classtype:attempted-user; sid:17573; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Xenorate Media Player XPL file handling overflow attempt - 2"; flow:to_client,established; file_data; content:"AAAAAAAA|EB 06 90 90 4B 3F 01 11 90 90 90 90|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,osvdb.org/show/osvdb/57162; classtype:attempted-user; sid:16738; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00|"; pcre:"/\x00[\x70-\x74]\x00[\x00-\x09]/isR"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:26472; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-MULTIMEDIA Apple iTunes playlist overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http",offset 7,nocase; content:"://",within 4; isdataat:550,relative; content:!"|0D|",within 1000; content:!"|0A|",within 1000; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2005-0043; classtype:attempted-user; sid:26667; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.pls; file_data; content:"[playlist]",depth 10,nocase; isdataat:1000; content:"File",distance 0; pcre:"/^\d+\x3Dhttps?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2005-0043; classtype:attempted-user; sid:26724; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio version number anomaly"; flow:to_client,established; flowbits:isset,file.visio&file.ole; file_data; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x01-\x06\x0b]|\x00\x00[\x01-\x06\x0b][^\x00])/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,24349; reference:cve,2007-0934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-030; classtype:misc-activity; sid:11836; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel REPT integer underflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"|3D|rept|28|",nocase; pcre:"/\x3ccell\s+[^\x3e]*\x3aFormula\s*\x3d\s*\x22\s*\x3drept\x28/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,31706; reference:cve,2008-4019; classtype:attempted-user; sid:17734; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works file converter file section header index table stack overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"|22 07 00 00 00 22 22 22 22 00 22 06 00 00 00 02 00 46 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,27658; reference:cve,2008-0105; classtype:attempted-user; sid:17304; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word information string overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FE FF 00 00|"; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9|",within 16,distance 24; byte_jump:4,0,relative,little,post_offset -48; byte_extract:4,0,sectLength,relative,little; content:"|1E 00 00 00|",within sectLength; byte_test:4,>,2147483647,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-1540; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:7203; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08|"; content:"|13 08 00 00 00 00 00 00 00 00 00 00|",within 12,distance 2; pcre:"/^(.{3}[\x80-\xFF]|.{7}[\x80-\xFF])/sR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1247; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16647; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 10 10 00|"; content:"|33 10 00 00|",within 4,distance 16; content:"|54 08 0C 00 54 08 00 00|",distance 0; content:"|55 08 0C 00|",distance 8; content:"|55 08 0C 00|",within 4,distance 12; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0823; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16643; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|13 00|",within 2,distance 20; byte_test:2,>,1024,18,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,40520; reference:cve,2010-0822; reference:url,osvdb.org/show/osvdb/65236; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16638; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|04 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16639; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with linkFmla"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|0E 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16640; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro and linkFmla"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|04 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|0E 00|",within 2; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16641; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel EntExU2 write access violation attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0E 00 24 41 41 41 41 24 04 00 02 C0 42 02 04 00 D7 00 0C 00 A2 00 00 00 3C 00 0E 00 0E 00 0E 00 C2 01 0C 00 00 00 06 00 00 00 03 00 02 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,38547; reference:cve,2010-0257; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:19133; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray data parsing vulnerability exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|39 00 02 00 01 00 0F 00 02 00 1D 00 00 00 FF FF 01 00 C0 09 1B FC 1E 00 23 01 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 23 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43647; reference:cve,2010-3231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:19134; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record parsing memory corruption"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|01 00 00 00 FF FF FF FF 00 11 6D 79 63 6F 6D 61|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,40525; reference:cve,2010-1247; classtype:attempted-user; sid:19412; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft VBE6.dll stack corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|50 00 6F 00 69 00 6E 00 74 00 20 00 44 00 6F 00 63 00 75 00 6D 00|"; content:"|01 00 C3 0F 18 00 00 00|",distance 0; content:"|00 00 00 00|",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,39931; reference:cve,2010-0815; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-031; classtype:attempted-user; sid:16593; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio DXF variable name overflow attempt"; flow:to_client,established; flowbits:isset,file.dxf; file_data; content:"HEADER"; content:"9",distance 0; content:"|0A 24|",distance 0; isdataat:92,relative; content:!"|0A|",within 92; pcre:"/HEADER[\x20\r]*\n[\x20]*9[\x20\r]*\n\x24[^\n]{92}/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,39836; reference:cve,2010-1681; classtype:attempted-user; sid:18331; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word malformed table record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 13 3A FF FF FF 8C 0F 00 00 F0 38 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1903; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17124; rev:7; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word file sprmTSetBrc processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc&file.ole; file_data; content:"|08 D6|"; byte_extract:1,2,NumOfColumns,relative; byte_jump:2,-3,relative,little; content:"|20 D6|",within 2,distance -1; byte_test:1,>,NumOfColumns,2,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,38218; reference:cve,2009-3302; reference:cve,2010-2563; reference:url,osvdb.org/show/osvdb/67983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-067; classtype:attempted-user; sid:18535; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5C|sp"; content:"|5C|sn",within 100,nocase; content:"pFragments",within 100,nocase; content:"|5C|sv",within 100,nocase; pcre:"/\x5Csv\s+[^\x7D]*?\x3B[^\x7D]*?\x3B[^\x7B]{12}/smi"; byte_test:4,>,4,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18067; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel CrErr record integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05|"; content:"|65 08|",distance 0; byte_test:1,&,0x80,19,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3230; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17757; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word XP PLFLSInTableStream heap overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5C FE 00 01 02 5C FE 00 01 02 5C FE 00 01 02 5C FE 00 01 02 51 4A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17756; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"4BF0D1BD8B85D111B16A00C0F0283628"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21797; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"4BF0D1BD8B85D1116ab1283628f0c000"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21798; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"E0F86B9944805046EBAD9CE91439010B"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21799; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"B69041C78985D1116AD1283628F0C000"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21800; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"5FDC81917DE08A41A6AC"; pcre:"/5FDC81917DE08A41A6AC(E9B8ECA1EE.8|.98ECB1EEA8E)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21801; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 00 00 00 1F 00 44 F1 F8 00 00 00 00|"; content:"|00 00 00 19 00 00 00 0F 00 2E F1 00 00 00 00 0F 00 2E F1 A0 00 00 00 00 00 3A F1 08 00 00 00 01|",within 32,distance 32; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:21647; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 0B 00 0B 00 00 00 00 00 00 00 AA 00 00 00 03 A0 41 41 41 FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,50949; reference:cve,2011-3411; reference:url,osvdb.org/show/osvdb/77671; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-091; classtype:attempted-user; sid:21243; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FRTWrapper record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|51 08 00 00|AAAAAAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:16800; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 00 0B 00 51 10 08 00 00 01 01 00 FF 00 00 00 27 10 06 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0549; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:18399; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|51 10 0F 00 00 02 00 00 00 00 07 00 3A 00 00 00 00 00 00|"; content:"|51 10 13 00 01 02 00 00 00 00 0B 00 3B 00 00 00 00 00 00 01 00 03 00|",within 23,distance 16; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:18740; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher tyo.oty field heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 19 1D 00 04 04 01 00 01 00 F2 68 01 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips alert; service:http, imap, pop3; reference:cve,2010-2569; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18212; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 97 conversion remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 FF FF 67 7E 66 00 48 D4 03 00 57 D7 03 00 FF FF 14 00 1A|"; metadata:policy balanced-ips drop,policy security-ips alert; service:http, imap, pop3; reference:cve,2010-2571; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18214; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray data parsing vulnerability exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 75 00 14 00 01 00 40 00 00 00 90 22 BD 04 FF FF 00 00 12 00 01 FF 1E 00 23 02 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 01 00 00 00 00 00 04 42 03 FF 00 01 00 24|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43647; reference:cve,2010-3231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17758; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 91 00 07 00 01 00 41 00 00 00 E0 29 BD 04 FF FF 00 00 05 00 01 FF 1E 00 23 02 30 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 02|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17764; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel invalid SerAr object exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|BD 04 FF FF 00 00 05 00 01 FF 1E 00 23 02 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 02 00 00 00 00 00 04 42 03 FF 00 02 00 00 B6 1E 00 00 5B 44 65 70 74 5D 2E 5B 57 73 7A 79 73 74 6B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3239; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17759; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 11 6D 79 63 6F 6D 61 64 64 69 6E 2E 70 72 6F 67 69 64 00 0B 4C 4F 52 45 4D 5F 49 50 53 55 4D 05 50 72 69 63 65 10 00 00 00 2A 00 00 00 00 00 00 00 EA 4E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17760; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|10 00 00 00 2A 00 00 00 00 00 00 00 41 41 13 08 4F 00 13 08|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:18806; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|E8 AC|"; content:"|08 20 E0 AC 01 00 09 C0 6E 00 00 00 41 00 41 00|",within 16,distance 30; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3954; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18230; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1 F8 00 00 00 00 00 27 F1 20 00 00 00|"; content:"|0F 00 3D F1 00 00 00 00 0F 00 31 F1 A0 00 00 00|",within 16,distance 32; content:"|1F 00 2C F1 18 00 00 00 00 00 28 F1 10 00 00 00|",within 16,distance 160; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:18635; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio deserialization double free attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|FF FF FF FF 00 00 BF 8E 22 BD 3E 68 9C 83 00 00 01 00 1D 02|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18415; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio Data Type Memory Corruption"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|80 12 00 0F 00 41 41 38 A4 EF 66 04 00 02 EC F0|"; content:"|56 41 52 43 48 41 A1 52 DC FF|",within 10,distance 16; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,46138; reference:cve,2011-0093; classtype:attempted-user; sid:18755; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio ORMinfo classes length overflow attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|F2 04 58 41 03 00 47 00 00 00 42 00 00 00 00 00 7B DA 02 EB F0 01 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18417; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio ORMinfo classes length overflow attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|FF FF FF FF 00 00 98 0C 3C BF 61 D1 D2 C9 00 00 01 00 02|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18416; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FNGROUPNAME record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|9A 00 09 00 FF FF 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,38553; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-017; classtype:attempted-user; sid:20029; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 1F 00 44 F1 F8 00 00 00 00 00 27 F1|"; content:"|19 00 00 00 0F 00 3D F1 00 00 00 00 0F 00 31 F1|",within 16,distance 32; content:"|FF FF FF FF 1F 00 32 F1 18 00 00 00 00 00 28 F1|",within 16,distance 160; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:19811; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|47 CA FF 00 00 00 00 00 00 00 00 00 00 01 32 00 31 90|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,42136; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:19459; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|47 CA FF 3E C6 FF 41 41 41 41 00 00 00 01 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,42136; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:19458; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher pubconv.dll corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|39 00 39 00 39 00 39 01 1D 00 04 04 01 00 01 00 E2 00 01 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,45277; reference:cve,2010-2569; classtype:attempted-user; sid:19306; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray parsing attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|69 6F 6E 60 01 00 00 B4 01 C7 03 42 03 FF 00 01 00 00 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43654; reference:cve,2010-3239; classtype:attempted-user; sid:19154; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint converter bad indirection remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 20 02 00 00 18 00 00 00 B1 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 00 10 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18948; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1D 00 00 00 FF FF 21 00 34 02 C7 FC 1E 00 23 30 00 00 00 17|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:18538; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE OpenOffice.org Microsoft Office Word file processing integer underflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|08 D6 05 80 05 94 FF E0 10 2C 22 00 06 4C 11 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,38218; reference:cve,2009-3301; classtype:attempted-user; sid:18536; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Global Array Index Heap Overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|22 B0 08 07 23 90 A0 05 24 90 A0 05 33 50 00 19 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,32583; reference:cve,2008-4026; classtype:attempted-user; sid:17560; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel MalformedPalete Record Memory Corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 80 00 FF 93 02 04 00 14 80 05 FF 92 00 E2 00 80 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,21922; reference:cve,2007-0031; classtype:attempted-user; sid:17542; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 00 0D 10 7E 00 00 00 3B 01 77 00 30 00 30 00 74 00 2C 00 20 00 4D 00 61 00 72 00 63 00 20 00 42 00 65 00 68 00 61 00 72 00 20 00 67 00 69 00 76 00 65 00 73 00 20 00 30 00 2E 00 30 00 31 00 24 00 20 00 62 00 6C 00 6F 00 77 00 6A 00 6F 00 62 00 20 00 61 00 74 00 20 00 65 00 62 00 61 00 79 00 2C 00 20 00 67 00 6F 00 67 00 6F 00 67 00 6F|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17539; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|53 68 65 65 74 31 00 00 00 00 00 00 53 68 65 65 74 32 00 00|",depth 20,offset 688; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17538; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 0C 00 77 30 30 74 77 30 30 74 77 30 30 74 8C 00 04 00 21 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17537; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint TxMasterStyle10Atom atom numLevels buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F8 03|"; byte_extract:4,4,master_record,relative,little; content:"|B2 0F|",within master_record; byte_test:2,>,5,4,relative,little; byte_test:1,<,0x90,-4,relative; byte_test:1,!&,0x01,-4,relative; byte_test:1,!&,0x02,-4,relative; byte_test:1,!&,0x04,-4,relative; byte_test:1,!&,0x08,-4,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-1455; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-051; classtype:attempted-user; sid:13971; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; content:"|0A F0 08 00 00 00|"; byte_test:2,&,1024,4,relative,little; byte_test:2,&,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:13572; rev:16; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel malformed formula parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|07 C9 C0 00 00 06 03 00 00 18 00 FF 02 00 00 02 7C 7C 7C 7C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,28167; reference:cve,2008-0115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:17655; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|51 08|",distance 0; byte_test:2,<,8,0,relative,little; content:"|51 08|",within 2,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:14641; rev:14; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel country record arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|8C 00 04 00|"; byte_test:2,>,5,0,relative,little; content:"|18 00|",within 2,distance 4; content:"|20 00|",within 2,distance 2; byte_test:2,>,14,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-3006; reference:cve,2008-4266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-043; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-074; classtype:attempted-user; sid:13972; rev:16; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio invalid ho tag attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|0D 14 00 03 00 01 00 16 00 03 00 01 01 02 FF 00 A4 02 A7 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,33660; reference:cve,2009-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-005; classtype:attempted-user; sid:15299; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio invalid ho tag attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|00 02 0B|@|00 00 00 00 00 00 00 00 FE 00 FF 00 90 03 A7 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,33660; reference:cve,2009-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-005; classtype:attempted-user; sid:16318; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint PP7 Component buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|CC 0F 00 00 FF FF 00 00|"; byte_test:4,>,0x100,0,relative,little; byte_extract:4,0,length,relative,little; content:"|00 00 00 00|",within 4; content:"|BA 0F 00 00|",within length; byte_test:4,>,0x100,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-1129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15499; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|EC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:16586; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|DC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:16234; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint paragraph format array inner header overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|1C 00 00 00 00 80 41 41 41 41 41 41 95 00 FF FF 64|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,34833; reference:cve,2009-0220; classtype:attempted-user; sid:17695; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint LinkedSlide memory corruption"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 E7|.|08 00 00 00|"; byte_test:4, >, 1000000, 4, relative, little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15500; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint HashCode10Atom memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F0 03|"; content:"|00 00|+",within 3,distance 5; isdataat:4,relative; content:!"|04 00 00 00|",within 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-1130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15505; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint file LinkedSlide10Atom record parsing heap corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 E7|.|08 00 00 00|"; byte_jump:4,4,relative,multiplier 16,little; content:"|00 00 E6|.|08 00 00 00|",within 8; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0030; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:16410; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint CurrentUserAtom remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 F6 0F|"; content:"|14 00 00 00|",within 4,distance 4; byte_test:2,>,255,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-1131; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15506; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel Qsir and Qsif record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 08|"; content:"|06 08|",within 2,distance 2; byte_test:1,&,0x10,16,relative; byte_test:1,!&,0x40,16,relative; byte_test:4,>,0,18,relative,little; content:"|07 08|",distance 0; content:"|07 08|",within 2,distance 2; byte_test:1,&,8,2,relative; byte_test:1,<,0x10,2,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-1134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:15542; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FeatHdr BIFF record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"g|08|"; content:"|04 00|",within 2,distance 14; content:"|04 00|",within 2,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16241; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio Malformed IconBitsComponent arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|00 00| |00| |FF 00 00 14 01 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0095; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-005; classtype:attempted-user; sid:15303; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SST record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|FC 00|",distance 0; byte_test:4,>,0,2,relative,little; byte_test:4,>,0x10000000,6,relative,little; byte_test:2,>,10,0,relative,little; byte_test:2,<,8225,0,relative,little; byte_jump:2,0,relative,little; pcre:"/^(\xFF|\x3C)\x00/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,36042; reference:cve,2009-0561; reference:cve,2009-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21396492; classtype:attempted-user; sid:15541; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,!&,0x07,0,relative,little; byte_test:1,&,0x48,0,relative,little; content:"|CD 00|",within 2,distance 12; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16471; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,&,0x03,0,relative,little; byte_test:1,&,0x40,0,relative,little; content:"|CD 00|",within 2,distance 12; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16470; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fOdbcConn parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,&,0x06,0,relative,little; byte_test:1,&,0x08,0,relative,little; content:"|CD 00|",within 2,distance 12; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16469; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|42 F1 00 00 00 00 03|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2573; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18066; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher oversized oti length attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|E8 AC|"; content:"|2C 01 04 00|",within 4,distance 2; byte_test:2,>,94,26,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3955; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18231; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 2007 pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|01 2C 01 2B 01 2A 01 2F 01 2E 01 2D 01 52 00 12 12 00 00 00|"; content:"|02 00 13 00|",within 4,distance 11; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,35599; reference:cve,2009-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-030; classtype:attempted-user; sid:19932; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel format record code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; content:"|09 08 10 00 00 06|",distance 0; content:"|1E 04|",distance 0,fast_pattern; byte_test:2,>,392,2,relative,little; byte_test:2,>,4,0,relative,little; byte_test:2,<,256,4,relative,little; content:"Sheet1",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-3005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-043; classtype:attempted-user; sid:19552; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word malformed index code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|02 00 60 00 0C 14 FF 00 04 61 D5 00 B0 00 08 00 53 00 75 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43766; reference:cve,2010-2750; classtype:attempted-user; sid:19153; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint bad text header txttype attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 9F 0F 04 00 00 00|"; byte_test:1,>,8,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0022; reference:cve,2011-1269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-036; classtype:attempted-user; sid:16188; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00|"; content:"|11 00 00 00|",distance 0; content:"|47 00 00 00|",distance 0; content:"|08 00 00 00 28 00 00 00|",within 8,distance 8; pcre:"/^(?=.{10}[\x01\x04\x08\x16\x24\x32]\x00)(.{3}[\x55-\xFF]|.{31}[\x80-\xFF])/sR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3970; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-006; classtype:attempted-user; sid:18265; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Legacy file format picture object code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FF 03 00 00 00 60 16 8F 10 00 00 00 00 5F 07 90 08 28 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,34834; reference:cve,2009-0223; classtype:attempted-user; sid:17646; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|13 1F 14 FF 95 80 FF FF 01 00 00 00 00 00 28 2C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,30124; reference:cve,2008-2244; classtype:attempted-user; sid:17308; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word document stream handling code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|A8 00 00 00 00 00 00 00 41 41 41 41 10 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,25567; reference:cve,2007-0870; classtype:attempted-user; sid:17368; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel IMDATA buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|7F 00 54 01 09 00 01 00 00 00 00 00 0C 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,21856; reference:cve,2007-0027; classtype:attempted-user; sid:17362; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc&file.ole; file_data; content:"|FF FF FF FF FF FF EC A5 C1 00 4D 20 09 04 00 00 F0 12 BF 00|"; content:"|09 04 16 00 22 0C 00 00 80 57 00 00 80 57 00 00 02|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|",within 12,distance 23; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,23380; reference:cve,2007-1910; reference:url,osvdb.org/show/osvdb/37633; classtype:attempted-user; sid:17301; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet name memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|01 16 01 00 00 F0 00 00 00 2C 03 00 00 D4 00 00 00 00 02 00 00 FF FF FF FF 34 03 00 00 D8 03 00|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,24691; reference:cve,2007-3490; classtype:attempted-user; sid:17227; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft HtmlDlgHelper ActiveX clsid access"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"3050f4e1-98b5-11cf-bb82-00aa00bdce0b"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3329; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17770; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 00 01 18 E8 AC 02 68 43 43 43 00 03 20 13 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,27739; reference:cve,2008-0102; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-012; classtype:attempted-user; sid:13470; rev:15; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office WordPad and Office Text Converters PlcPcd aCP buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|02 10 00 00 00 00 00 00 00|"; byte_test:4,>,2147483648,0,relative,little; content:"|00 00 10|",within 3,distance 5; content:"@|00 00 FF FF 01 00|",within 8; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15467; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|F6 03 00 00 FF 7F 12 D6 FC 12 D6 FC|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:15524; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|07 07 07 52 07 45 07 50 07 52 07 4F 07 07 07|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17742; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 E9 62 F9 FF FF 13 98 FE 0C|4|00 FF 8F FF E7 40 40 40|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17691; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 0D 0A 11|h|01 13 98 FE 0C|4|00 FF 8F 08 00 00 FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:15525; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 0D 0A 11|h|01 13 98 FE 0C|4|00 FF 8F 08 00 00 01 00 00 00 01 00 68 01 78|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17690; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|C0 00 00 00 16 00 00 00 C8 00 00 00 0D 00 00 00 D0 00 00 00 0C 00 00 00 E1 00 00 00|"; byte_test:4,>,357913941,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2506; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-073; classtype:attempted-user; sid:16314; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel ptg index parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 05 1E 02 00 1E 03 00 05 1E 04 00 05 1E 05 00 05 1E 06 00 05 1E 03 00 1E 04 00|B|04|G|00 D7 00 06 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3132; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16553; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel integer field in row record improper validation remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|08 00|P|00 00 FF 00 00 0A AA|A|8D 86 84|7|0E FF FF 00 00 00 00 00 FE 0D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16226; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word GDI+ Office Art Property Table remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"c|00 0B F0 24 00 00 00 7F 00 04 00 04 00|X|01 00 00 00 00|V|00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16177; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel GDI+ Office Art Property Table remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"3|01 0B F0 8C 02 00 00 7F 00 08 00 08 00|E|C1 A8 01 00 00|F|C1 1C 00 00 00|Q|C1|&|00 00 00|U|C1 00 00 00 00|V|C1 00 00 00 00|W|C1 16 00 00 00|V|00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16178; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel oversized ptgFuncVar cparams value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00|J|00|"; content:"|03 1E 0A 00|B|04|G|00|",within 8,distance 66; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3132; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16233; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio improper attribute code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|19 00 1A 00 1B 00 1C 00 1D 00 1E 00 1F 00| |00|h|00 00 00 02|U|00 00 F8 00 00 00 00 00 00 00|@"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0254; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-028; classtype:attempted-user; sid:16535; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio off-by-one in array index code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"h|00 07 00 01|T|00 00 C8 01 00 00 00 00 00 00|I|00 00 00 00 00 00 F0|?A|00 00 00 00 00 00 E0|?A|00 00 00 00 00 00 B0|?A|00 00 00 00 00 00 B0 BF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0256; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-028; classtype:attempted-user; sid:16536; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel BIFF5 formulas from records parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 01 00 01 00 00 02|"; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 02|",within 21,distance 12; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 02 00 02 00 00 02|",within 21,distance 74; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16463; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel BIFF8 formulas from records parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|3B 00 00 01 00 01 00 00 00 02 00|"; content:"|3B 00 00 00 00 00 00 00 00 02 00|",within 11,distance 12; content:"|3B 00 00 02 00 02 00 00 00 02 00|",within 11,distance 92; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16462; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel uninitialized stack variable code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:">|02 12 00 B6 06 00 00 00 00|@|00 00 00 00 00 00 00 00 00 00 00 1D 00 0F 00 03 00 00 00 00 00 00 01 00 00 00 00 00 00 00 9A 00 06 00 FF FF 00 00 00 00 0A 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16466; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0B 08 3F 00 2C 00 3A 00 00 5F 28 22 24 22 2A 20 23 2C 23 23 1F 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16644; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B0 00 3D 00 02 00 08 00 00 00 01 00 04 00 04 00 01 00 FF 7F|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16645; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 E9 0B 0F 00 00 F0 E1 0B 00 00 00 00 06 F0 00 00 00 00 02 04 00 00 02 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16646; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 1"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 E9 0B 0F 00 00 F0 E1 0B 00 00 00 00 06 F0 00 01 00 00 00 FF FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1247; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16648; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Access ACCWIZ library release after free attempt - 1"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|b|00|j|00|e|00|c|00|t|00|P|00|o|00|o|00|l|00|"; content:"|18 00 01 01 FF FF FF FF FF FF FF FF 06 00 00 00 27 03 23 53 2B 17 D0 11 AD 40 00 A0 C9 0D C8 D9|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1881; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-044; classtype:attempted-user; sid:17038; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word sprmCMajority SPRM overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|01 08 5B 05 68 45 DE 11 13 6D 48 7B 07 7D 28 F0 6D 48 44 06 07|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:17119; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint converter bad indirection remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 0D 00 00 00 B0 0F 00 00 FF FF 00 00 8C 01 00 00 18 00 00 00 B1 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B3|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18065; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word bookmark bound check remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 62 00 00 00 75 00 00 00 7E 00 00 00 8A 00 00 00 02 00 00 00 02 00 00 00 00 00 02 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3216; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17754; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word unchecked index value remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|E0 10 11 84 00 00 15 C6 05 00 01 48 12 06 5E 84 E0 10 60 84 00 00 6F 28 00 87 68 00 00 00 00 88|"; content:"|0F 84 1C 11 11 84 4C FF 15 C6 05 00 01 1C 11 06|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17755; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel GhostRw record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|20 00 05 19 40 00 01 1E 01 00 19 40 00 01 03 1F 00 00 00 00 00 00 10 41 1E 00 04 05 19 40 00 01 1E 01 00 19 40 00 01 03 1E 10 00 1E 00 01 05 19 40|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3242; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17763; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel malformed MsoDrawingObject record attempt"; flow:established, to_client; flowbits:isset,file.xls; file_data; content:"|18 6A CB 01 70 7E 13 F2 DE 6E CB 01 06 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3335; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18068; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5F B3 AC 33 42 1E DA DE 51 CA FA 0D 4F 71 3C 4B BE EC 72 87 2B 4D 06 22 A7 4C 49 75 6A E0 37 20 BB 29 CB A9 2E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17406; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|11 84 98 FE 5E 84 68 01 60 84 98 FE 4F 4A 06 00 51 4A 06 00 6F 28 00 87 68 00 00 00 00 88 48 00 00 42 43 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17404; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office TIFFIM32.FLT filter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 02 00 03 00 00 FF FF 00 00 0D 00 01 03 00 03 00 00 00 01 00 03 00 00 01 06 00 03 00 00 00 01 00 00 00 00 01 0A 00 03|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3949; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18236; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter sprmTTextFflow overflow attempt"; flow:to_client,established; file_data; content:"|29 76 00 FF E0 01 13 D6 30 00 00 00 FF 04 01 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:18643; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt"; flow:to_client,established; file_data; content:"|25 56 00 FF 05 D6 18 04 01 00 00 04 01|",fast_pattern; content:"|08 D6 1A 00 01 94 FF 2C 22 00 06 98 22|",within 50; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:18642; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office BpscBulletProof uninitialized pointer dereference attempt"; flow:to_client,established; file_data; content:"|0F 00 03 18 79 3B 00 00 0F 00 04 F0 48 05 00 00 01 00 09|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-1982; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; classtype:attempted-user; sid:20129; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt"; flow:to_client,established; flowbits:isset,file.slk; file_data; content:"|0A|P|3B|PAAAA"; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:20049; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 26 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 0E 00 00 00 06 01 01 00 00 00 53|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:17310; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt"; flow:to_client,established; file_data; content:"|00 00 29 76 00 FF E0 01 13 D6 30 00 00 00 FF 04 01 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:19707; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|00 00 05 00 00 00 07 08 00 00 0F 00 EF 03 00 00 00 00 0F 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,38073; reference:cve,2010-0243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-003; classtype:attempted-user; sid:19442; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_client,established; flowbits:isset,file.cgm; file_data; content:"|20 42 00 01 00 80 41 3F 8F F8 00 00 00 95 00 C7 00 00 00 C7 00 95 00 AA 00 96 00 08 00 00 00 0C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:19156; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt 3"; flow:to_client,established; file_data; content:"|6C 2F 63 6F 6D 6D 65 6E 74 73 31 2E 78 6D 6C AC AA AA AA AA|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:18541; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_client,established; file_data; content:"|0A F0 08 00 00 00 01 20 01 00 56 61 9A 92 B3 65 82 F0 30 00 00 00 81 01 00 00 B4 B0|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:18514; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint PP7 File Handling Memory Corruption attempt"; flow:to_client,established; file_data; content:"|08 00 00 00 00 00 00 00 AA FF FF 3F 00 00 00 00 FD 03 00 00 01 00 00 00 34 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,34880; reference:cve,2009-0225; classtype:attempted-user; sid:17565; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher Object Handler Validation Code Execution attempted"; flow:to_client,established; file_data; content:"|00 00 03 68 1A 01 00 00 34 00 00 00 01 20 01 00|"; content:"|01 20 1D 01 00 00 02 20 1C 01 00 00 03 90 5A 05 00 00 00 78 00 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,29158; reference:cve,2008-0119; classtype:attempted-user; sid:17383; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio Object Header Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|10|@|DE|naaa|87|a|17|@|DE FD F2 F1 09|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-1089; classtype:attempted-user; sid:15163; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio DXF file invalid memory allocation exploit attempt"; flow:to_client,established; flowbits:isset,file.dxf; file_data; content:"HATCH|0D 0A|",nocase; pcre:!"/^\s*[1-9][0-9]*\x0d\x0a/R"; metadata:policy balanced-ips drop,policy security-ips alert; service:http, imap, pop3; reference:cve,2008-1090; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-019; classtype:attempted-user; sid:13665; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_client,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-EPSF-3.0"; content:"|C5 D0 D3 C6|",depth 4; byte_test:2,>,32767,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,30595; reference:cve,2006-1317; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:13970; rev:14; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt"; flow:to_server,established; http_uri; content:".ppt",nocase; pcre:"/[^\x5C\x2F\x3A\x2A\x3F\x22\x3C\x3E\x7C\x3D\s]{256}\x2Eppt($|\x3f)/i"; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2010-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:16409; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher Adobe Font Driver code execution attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|E0 98 FF FF FF E1 FF 5F FF E2 DF E0 DE 71 DE 9E DE 71 DC 83|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3956; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-091; classtype:attempted-user; sid:18233; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; flow:to_client,established; file_data; content:"|C0 9C 83 4A FF F8 CE 11 A0 6B 00 AA 00 A7 11 91 30 00 00 00|"; content:"T|00|h|00|u|00|m|00|b|00|n|00|a|00|i|00|l|00 00 00 41 00 00 00|",distance 0; content:"|28 00 00 00|",within 4,distance 4; pcre:"/^(?=.{10}[\x01\x04\x08\x16\x24\x32]\x00)(.{3}[\x55-\xFF]|.{31}[\x80-\xFF])/sR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3970; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-006; classtype:attempted-user; sid:18398; rev:9; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt "; flow:established, to_server; content:"Content-Type|3A|",nocase; content:"application/ms-tnef",within 25,nocase; content:"bGU6Ly9jOlx3aW5kb3dz",distance 0,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-045; classtype:attempted-user; sid:17036; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt "; flow:established, to_server; content:"Content-Type|3A|",nocase; content:"application/ms-tnef",within 25,nocase; content:"aWxlOi8vYzpcd2luZG93",distance 0,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-045; classtype:attempted-user; sid:17035; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt "; flow:established, to_server; content:"Content-Type|3A|",nocase; content:"application/ms-tnef",within 25,nocase; content:"ZmlsZTovL2M6XHdpbmRv",distance 0,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-045; classtype:attempted-user; sid:17034; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt"; flow:to_server,established; file_data; content:"|5C|sp"; content:"|5C|sn",within 100,nocase; content:"pFragments",within 100,nocase; content:"|5C|sv",within 100,nocase; pcre:"/\x5Csv\s+[^\x7D]*?\x3B[^\x7D]*?\x3B[^\x7B]{12}/smi"; byte_test:4,>,4,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18310; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 2007 file format arbitrary code execution attempt"; flow:to_client,established; file_data; content:"R|00 12 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 13 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-030; classtype:attempted-user; sid:15681; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt 2"; flow:to_client,established; file_data; content:"|87 0C 14 B9 C6 B7 BD BB 1A|x?|9F EE 0A|P|1C D1 B5|8xG|06 BE 88 E1|X|DF DE|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16468; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt 1"; flow:to_client,established; file_data; content:"Zsk|C9 23 EF E2|@A|3A 97 98|<f|81 E9 AA|yH|84 1D|[|A2 EC|{|FD 5C 14|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16467; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Access ACCWIZ library release after free attempt - 2"; flow:to_client,established; file_data; content:"CLASSID|3D 22|CLSID|3A|53230327-172B-11D0-AD40-00A0C90DC8D9|22| data|3D|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1881; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-044; classtype:attempted-user; sid:17039; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_client,established; file_data; content:"|41 3F 80 14 00 00 00 1F 00 1F 00 00 00 1F 00 1F 00 20 00 20 00 00 00 00 05 B8 80 80 FF FF FF 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:18200; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 0D 10 00 00 0F 84 D0 02 11 84 98 FE 5E 84 D0 02 60 84 98 FE 6F 28 00 87 68 00 00 00 00 88 48 00 00 1F 05|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17405; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_server,established; content:"aWxlOi8vYzpcd2luZG93c1xzeXN0ZW0zMlxjYWxj"; pcre:"/^[A-Za-z0-9\\x2b\x2f][GWm2]V4ZT9vb29v[A-Za-z0-9\\x2b\x2f][GWm2]Rh/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:20247; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_server,established; content:"bGU6Ly9jOlx3aW5kb3dzXHN5c3RlbTMyXGNhbG"; pcre:"/^[MNOP][A-Za-z0-9\\x2b\x2f]ZXhlP29vb2[89+/][A-Za-z0-9\\x2b\x2f]ZGF0/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:20246; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_server,established; content:"xNzIuMTYuOC4zOS9wdWJsaWMvZXhwbG9pdC5leGU"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:19407; rev:6; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_server,established; content:"ZmlsZTovL2M6XHdpbmRvd3Ncc3lzdGVtMzJcY2FsYy5leGU/b29vby5kYXQK"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:19406; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_client,established; file_data; content:"file://c:|5C|windows|5C|system32|5C|calc.exe?oooo.dat"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:19405; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Outlook arbitrary command line attempt"; flow:to_client,established; file_data; content:"mailto|3A|",nocase; content:"|2F|importprf",distance 0,nocase; pcre:"/\x3c[^\x3e]+[\x22\x27]mailto\x3a[^\x3e]+\x3f[^\x3e]*\x2fimportprf/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-0110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-015; classtype:misc-attack; sid:13573; rev:14; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office WordPad and Office Text Converters XST parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 90|hNIr|8F 1E 23 FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F 00 00 01 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0D 10 00 00 0F 84|h|01 11 84 98 FE|^|84|h|01|`|84 98 FE|o|28 00 87|h|00 00 00 00 88|H|00 00|BB"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15455; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office WordPad WordPerfect 6.x converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|1E 00 00 00 10 00 00 00|Nullcode.com.ar|00 03 00 00 00 01 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15466; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|4E 08 7D EB|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21896; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|8B 8D DA 58|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21897; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|00 36 D8 F4|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21898; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|B1 3C C1 6A|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21899; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|8E 7E E1 E6|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21900; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|A3 E8 13 07|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21901; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt"; flow:to_client,established; flowbits:isset,file.doc&file.ole; file_data; content:"|08 D6|"; byte_extract:1,2,NumberOfColumns,relative,little; content:"|20 D6 0B|",distance 0; byte_extract:1,0,itcFirst,relative,little; byte_test:1,>,itcFirst,0,relative,little; byte_test:1,>,NumberOfColumns,0,relative,little; metadata:policy balanced-ips alert,policy security-ips alert; service:http, imap, pop3; reference:bugtraq,43122; reference:cve,2009-3302; reference:cve,2010-2563; reference:url,osvdb.org/show/osvdb/67983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-067; classtype:attempted-user; sid:17250; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 51 10 1D 00 01 02 00 00 00 00 15 00 3B FF FF 00 00 00 00 00 00 01 00 13 00 13 00 01 00 01 00 00 02 51 10 1D 00 02 02 00 00 00 00 15|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:21942; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|10 08 00 00 01 00 00 00 00 00 00 51 10 13 00 01 02 00 00 00 00 0B 00 3B 01 00 02 00 02 00 00 00 02 00 51 10 13 00 02 02 00 00 00 00 0B 00 3B 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:21943; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE OpenOffice OLE file stream buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"W|00|o|00|r|00|d|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|",nocase; byte_test:4,>,0x80000000,96,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,28819; reference:cve,2008-0320; classtype:attempted-user; sid:17315; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B5 00|"; content:!"|00 00|",within 2; byte_test:2,>,0x7fff,2,little,relative; byte_test:2,>=,0,4,little,relative; byte_test:2,<=,1,4,little,relative; byte_test:2,>=,0,8,little,relative; byte_test:2,<=,0x7ef4,8,little,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:22091; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B5 00|"; content:!"|00 00|",within 2; byte_test:2,>,0x7fff,2,little,relative; byte_test:2,>=,0,4,little,relative; byte_test:2,<=,1,4,little,relative; content:"|FF 7F|",within 2,distance 8; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:23009; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FNGROUPNAME record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|98 08 09 00 FF FF 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,38553; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-017; classtype:attempted-user; sid:23010; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Outlook arbitrary command line attempt"; flow:to_client,established; file_data; content:"mailto|3A|",nocase; content:"|2F|altvba",distance 0,nocase; pcre:"/\x3c[^\x3e]+[\x22\x27]mailto\x3a[^\x3e]+\x3f[^\x3e]*\x2faltvba/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-0110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-015; classtype:misc-attack; sid:23211; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_server,established; file_data; content:"|FE 00 00 02 D6 FD FF 00 02 D5 FB FE 00 02 D4 FA FE 00 06 D6|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-3945; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:23526; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_server,established; file_data; content:"|41 3F 80 14 00 00 00 1F 00 1F 00 00 00 1F 00 1F 00 20 00 20 00 00 00 00 05 B8 80 80 FF FF FF 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-3945; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:23527; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint paragraph format array inner header overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|1C 00 00 00 00 80 41 41 41 41 41 41 95 00 FF FF 64|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,34833; reference:cve,2009-0220; classtype:attempted-user; sid:23534; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint Download of version 4.0 file"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; content:"P|00|P|00|4|00|0|00|",within 8,distance 108; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-0220; reference:cve,2009-0223; reference:cve,2009-0226; reference:cve,2009-0227; reference:cve,2009-1137; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23535; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint CurrentUserAtom remote code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|00 00 F6 0F|"; content:"|14 00 00 00|",within 4,distance 4; byte_test:2,>,255,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-1131; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23536; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint HashCode10Atom memory corruption attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F0 03|"; content:"|00 00|+",within 3,distance 5; isdataat:4,relative; content:!"|04 00 00 00|",within 4; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-1130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23537; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint PP7 Component buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|CC 0F 00 00 FF FF 00 00|"; byte_test:4,>,0x100,0,relative,little; byte_extract:4,0,length,relative,little; content:"|00 00 00 00|",within 4; content:"|BA 0F 00 00|",within length; byte_test:4,>,0x100,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-1129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23538; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint Legacy file format picture object code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|FF 03 00 00 00 60 16 8F 10 00 00 00 00 5F 07 90 08 28 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,34834; reference:cve,2009-0223; classtype:attempted-user; sid:23539; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word GDI+ Office Art Property Table remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"c|00 0B F0 24 00 00 00 7F 00 04 00 04 00|X|01 00 00 00 00|V|00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23540; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel GDI+ Office Art Property Table remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"3|01 0B F0 8C 02 00 00 7F 00 08 00 08 00|E|C1 A8 01 00 00|F|C1 1C 00 00 00|Q|C1|&|00 00 00|U|C1 00 00 00 00|V|C1 00 00 00 00|W|C1 16 00 00 00|V|00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23541; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel integer field in row record improper validation remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|08 00|P|00 00 FF 00 00 0A AA|A|8D 86 84|7|0E FF FF 00 00 00 00 00 FE 0D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-3130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:23542; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|13 00|",within 2,distance 20; byte_test:2,>,1024,18,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,40520; reference:cve,2010-0822; reference:url,osvdb.org/show/osvdb/65236; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23544; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|04 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23545; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with linkFmla"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|0E 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23546; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro and linkFmla"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|04 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|0E 00|",within 2; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23547; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|13 08 E9 0B 0F 00 00 F0 E1 0B 00 00 00 00 06 F0 00 00 00 00 02 04 00 00 02 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-1246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23550; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B0 00 3D 00 02 00 08 00 00 00 01 00 04 00 04 00 01 00 FF 7F|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23552; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|0B 08 3F 00 2C 00 3A 00 00 5F 28 22 24 22 2A 20 23 2C 23 23 1F 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23554; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft HtmlDlgHelper ActiveX clsid access"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"3050f4e1-98b5-11cf-bb82-00aa00bdce0b"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-3329; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:23555; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office EMF image EMFPlusPointF record memory corruption attempt"; flow:to_client,established; file_data; content:"|02 04 ED 9F F3 EE 77 BA A1 09 E7 97 42 49 07 A4 39 2E FF 00 D8 05 00 00 01 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0167; classtype:attempted-user; sid:23989; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office EMF image EMFPlusPointF record memory corruption attempt"; flow:to_server,established; file_data; content:"|02 04 ED 9F F3 EE 77 BA A1 09 E7 97 42 49 07 A4 39 2E FF 00 D8 05 00 00 01 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-0167; classtype:attempted-user; sid:23992; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"Times|20|New|20|Roman|20|Cyr|03 10 FF 41 41 41 41 41 41 41 41 41 41 41 41|"; content:"|41 41 41 41 28 AE 12 00 41 41 41 41 58 17 DD 77|",within 16,distance 112; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:18616; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"|00 00 00 00 A2 04 00 00 00 00 4E 03 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 10 FF 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:18615; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works file converter file section length headers memory corruption attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"STSH"; byte_test:2,>,32768,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,27657; reference:cve,2007-0216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-011; classtype:attempted-user; sid:13466; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"Timesffffffffff|01 10 12|fffff ffffffffffff|02 00 FF|fffff fffffffffffff|03 10 15|fffffffffffffffffffff|04 10 13|fffffffffffffffffffffffffffffffffffffffffffff|29 06 10 18|ffffffffffffffffffffffff|07 10 16|ffffffffffffffffffffff|08 10 1C|ffffffffffffffffffffffffffff|00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:15526; rev:10; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Visio DXF variable name overflow attempt"; flow:to_server,established; flowbits:isset,file.dxf; file_data; content:"HEADER"; content:"9",distance 0; content:"|0A 24|",distance 0; isdataat:92,relative; content:!"|0A|",within 92; pcre:"/HEADER[\x20\r]*\n[\x20]*9[\x20\r]*\n\x24[^\n]{92}/"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,39836; reference:cve,2010-1681; classtype:attempted-user; sid:24186; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 9 use-after-free attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:" = |22|BLAAAAAH|22| |22|, blah blah |13| IF |13| MERGEFIELD"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2550; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-065; classtype:attempted-user; sid:24351; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Works 9 use-after-free attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:" = |22|BLAAAAAH|22| |22|, blah blah |13| IF |13| MERGEFIELD"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-2550; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-065; classtype:attempted-user; sid:24352; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word RTF malformed listid attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|listtable{"; content:"|5C|listid2147483647}"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-064; classtype:attempted-user; sid:24353; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word RTF malformed listid attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|listid2147483647}"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-064; classtype:attempted-user; sid:24354; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rgfc value overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|47 16 00 00 4A 16 00 00 B2 0C 00 40 51 16 00 00 55 16 00 00 59 16 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0182; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-064; classtype:attempted-user; sid:24357; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word rgfc value overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|47 16 00 00 4A 16 00 00 B2 0C 00 40 51 16 00 00 55 16 00 00 59 16 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-0182; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-064; classtype:attempted-user; sid:24358; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format invalid field size memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout",nocase; content:"|5C|dppolycount",within 50,nocase; byte_test:5,>,50,0,string,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1902; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17123; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|emfblip"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17120; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 2"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|pngblip"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17121; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 3"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|jpegblip"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17122; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/[^\x3b\x7d]*\x3b[^\x3b\x7d]*\x3b.{8}/smiR"; byte_test:4,>,4,0,relative,little, string, hex; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18680; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF malformed second pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/^[^\x3B\x7D]{0,10}\x3B[^\x3B\x7D]{64}/smiR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18706; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dppolycount",nocase; byte_test:5,>,8186,0,relative,string,dec; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-4025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:misc-attack; sid:15106; rev:12; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office RTF malformed second pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/^[^\x3B\x7D]{0,10}\x3B[^\x3B\x7D]{64}/smiR"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18705; rev:9; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office RTF malformed second pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/^[^\x3B\x7D]{0,10}\x3B[^\x3B\x7D]{64}/smiR"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18704; rev:11; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/[^\x3b\x7d]*\x3b[^\x3b\x7d]*\x3b.{8}/smiR"; byte_test:4,>,4,0,relative,little, string, hex; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18703; rev:9; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/[^\x3b\x7d]*\x3b[^\x3b\x7d]*\x3b.{8}/smiR"; byte_test:4,>,4,0,relative,little, string, hex; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18702; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word RTF parsing memory corruption"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpline |5C|dpline |5C|dpline |5C|dpline"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,29104; reference:cve,2008-1091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-026; classtype:attempted-user; sid:17743; rev:12; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout"; pcre:"/\x5cdpcallout\s*\x5cdpcallout\s*\x5cdpcallout/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-4028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:15082; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"4E087DEB",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21902; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8B8DDA58",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21903; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"0036D8F4",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21904; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"B13CC16A",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21905; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8E7EE1E6",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21906; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office rtf document generic exploit indicator"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"%USERPROFILE%|5C|"; pcre:"/\x25USERPROFILE\x25\x5C[^\x2e]{1,255}\x2eexe/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:21907; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"A3E81207",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21937; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"D0CF11E0"; content:"436F626A",distance 0,nocase; byte_test:8,=,0x64000000,0,relative,little,string,hex; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:23305; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE OpenOffice RTF File parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"rtf",nocase; content:"|5C|prtdata",distance 0,nocase; isdataat:200,relative; content:!"|0A|",within 200; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,24450; reference:cve,2007-0245; classtype:attempted-user; sid:17403; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works Word document use after free attempt"; flow:to_client,established; flowbits:set,file.doc; file_data; content:"|00 FF 00 00 00 13 3B 74 FF 13 3B 74 FF 95 C0 95 8C 13 3B 74 FF 95 80 13 3B 74 FF 95 80 0F 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2550; classtype:attempted-user; sid:24587; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Works Word document use after free attempt"; flow:to_server,established; flowbits:set,file.doc; file_data; content:"|00 FF 00 00 00 13 3B 74 FF 13 3B 74 FF 95 C0 95 8C 13 3B 74 FF 95 80 13 3B 74 FF 95 80 0F 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-2550; classtype:attempted-user; sid:24588; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_server,established; flowbits:isset,file.cgm; file_data; content:"|20 42 00 01 00 80 41 3F 8F F8 00 00 00 95 00 C7 00 00 00 C7 00 95 00 AA 00 96 00 08 00 00 00 0C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:24823; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint bad text header txttype attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 9F 0F 04 00 00 00|"; byte_test:1,>,8,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2006-0022; reference:cve,2011-1269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-036; classtype:attempted-user; sid:24868; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|listoverride"; content:"|5C|listoverridecount"; content:!"|5C|listoverridecount0"; content:!"|5C|listoverridecount1"; content:!"|5C|listoverridecount9"; content:!"|5C|listoverridecount|00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-079; classtype:attempted-user; sid:24974; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|listoverride"; content:"|5C|listoverridecount"; content:!"|5C|listoverridecount0"; content:!"|5C|listoverridecount1"; content:!"|5C|listoverridecount9"; content:!"|5C|listoverridecount|00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-2539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-079; classtype:attempted-user; sid:24975; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1C 1D 13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 02 00 00 00 11 6D 79 63 6F|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25293; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 04 00 00 A7 00 04 00 B0 0F 0C 00 3C 00 50 01 77 8D A4 06 30 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25294; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|1C 1D 13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 02 00 00 00 11 6D 79 63 6F|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25295; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|06 04 00 00 A7 00 04 00 B0 0F 0C 00 3C 00 50 01 77 8D A4 06 30 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25296; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|42 F1 00 00 00 00 03|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-2573; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:25311; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pfragments|00 CC 7D 7B 7B 5C 2A 5C 2A 7D 5C 73 76 7B 7D 7B 5C 69 6E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:25393; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; content:"|0A F0 08 00 00 00|"; byte_test:2,&,1024,4,relative,little; byte_test:2,&,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:25587; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|EC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:25630; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|DC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:25631; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word unchecked index value remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|E0 10 11 84 00 00 15 C6 05 00 01 48 12 06 5E 84 E0 10 60 84 00 00 6F 28 00 87 68 00 00 00 00 88|"; content:"|0F 84 1C 11 11 84 4C FF 15 C6 05 00 01 1C 11 06|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-3219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:25768; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft OLE automation string manipulation overflow attempt"; flow:to_client,established; file_data; content:"|2E|substringData"; pcre:"/\x2esubstringData\s*\x28[^\x2c]*\x2c\s*0x7(f|F){6}[6-9AaBbCcDdEeFf]/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,25282; reference:cve,2007-2224; classtype:attempted-user; sid:17421; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Visio version number anomaly"; flow:to_server,established; flowbits:isset,file.visio&file.ole; file_data; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x01-\x06\x0b]|\x00\x00[\x01-\x06\x0b][^\x00])/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,24349; reference:cve,2007-0934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-030; classtype:misc-activity; sid:26089; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office OneNote 2010 buffer overread info disclosure attempt"; flow:to_client,established; file_data; content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|",depth 16; content:"|09 34 00 20 5B 34 00 1C|"; byte_test:2,>,499,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-025; classtype:attempted-recon; sid:26170; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office OneNote 2010 buffer overread info disclosure attempt"; flow:to_server,established; file_data; content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|",depth 16; content:"|09 34 00 20 5B 34 00 1C|"; byte_test:2,>,499,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-025; classtype:attempted-recon; sid:26171; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel FRTWrapper record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|51 08 00 00|AAAAAAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:26174; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|51 08|",distance 0; byte_test:2,<,8,0,relative,little; content:"|51 08|",within 2,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:26175; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel format record code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; content:"|09 08 10 00 00 06|",distance 0; content:"|1E 04|",distance 0,fast_pattern; byte_test:2,>,392,2,relative,little; byte_test:2,>,4,0,relative,little; byte_test:2,<,256,4,relative,little; content:"Sheet1",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2008-3005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-043; classtype:attempted-user; sid:26329; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint TxMasterStyle10Atom atom numLevels buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F8 03|"; byte_extract:4,4,master_record,relative,little; content:"|B2 0F|",within master_record; byte_test:2,>,5,4,relative,little; byte_test:1,<,0x90,-4,relative; byte_test:1,!&,0x01,-4,relative; byte_test:1,!&,0x02,-4,relative; byte_test:1,!&,0x04,-4,relative; byte_test:1,!&,0x08,-4,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2008-1455; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-051; classtype:attempted-user; sid:26330; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any ( msg:"FILE-OFFICE OpenOffice OLE File Stream Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"W|00|o|00|r|00|d|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|",nocase; byte_test:4,>,0x80000000,96,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,28819; reference:cve,2008-0320; classtype:attempted-user; sid:26453; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_server,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-EPSF-3.0"; content:"|C5 D0 D3 C6|",depth 4; byte_test:2,>,32767,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,30595; reference:cve,2006-1317; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:26597; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Excel sheet name memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|01 16 01 00 00 F0 00 00 00 2C 03 00 00 D4 00 00 00 00 02 00 00 FF FF FF FF 34 03 00 00 D8 03 00|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,24691; reference:cve,2007-3490; classtype:attempted-user; sid:26602; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio XML parameter entity reference local file disclosure attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<!ENTITY",nocase; content:"SYSTEM",within 25,nocase; content:"file:///",within 25,fast_pattern,nocase; content:"<!ENTITY",distance 0,nocase; content:"SYSTEM",within 25,nocase; content:"http://",within 25,nocase; pcre:"/<\x21ENTITY\s+?\x25\s+?(?P<local>[^\s]+?)\s+?SYSTEM\s+?[\x22\x27]\s*?file:\x2f\x2f\x2f.*?[\x22\x27]\s*?<\x21ENTITY\s+?(\x25|%\x3b)[^>]+?SYSTEM\s+?[\x22\x27]\s*?http:\x2f\x2f[^>]+?\x25(?P=local)\x3b/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-1301; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-044; classtype:attempted-recon; sid:26626; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio SVG external entity local file disclosure attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"<!DOCTYPE",nocase; content:"svg",within 25,nocase; content:"<!ENTITY",within 25,nocase; content:"SYSTEM",within 25,nocase; content:"http://",within 25,nocase; pcre:"/<\x21DOCTYPE\s+?svg\s+?\[\s*?<\x21ENTITY\s+?\x25\s+?(?P<remote>[^\s]+?)\s+?SYSTEM\s+?[\x22\x27]\s*?http:\x2f\x2f[^\x5d]+?\x25(?P=remote)\x3b/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1301; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-044; classtype:attempted-recon; sid:26627; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Visio SVG external entity local file disclosure attempt"; flow:to_server,established; flowbits:isset,file.svg; file_data; content:"<!DOCTYPE",nocase; content:"svg",within 25,nocase; content:"<!ENTITY",within 25,nocase; content:"SYSTEM",within 25,nocase; content:"http://",within 25,nocase; pcre:"/<\x21DOCTYPE\s+?svg\s+?\[\s*?<\x21ENTITY\s+?\x25\s+?(?P<remote>[^\s]+?)\s+?SYSTEM\s+?[\x22\x27]\s*?http:\x2f\x2f[^\x5d]+?\x25(?P=remote)\x3b/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-1301; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-044; classtype:attempted-recon; sid:26628; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_server,established; file_data; content:"|0A F0 08 00 00 00 01 20 01 00 56 61 9A 92 B3 65 82 F0 30 00 00 00 81 01 00 00 B4 B0|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:26663; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc&file.ole; file_data; content:"|42 75 66 66 65 72 20 6F 76 65 72 66 6C 6F 77|"; content:"|09 04 16 00 35 0E 00 00 CE 90 01 00 CE 90 01 00 10 00 00 00|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,23380; reference:cve,2007-1910; reference:url,osvdb.org/show/osvdb/37633; classtype:attempted-user; sid:26672; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc&file.ole; file_data; content:"|FF FF FF FF FF FF EC A5 C1 00 4D 20 09 04 00 00 F0 12 BF 00|"; content:"|09 04 16 00 22 0C 00 00 80 57 00 00 80 57 00 00 02|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|",within 12,distance 23; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,23380; reference:cve,2007-1910; reference:url,osvdb.org/show/osvdb/37633; classtype:attempted-user; sid:26673; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc&file.ole; file_data; content:"|42 75 66 66 65 72 20 6F 76 65 72 66 6C 6F 77|"; content:"|09 04 16 00 35 0E 00 00 CE 90 01 00 CE 90 01 00 10 00 00 00|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,23380; reference:cve,2007-1910; reference:url,osvdb.org/show/osvdb/37633; classtype:attempted-user; sid:26674; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt"; flow:to_server,established; flowbits:isset,file.doc&file.ole; file_data; content:"|08 D6|"; byte_extract:1,2,NumberOfColumns,relative,little; content:"|20 D6 0B|",distance 0; byte_extract:1,0,itcFirst,relative,little; byte_test:1,>,itcFirst,0,relative,little; byte_test:1,>,NumberOfColumns,0,relative,little; metadata:policy balanced-ips alert,policy security-ips alert; service:smtp; reference:bugtraq,43122; reference:cve,2009-3302; reference:cve,2010-2563; reference:url,osvdb.org/show/osvdb/67983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-067; classtype:attempted-user; sid:26676; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 26 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 0E 00 00 00 06 01 01 00 00 00 53|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26706; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26707; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 0A 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26708; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 0A 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26709; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26710; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Excel malformed ftCMO record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 10 00 00 06 10 00|"; content:"|15 00 12 00 08 00|",distance 0,fast_pattern; content:"|5D 00|",within 2,distance -10; byte_test:2,>,0,0,little,relative; content:!"|EC 00|",within 2049,distance -2049; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-009; classtype:attempted-user; sid:26711; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access"; flow:to_client,established; file_data; content:"MSComctlLib.Toolbar.2"; flowbits:set,mscomctl.toolbar; flowbits:noalert; metadata:policy balanced-ips alert,policy security-ips alert; service:http, imap, pop3; classtype:misc-activity; sid:26830; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access"; flow:to_server,established; file_data; content:"MSComctlLib.Toolbar.2"; flowbits:set,mscomctl.toolbar; flowbits:noalert; metadata:policy balanced-ips alert,policy security-ips alert; service:smtp; classtype:misc-activity; sid:26831; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control exploit attempt"; flow:to_client,established; flowbits:isset,file.rtf|file.ole; flowbits:isset,mscomctl.toolbar; file_data; content:"CKBJCKBJCKBJCKBJCKBJCKBJCKBJCKBJ"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html; classtype:attempted-user; sid:26832; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control exploit attempt"; flow:to_server,established; flowbits:isset,file.rtf|file.ole; flowbits:isset,mscomctl.toolbar; file_data; content:"CKBJCKBJCKBJCKBJCKBJCKBJCKBJCKBJ"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html; classtype:attempted-user; sid:26833; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_client,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-3.1 EPSF-3.0"; content:"|C5 D0 D3 C6|",depth 4; byte_test:4,>,65535,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,30595; reference:cve,2006-1317; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:27089; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_server,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-EPSF-3.0"; content:"|C5 D0 D3 C6|",depth 4; byte_test:4,>,65535,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,30595; reference:cve,2006-1317; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:27090; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint schemes record buffer overflow"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|B2 B2 B2 B2 B2 B2 01 80 2C 01 5F 16 05 00 FF 7F 00 00 FF 00 00 00 00 00 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0226; classtype:attempted-user; sid:27215; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint printer record buffer overflow"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|4E 6F 6E 65 00 44 72 69 76 65 72 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0227; classtype:attempted-user; sid:27216; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows download of .lnk file that executes cmd.exe detected"; flow:to_client,established; flowbits:isset,file.lnk; file_data; content:"WINDOWS|5C|system32|5C|cmd|2E|exe"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,15069; reference:cve,2005-2122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-049; classtype:attempted-user; sid:17442; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Visual Studio VAP file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.vap; file_data; content:"|22|projectname|22| = |22|",nocase; content:!"|22|",within 200; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-1043; reference:url,www.securityfocus.com/bid/16953; classtype:attempted-user; sid:22032; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"head",within 200; byte_test:4,>=,0x80000000,4,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23152; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"head",within 200; byte_test:4,>=,0x80000000,8,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23153; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"name",within 200; byte_test:4,>=,0x80000000,4,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23154; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"name",within 200; byte_test:4,>=,0x80000000,8,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23155; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF multiple antivirus evasion attempts"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1429; classtype:attempted-user; sid:23318; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1420; classtype:attempted-user; sid:23323; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"|19 04 00 10|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1424; classtype:attempted-user; sid:23326; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"ITSF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1422; classtype:attempted-user; sid:23328; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"MSCF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1421; classtype:attempted-user; sid:23329; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"[aliases]",depth 9,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1419; classtype:attempted-user; sid:23351; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF multiple antivirus evasion attempts"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|19 04 00 10|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1430; classtype:attempted-user; sid:23357; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table overflow attempt"; flow:to_server,established; flowbits:isset,file.eot; file_data; content:"|00 01 00 01 00 00 00 01 FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-029; classtype:attempted-user; sid:23566; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows malformed ASF voice codec memory corruption attempt"; flow:to_server,established; file_data; content:"@|9E|i|F8|M[|CF 11 A8 FD 00 80|_|5C|D+"; isdataat:46,relative; pcre:"/^.{38}\x0a\x00..(?!(\x40\x1f|\x11\x2b|\x80\x3e|\x22\x56)\x00\x00)/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2009-0555; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-051; classtype:attempted-user; sid:23578; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 41 41 41 41 41 41 AB 41 05 43 01 57 17|",within 20,distance 484; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:17807; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF 00 00|rcsL"; isdataat:192,relative; content:"|01 02 4C 00 00 00 00 80 00 00 F0 FF F0 02 67 25 A2 01 33 41|",within 20,distance 192; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:17806; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; content:"XFIR",nocase; content:"tSAC",distance 0,nocase; byte_test:2,>,32767,40,relative; content:"shockwave3d",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:23371; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave tSAC pointer overwrite attempt"; flow:to_client,established; flowbits:isset, file.dir; file_data; content:"tSAC<|04 00 00 00 04 00 00 04|2|0B 00 00 01 00 00 00 14 0C 0C 0C 0C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3464; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; classtype:attempted-user; sid:16223; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave director file malformed lcsr block memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"p|00 00 00 01 00 00 00 A8 FF FB|m|10|http|3A|//www."; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3466; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; classtype:attempted-user; sid:16220; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file LsCM overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM"; byte_test:4,>,4211081214,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2864; classtype:attempted-user; sid:17200; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file LsCM record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM|3A 00 00 00 00 00 00 0C 00 00 00 01 00 04 00 00 40 05 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2864; classtype:attempted-user; sid:17181; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file LsCM record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM|3A 00 00 00 00 00 00 0C 00 00 40 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2864; classtype:attempted-user; sid:17180; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; content:"XFIR",nocase; content:"tSAC",distance 0,nocase; byte_test:2,>,32767,36,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17202; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file file rcsL overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL"; byte_test:1,>,127,76,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2867; classtype:attempted-user; sid:17203; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|52 02 4C 00 61 46 43 01 57 C9 41 01 06 52 43 4C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17189; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00 00 00 05 0E|"; content:"|0A 08 19 1E 1C 1E 1F 1E 44 00 43 01 57 6E A1 9C|",within 16,distance 512; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17188; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|8F 41 01 45 C2 AE 00 FF 45 B0 41 24 43 46 1F 42|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17187; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00|"; content:"|01 17 00 C0 FF FF 00 00 00 C1 00 00 01 84 00 00|",within 16,distance 84; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17186; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00 00 00 05 0E 00 00 05 0E 00 5C 00 40|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17185; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 00 00 00 00 00 00 00 00 06 00 00 00 45 00 00|",within 16,distance 28; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17184; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 16 00 00 00 00 00 00 00 00 00 00 00 45 00 00|",within 16,distance 24; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17183; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 00 00 00 00 16 00 00 00 00 00 00 00 3F 00 00|",within 16,distance 20; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17182; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file pamm record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"pamm"; byte_test:4,>,4294967118,20,relative; content:!"|FF FF FF FF|",within 4,distance 20; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17179; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file mmap overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"RIFX",depth 4; content:"mmap"; byte_test:4,>,32768,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2870; classtype:attempted-user; sid:17204; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL"; isdataat:203,relative; content:"|FF F0 02 67|",within 4,distance 203; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,42682; reference:cve,2010-2873; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17803; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Flash memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF 01 1F 02|H|00 00 00|6|00 00 FF FF 01 1F 1F EE|"; content:!"|FF FF FF FF|",within 4,distance -24; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3463; classtype:attempted-user; sid:16293; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"EyeL|04 00 00 00 01 00 00 00 42 00 00 00 70 00 00 00 99 00 00 00 56 55 55 15|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2871; classtype:attempted-user; sid:17190; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"39VMpami|18 00 00 00 01 41 41 41 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2872; classtype:attempted-user; sid:17191; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|00 23 6F 98 00 00 00 00 00 00 00 62 00 00 00 01 00 0F FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2873; classtype:attempted-user; sid:17192; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"muhT|9B 00 00 00 00 04 00 00|FCRD|A8 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2874; classtype:attempted-user; sid:17193; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC tag exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF 00 00|shockwave3d|00 00 01|P3DPR|00 00 01|P|00 00 00 06 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,42668; reference:cve,2010-2875; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17194; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|01 36 01 00 00 00 80 80 00 00 00 15 00 00 00 03 00 00 00 27 00 00 00 24 00 00 00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 06 00 01 00 00 00 0F E1 FD|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2877; classtype:attempted-user; sid:17196; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|6D 9E 54 65 78 74 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 01 1A 3A 36 23 16 3A 37 0C 29 47 72 65 67 20 42 61 72 6E 65 74 74 00 80 80 00 04 74 65 78 74 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2878; classtype:attempted-user; sid:17198; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|32 02 30 82 02 31 30 02 38 38 02 30 82 02 31 30 02 38 38 03 30 30 30 41 30 30 30 30 30 30 31 33 00 00 30 30 30 30 30 32 02 30 82 02 31 30 02 38|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2879; classtype:attempted-user; sid:17197; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF file parsing in different antivirus evasion attempt"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; content:"|4A 46 49 46|",within 4,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1431; reference:url,securityfocus.com/archive/1/522005; classtype:bad-unknown; sid:21629; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF file parsing in different antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|19 04 00 10|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1430; reference:url,securityfocus.com/archive/1/522005; classtype:bad-unknown; sid:21630; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Java Applet Rhino script engine remote code execution attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"this.toString = function|28|",nocase; content:"java.lang.System.setSecurityManager|28|null|29|",distance 0,nocase; content:"return String.fromCharCode|28|97",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-3544; reference:url,osvdb.org/show/osvdb/76500; classtype:attempted-user; sid:21057; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Java JRE sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"AtomicReferenceArray"; content:"localAtomicReferenceArray = (AtomicReferenceArray)arrayofObject",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21869; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Apple OSX Finder DMG volume name memory corruption"; flow:to_client,established; flowbits:isset,file.dmg; file_data; content:"|00 00 00 00 4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; flowbits:isset,file.asx; file_data; content:"|FF FA 92 60 3C 6F|"; content:"|FF FA 92 C9 B9 56|",within 6,distance 412,fast_pattern; content:"|A9 00 04 48 58 DC E1 83 4B 68 32 01 9B BC 04 A3 27 0E A5 3D 71 66 0D 2D A8 D3 84 AF 3C 14 88 94 3E 89 CA BF 80 9C|",within 38; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:18463; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows chm file malware related exploit"; flow:to_client,established; flowbits:isset,file.chm; file_data; content:"|78 07 2F 6D 79 2E 68 74 6D 01 84 A0 00 81 5C 0C 2F 73 65 72 76 69 63 65 2E 65 78 65 01 00 84 A0|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/508508b8105d7d9b5289813b385f9be233d76e09a2ad3c647e8dc5078db8eff1/analysis/; classtype:trojan-activity; sid:21489; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption"; flow:to_client,established; flowbits:isset,file.cov; file_data; content:"|00 73 00 04 00 AD FE FF FF FE 01 00 00 2F FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,45942; reference:cve,2010-2701; classtype:attempted-admin; sid:19219; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows embedded OpenType EOT font integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|52 E7 0D 2C 32 3E 1D FC BE E2 B2 A1 E9 94 6A 46 57 35 B4 FD|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43775; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-user; sid:19308; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption"; flow:to_client,established; flowbits:isset,file.cov; file_data; content:"|00 00 42 00 55 00 47 00 0A 00 A7 FE FF FF DA 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,45942; reference:cve,2010-2701; classtype:attempted-admin; sid:19220; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows .NET Framework XAML browser applications stack corruption"; flow:to_client,established; flowbits:isset,file.manifest; file_data; content:"|2F 00 59 00 41 01 6B 00 61 00 41 01 6B 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,47223; reference:cve,2010-3958; classtype:attempted-user; sid:19170; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|AA FF FF FF FF 00 00 00 20 00 00 00 03 00 00 00 21 00 00 00 7E 00 00 00 04 00 00 00 A0 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,osvdb.org/show/osvdb/67984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:18952; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Pagemaker Font Name Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pmd; file_data; content:"|61 61 61 61 61 61 61 61 61 61 61 61 0F 42 01 05 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,25989; reference:cve,2007-5169; classtype:attempted-user; sid:17735; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Pagemaker Key Strings Stack Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pmd; file_data; content:"Magenta",nocase; content:"|41 41 41 41 41|",within 5,distance 241; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,31999; reference:cve,2007-6432; classtype:attempted-admin; sid:17650; rev:7; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_server,established; file_data; content:"|4F 54 54 4F 00 0B 00 80 00 03 00 30 43 46 46 20 0C 1B 55 C1 00 00 0C 54 00 00 AC F2 47 50 4F 53 55 19 E1 1E 00 00 C1 50 00 00 2C 1C 47 53 55 42|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:20776; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Server 2003 update service principal name spn dos executable attempt"; flow:to_client,established; file_data; content:"|62 00 61 00 64 00 2E 00 44 00 4E 00 53 00 65 00 6E 00 74 00 72 00 79 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-005; classtype:attempted-admin; sid:18406; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"FILE-OTHER Microsoft Windows Server 2003 update service principal name spn dos attempt"; flow:to_server,established; content:"|62 00 61 00 64 00 2E 00 44 00 4E 00 53 00 65 00 6E 00 74 00 72 00 79 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ns; reference:cve,2011-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-005; classtype:attempted-admin; sid:18407; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows OpenType Fonts CompactFontFormat FontMatrix tranform memory corruption attempt"; flow:to_client,established; file_data; content:"|04 FB 61 0C 03 F1 0C 04 8C 8B 8B 8C 8B 8B 0C 07 1C F7 E9 FD|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-032; classtype:attempted-admin; sid:18644; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows ATMFD Adobe font driver remote code execution attempt"; flow:to_client,established; file_data; content:"|64 A2 F7 60 A2 01 F7 A7 C8 03 14 E0 F7 E6 43 15 BE C9 A3 B0|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-007; classtype:attempted-user; sid:18402; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Data Access Components library attempt"; flow:to_client,established; file_data; content:"|33 C0 66 89 45 F4 6A FD 8D 85 BC FF FE FF 50 6A FD 8D 8D D8 FF FE FF 51 6A FD 8D 95 F4 FF FE FF 52 8B 85 A4 FF FE FF 50 E8 9B FB FF FF 33 C0 52 8B CD 50 8D 15 14 15 41 00 E8 9E FB FF FF 58 5A 5F 5E 5B 8B 4D FC 33 CD E8 12 FB|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-002; classtype:attempted-user; sid:18276; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER rich text format unexpected field type memory corruption attempt"; flow:to_client,established; file_data; content:"|4B 47 2D D7 6B CF 87 5D CF DB F3 1E FE 9F 9F 5F F4 A3 30 49 BC A4 DB 9E B3 C3 7B ED B9 C5 28 6E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:18953; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER rich text format unexpected field type memory corruption attempt"; flow:to_client,established; file_data; content:"|CB 5D 91 76 A2 A3 23 D7 EF 15 F9 A8 E3 7A DD A5 78 21 08 0E FE 17 FF 2F 2D AD 84 49 9C 65 41 B6|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:18954; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_client,established; file_data; content:"|3F 5F 03 00|",depth 4; content:"TTLBTREE|00 2E 06 00 00 7C 62|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:17374; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Project Invalid Memory Pointer Code Execution attempt"; flow:to_client,established; file_data; content:"|00 0B 00 00 00 CC E5 1A 00 41 41 41 41 00 00 00 00 03 02 01 22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,28607; reference:cve,2008-1088; classtype:attempted-user; sid:17382; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenOffice.org XPM file processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xpm; file_data; content:"/* XPM */",fast_pattern; content:"static char *",distance 0; pcre:"/^[^\x22]+\x22(\d+\x20+){2}/R"; byte_test:10,>,419062,0,relative,string; byte_test:10,>,10244,1,relative,string; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,38218; reference:cve,2009-2949; classtype:attempted-user; sid:18537; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"xsl|3A|stylesheet",fast_pattern,nocase; content:"crypto|3A|rc4_",nocase; pcre:"/^(encrypt|decrypt)\x28\x27[^\x27]{129}/smiR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,30467; reference:cve,2008-2935; classtype:attempted-user; sid:14039; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Video Spirit visprj buffer overflow"; flow:established,to_client; flowbits:isset,file.visprj; file_data; content:"valitem",nocase; pcre:"/<\s*valitem[^>]*\s(value|name)\s*=\s*([\x22\x27])[^\x22\x27]{104}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0499; classtype:attempted-user; sid:20889; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|00 01 00 01 00 12 00 01 00 01 00 00 00 01 FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-029; classtype:attempted-user; sid:15693; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft SYmbolic LinK stack overflow attempt"; flow:to_client,established; flowbits:isset,file.slk; file_data; content:"P|3B|"; pcre:"/(^P\x3B[^\x3B]*\x0D\x0A){200}/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,48161; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19911; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ACD Systems ACDSee Products XBM file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xbm; file_data; content:"|23|define"; content:"|5F|width",distance 0; pcre:"/\x23define\s*(?=[\S]{57})\S*\x5Fwidth/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,37685; reference:url,osvdb.org/show/osvdb/63643; classtype:attempted-user; sid:17238; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing path overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"4|3A|pathl",nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16520; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing name overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"4|3A|name",nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16519; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"8|3A|announce",nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16518; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"7|3A|comment",nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16517; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Help Workshop HPJ OPTIONS section buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.hpj; file_data; content:"[OPTIONS]"; content:"HLP",distance 0,nocase; pcre:"/^\s*HLP\s*\x3d\s*[^\n]{257}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,22135; reference:cve,2007-0427; classtype:attempted-user; sid:17366; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; content:"XFIR",nocase; content:"tSAC",distance 0,nocase; byte_test:2,>,32767,40,relative; content:"shockwave3d",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:24272; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; content:"XFIR",nocase; content:"tSAC",distance 0,nocase; byte_test:2,>,32767,36,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:24273; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 00 6B 2B 2B 45 46 AB 41 05 43 01 57 17|",within 20,distance 484; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24277; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 00 6B 2B 2B 45 46 AB 41 05 43 01 57 17|",within 20,distance 484; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24278; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 41 41 41 41 41 41 AB 41 05 43 01 57 17|",within 20,distance 484; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24279; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|FF FF 00 00|rcsL"; isdataat:192,relative; content:"|01 02 4C 00 00 00 00 80 00 00 F0 FF F0 02 67 25 A2 01 33 41|",within 20,distance 192; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24280; rev:2; )
+alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any ( msg:"FILE-OTHER Microsoft LNK shortcut arbitary dll load attempt"; flow:to_client,established; content:"|FF|SMB",depth 4,offset 4; content:"|00 00 00 00|",within 4,distance 1; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"|20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D|",distance 0; pcre:"/\x2E\x00?d\x00?l\x00?l\x00?/Ri"; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2010-2568; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; classtype:attempted-user; sid:19290; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt"; flow:to_client,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"|20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2568; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; classtype:attempted-user; sid:17042; rev:9; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt"; flow:to_server,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"|20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D|",distance 0; pcre:"/\x2E\x00?d\x00?l\x00?l\x00?/Ri"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-2568; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; classtype:attempted-user; sid:24500; rev:2; )
+alert tcp $HOME_NET 445 -> $HOME_NET any ( msg:"FILE-OTHER Adobe Premier Pro ibfs32.dll dll-load exploit attempt"; flow:to_client,established; content:"i|00|b|00|f|00|s|00|3|00|2|00|.|00|d|00|l|00|l|00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2010-3150; reference:url,osvdb.org/show/osvdb/67554; classtype:attempted-user; sid:18530; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"cmap"; content:"|00 04|",distance 0; content:"|00 02|",within 2,distance 4; content:"|FF FF 00 00 00 00|",within 6,distance 6; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2897; reference:cve,2012-4786; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-078; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-075; classtype:attempted-admin; sid:24649; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"cmap"; content:"|00 04|",distance 0; content:"|00 02|",within 2,distance 4; content:"|FF FF 00 00 00 00|",within 6,distance 6; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-2897; reference:cve,2012-4786; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-078; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-075; classtype:attempted-admin; sid:24650; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|2C 52 02 4C 00 4C 33 4C 02 4C 01 61|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2030; classtype:denial-of-service; sid:24702; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|2C 52 02 4C 00 4C 33 4C 02 4C 01 61|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-2030; classtype:denial-of-service; sid:24703; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<PacDesignData>|0A|",depth 30,offset 15; content:"<SymbolicSchematicData>|0A|",distance 0; content:"<Symbol>",distance 0; content:"<Value>",distance 0; isdataat:96,relative; content:!"</Value>",within 96; metadata:policy balanced-ips drop; service:http, imap, pop3; reference:cve,2012-2915; classtype:attempted-user; sid:25247; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"<PacDesignData>|0A|",depth 30,offset 15; content:"<SymbolicSchematicData>|0A|",distance 0; content:"<Symbol>",distance 0; content:"<Value>",distance 0; isdataat:96,relative; content:!"</Value>",within 96; metadata:policy balanced-ips drop; service:smtp; reference:cve,2012-2915; classtype:attempted-user; sid:25248; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER overly large XML file MSXML heap overflow attempt"; flow:to_client,established; file_data; http_header; content:"Content-Length|3A|"; pcre:"/^Content-Length\x3a\s*0*([1-9][0-9]{8}|[7-9][0-9]{8})/mi"; pkt_data; content:"<?xml ",depth 100,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-002; classtype:attempted-user; sid:25270; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER MSXML dynamic pointer casting arbitrary code execution attempt"; flow:to_client,established; file_data; content:"//doesnotexist[position|28 29| != 3]"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-002; classtype:attempted-user; sid:25275; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Cisco WebEx player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.wrf; file_data; content:"|FF 7F 25 00 88 03 8C 02 CC 7C 01 00 00 00 00 00 FD 7E 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-4004; classtype:attempted-user; sid:25341; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Csound hetro audio file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csd; file_data; content:"|81 C4 54 F2 FF FF|"; content:"|46 54 95 6E|"; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0270; classtype:attempted-user; sid:25607; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Csound hetro audio file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csd; file_data; content:"|81 C4 54 F2 FF FF|"; content:"|46 54 95 6E|"; metadata:policy balanced-ips alert,policy security-ips drop; service:smtp; reference:cve,2012-0270; classtype:attempted-user; sid:25608; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER ELF file parsing in different antivirus evasion attempt"; flow:to_server,established; file_data; content:"|7F|ELF",depth 4; content:"|4A 46 49 46|",within 4,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-1431; reference:url,securityfocus.com/archive/1/522005; classtype:bad-unknown; sid:25633; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft EMF+ GpFont.SetData buffer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; content:" EMF",within 4,distance 36; byte_jump:4,-40,relative,little; content:"F|00 00 00|,|00 00 00| |00 00 00|",within 12,distance -8; content:"F|00 00 00|",distance 0; content:"|08|@|00 06|",within 4,distance 12; byte_test:4,>,4261412864,28,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:attempted-user; sid:15430; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Director file file rcsL overflow attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"rcsL",nocase; byte_test:1,>,127,76,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-2867; classtype:attempted-user; sid:26027; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"rcsL"; isdataat:203,relative; content:"|FF F0 02 67|",within 4,distance 203; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,42682; reference:cve,2010-2873; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:26028; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|00 23 6F 98 00 00 00 00 00 00 00 62 00 00 00 01 00 0F FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-2873; classtype:attempted-user; sid:26029; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Known malicious jar archive download attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"ImAlpha$MyColorSpace.classPK"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,58238; reference:cve,2013-1493; classtype:attempted-admin; sid:26030; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER RealNetworks RealPlayer SWF frame handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|E5 05 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00 43 02 FF FF FF BF 00 39 00 00 00 01 00 70 F2|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,30370; reference:cve,2007-5400; classtype:attempted-user; sid:17633; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-OTHER Adobe Premiere Pro ibfs32.dll dll-load exploit attempt"; flow:to_server,established; http_uri; content:"ibfs32.dll",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3150; reference:url,osvdb.org/show/osvdb/67554; classtype:attempted-user; sid:18529; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Wireshark DECT packet dissector overflow attempt"; flow:to_client,established; file_data; content:"|D4 C3 B2 A1 02 00 04 00|",depth 8; byte_test:4,>,1499,36,little; content:"|FF FF FF FF FF FF 00 00 00 00 00 00 23 23|",depth 14,offset 40,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,47392; reference:cve,2011-1591; reference:url,osvdb.org/show/osvdb/71848; classtype:attempted-user; sid:20431; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER SafeNet SoftRemote multiple policy file local overflow attempt"; flow:to_client,established; file_data; content:"|5B|HKEY_LOCAL_MACHINE|5C|SOFTWARE|5C|IRE|5C|SafeNet|2F|Soft-PK|5C|ACL|5C|GROUPDEFS|5C|_SafeNet_Default_Group|5D|"; content:"|22|GROUPNAME|22 3D 22|",distance 0; isdataat:256,relative; content:!"|22|",within 256; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-3861; reference:url,osvdb.org/show/osvdb/59724; classtype:attempted-user; sid:16732; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt"; flow:to_client,established; file_data; content:"OrbitalFileV1.0|0D 0A|",nocase; pcre:"/^[^\x00]{512}/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,38436; reference:cve,2010-0688; classtype:attempted-user; sid:16721; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER VariCAD multiple products DWB file handling overflow attempt"; flow:to_client,established; file_data; content:"|34 87 01 00 00 00 00 00 25 5C 1F 85|",depth 12; pcre:"/^[^\x0a\x3d]{512}/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,38815; reference:url,osvdb.org/show/osvdb/63067; classtype:attempted-user; sid:16736; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - java-deployment-toolkit"; flow:to_client,established; http_header; content:"application/java-deployment-toolkit",nocase; file_data; pkt_data; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16550; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - npruntime-scriptable-plugin"; flow:to_client,established; http_header; content:"application/npruntime-scriptable-plugin|3B|deploymenttoolkit",nocase; file_data; pkt_data; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16549; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt"; flow:to_client,established; file_data; content:"[Setnet32]",fast_pattern,nocase; content:"ServerSize=",distance 0; byte_test:4,>,293,0,relative,dec,string; pcre:"/InformixServerList=([^\r\n\x3B]{,293}\x3B)*[^\r\n\x3B]{294}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16346; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt"; flow:to_client,established; file_data; content:"[Setnet32]",fast_pattern,nocase; content:"HostSize=",distance 0; byte_test:4,>,296,0,relative,dec,string; pcre:"/HostList=([^\r\n\x3B]{,296}\x3B)*[^\r\n\x3B]{297}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16345; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER FeedDemon unicode OPML file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C 00|o|00|p|00|m|00|l|00|",nocase; content:"|3C 00|o|00|u|00|t|00|l|00|i|00|n|00|e|00|",distance 0,nocase; pcre:"/[^\x3E]*?t\x00e\x00x\x00t\x00(\s\x00)*\x3D\x00(\s\x00)*(\x27\x00(?!(..){0,500}\x27\x00)|\x22\x00(?!(..){0,500}\x22\x00)|(?!(..){0,500}\s\x00))/isOR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33630; reference:cve,2009-0546; classtype:attempted-user; sid:17105; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER FeedDemon OPML file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|opml",nocase; content:"|3C|outline",distance 0,nocase; pcre:"/[^\x3E]*?text\s*\x3D\s*(\x27[^\x27]{500}|\x22[^\x22]{500}|\S{500})/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33630; reference:cve,2009-0546; classtype:attempted-user; sid:17104; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER UltraISO CCD file handling overflow attempt"; flow:to_client,established; file_data; content:"[CloneCD]",depth 9; content:"INDEX 1=",distance 0; isdataat:256,relative; content:!"|0A|",within 256; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-1260; reference:url,osvdb.org/show/osvdb/53275; classtype:attempted-user; sid:16733; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; file_data; content:"Photodex|28|R|29| ProShow|28|TM|29| Show File Version",depth 41; content:"cell[0].images[0].image=",distance 0; isdataat:512,relative; content:!"|0A|",within 512; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-3214; reference:url,osvdb.org/show/osvdb/57226; classtype:attempted-user; sid:16730; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER IDEAL Administration IPJ file handling stack overflow attempt"; flow:to_client,established; file_data; content:"|0D 0A|[Group,Export,Yes]|0D 0A|",depth 22; content:"Computer=",distance 0; pcre:"/^[^\s\x00]{512}/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-4265; reference:url,osvdb.org/show/osvdb/60681; classtype:attempted-user; sid:16727; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ClamAV antivirus CHM file handling DOS"; flow:to_client,established; file_data; content:"ITSF"; content:"|11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|",within 16,distance 36; content:"ITSP",distance 0; byte_test:4,<,8,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,30994; reference:cve,2008-1389; reference:url,sourceforge.net/project/shownotes.php?group_id=86638&release_id=623661; classtype:attempted-dos; sid:17602; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER CA multiple product AV engine CAB header parsing stack overflow attempt"; flow:to_client,established; file_data; content:"MSCF",depth 4; byte_test:2,=,1,24,relative,little; byte_jump:4,12,relative,post_offset -20,little; pcre:"/^.{16}[^\x00]{256}/sR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,24330; reference:cve,2007-2864; classtype:attempted-user; sid:16719; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ClamAV libclamav PE file handling integer overflow attempt"; flow:to_client,established; file_data; content:"|4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00|"; isdataat:288,relative; content:"|00 00 2E 70 65 74 69 74 65 00 00 D0 0D 00 00 30 FF FF A3 D1|",within 20,distance 288; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-0318; classtype:attempted-user; sid:17305; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; file_data; content:"ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpgAAAAAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-3214; reference:url,osvdb.org/show/osvdb/57226; classtype:attempted-user; sid:16731; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 47 3E 34 CB 58 A7 A2 F5 3F D0 B9 1B CA 20 05 7E 6D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,osvdb.org/show/osvdb/67984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:26648; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 43 FF F1 02 3B 02 D8 00 25 00 00 01 32 35 34 26 23 22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,osvdb.org/show/osvdb/67984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:26649; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_client,established; file_data; content:"|3F 5F 03 00|",depth 4; content:"TTLBTREE|00 5B 21 00 00 7C 56|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:27166; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_server,established; file_data; content:"|3F 5F 03 00|",depth 4; content:"TTLBTREE|00 2E 06 00 00 7C 62|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:27167; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_server,established; flowbits:isset,file.hlp; file_data; content:"TTLBTREE|00 5B 21 00 00 7C 56|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:27168; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Mac",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fMac\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19648; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Unix",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fUnix\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19647; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/DOS",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fDOS\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19646; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF file with embedded PDF object"; flow:to_client,established; file_data; content:"EmbeddedFile",nocase; content:"3C7064663E",distance 0,nocase; content:"3C2F7064663E",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18684; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj",nocase; content:"<<",within 4; content:"/Launch",within 100,fast_pattern; content:"/F"; pcre:"/\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:16523; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader util.printf buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"util.printf"; pcre:"/\x28\s*\x22\s*\x25([2-9][6-9][5-9]|[1-9][0-9]{3,})f/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-2992; classtype:attempted-user; sid:15014; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader embedded BMP colors used integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream",nocase; content:"BM",within 20; content:"|00 00 00 00|",within 4,distance 4; content:"|28 00 00 00|",within 4,distance 4; byte_test:4,>,0x1FFFFFFF,28,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-4373; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20921; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader JpxDecode invalid crgn memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"jp2c|FF 4F|"; content:"|FF 5E 00|",distance 0; pcre:"/\xff\x5e\x00(\x05[\x80-\xff]|\x06\x00[\x80-\xff]|\x06[^\x00])/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,37757; reference:cve,2009-3955; classtype:attempted-user; sid:18801; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 5B 6F E2 38 14 7E EF AF 88 B2 6F CB 0E E6 0E AD 0A 23 73 5B 68 9B 02 E5 DA BE 8C 4C E2 04 97 24 0E B1 D3 00 BF 7E ED 24 B4 94 99 DD 19 69 1F 56 5A 39 D2 07 E7 F6 1D 1F DB 71 9E 7C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:17214; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 49 73 E2 38 14 BE F7 AF 70 79 6E C3 34 62 87 A4 42 BA C4 36 90 C4 01 C2 9A 5C BA 84 2D 1B 07 DB 32 96 1C 03 BF 7E 24 2F 6C D3 3D 9D C3 54 4D 4D 95 5C F5 81 DE|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:17215; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader icc mluc interger overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"mluc|00 00 00 00|"; byte_test:4,>,357913941,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,43729; reference:cve,2010-3622; classtype:attempted-user; sid:18308; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader invalid PDF JavaScript extension call"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"printSeps"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-4091; reference:url,www.adobe.com/support/security/bulletins/apsb10-28.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-admin; sid:18102; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader PDF subroutine pointer attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|90 90 90 E8 00 00 00 00 5B 90 66 C7 03 EB FE|"; content:"RICN"; content:"AR07",within 6; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-5857; classtype:attempted-user; sid:21765; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader doc.export arbitrary file write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".export",nocase; pcre:"/\x2eexport(AsFDF|AsText|AsXFDF|DataObject|XFAData)\x28[^\x2c\x29]*\x2c[^\x2c\x29]*\x2c[^\x29]+\x2eexe/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2993; classtype:attempted-user; sid:16324; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible malicious pdf detection - qwe123"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:"qwe123",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:21583; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible malicious pdf - new pdf exploit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"NEW PDF EXPLOIT"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:21431; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible unknown malicious PDF"; flow:to_client, established; flowbits:isset, file.pdf; file_data; content:"%PDF-1."; content:"=new Array"; pcre:"/\d+?(.)\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0188; classtype:attempted-user; sid:21429; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:") /CreationDate (D:20110405234628)>>"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http, imap, pop3; classtype:trojan-activity; sid:21417; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe JPEG2k uninitialized QCC memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 12 E0 0F 12 12 E0 0F 12 12 FF|]|00 16|LL"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2994; classtype:attempted-user; sid:16325; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader U3D rgba parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0E 01 00 00 00 01 0E 01 00 01 00 00 00 FE 00 70 6F 63 2E 72 67 62 61|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0591; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18457; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|42 00 00 00 28 00 00 00 AB AA AA 0A 40 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20171; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 0B 00 00 12 0B 00 00 00 01 00 00 00 01 00 00 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20170; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0E 00 00 C4 0E 00 00 00 40 00 00 00 00 00 00 58 58 58 58 58|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20169; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 01 41 41 41 01 41 41 41 01|",within 10,distance 11; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2435; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20148; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 02 E0 80 CC CC 58 58 58 58|",within 10,distance 13; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2434; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20147; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 02 10 80 CC CC 58 58 58 58|",within 10,distance 13; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2433; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20145; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader ICC ProfileDescriptionTag overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|CE 00 07 00 09 00 12 00 04 00 33 64 65 73 63 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2097; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19255; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader malformed U3D texture continuation integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C FF FF FF 0C 00 00 00 00 00 00 00 08 00 54 65 78 74 75|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2096; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19248; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|63 2F 55 46 28 70 6F 63 2E 73 77 66 29 3E 3E 0D|"; content:"|3C 2F 43 68 65 63 6B 53 75 6D 3C 31 36 43 44 45 32 43 39 44 38 41 44 37 37 30 35 46 41 32 31 36 46 31 33 34 46 41 46 37 38 35 30 3E 2F 43 72 65|",within 48,distance 112; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19082; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader malformed TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"jNLjwFWnTvuP9HG9OL+q916q915//n</image"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:18585; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|B3 2E 86 F7 BA C8 F4 4A 2B C7 AB 99 E8 6B 72 99 39 40 C7 59 B1 2E C9 D1 AE 0C 6E 39 A8 E5 DC 60|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:17472; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|55 1E 42 91 74 A1 4A FA 21 C7 DB 53 14 DE DE 9E A4 6A CD ED 29 C7 4E DE 9E BC ED 49 B3 35 11 D6|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:17471; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF BitDefender Antivirus PDF processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|25 50 44 46 2D 31 2E 33 0A 25 E2 E3 CF D3 0A 33|",depth 16; content:"|3C 3C 2F 46 69 6C 74 65 72 20 5B 2F 46 6C 61 74 65 44 65 63 6F 64 65 20 2F 41 53 43 49 49 48 65 78 44 65 63 6F 64 65 5D|",within 40,distance 8; content:"|78 9C ED C2 31 0D 00 00 00 02 A0 4C 6E F6 CF 66 0D 0F 06 4D 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 30 4B 03 6A 32|",within 45,distance 22; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,32396; reference:cve,2008-5409; classtype:attempted-user; sid:17430; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader malformed TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|EB|/|ED|Z|B9|qX|F4 D8|C|F5|a|BF|+|0D 8C D2 F3 DD|*|EE 09|W|B1 B3 9B|P|EB AD D1 B3 07 A0|4|D8|m|7C 7F EB B5 EF|j|E8 F5|m[+t|8F 7C BC|f|BB 86|ql|F7 C0 C3 E8|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:16490; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Foxit Reader createDataObject file write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"createDataObject",nocase; pcre:"/^\s*\x5C?\x28\s*[\x22\x27][a-z]\x3A[\x2F\x5C]/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,osvdb.org/show/osvdb/71104; reference:url,scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html; classtype:attempted-user; sid:21254; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader javascript submitform memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"submitForm"; pcre:"/submitForm\s*\x28[^\x3b]+cURL\s*\x3a\s*[\x22\x27]\s*url\s*\x3a\s*(?!https?)[^\x27\x22\x23]*?\x23/ims"; isdataat:50; content:!"bGet",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-4371; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20998; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D CLODMeshDeceleration code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"U3D|00|"; content:"|31 FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,>,200,12,relative,little; content:"|3C FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,<,200,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3953; classtype:attempted-user; sid:20429; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader oversized object width attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/width",nocase; byte_test:7,>,1000000,1,relative,string; content:"/DCTDecode",distance 0,nocase; pcre:"/\x2fwidth[^\x3e]+\x2fDCTDecode/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2980; classtype:attempted-user; sid:16322; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D CLODMeshContinuation code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"U3D|00|"; content:"1|FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,<,16777216,12,relative,little; content:"<|FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,>,16777215,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,36665; reference:cve,2009-2990; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; classtype:attempted-user; sid:16373; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader File containing Flash use-after-free attack attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F 46 69 6C 74 65 72 2F 46 6C 61 74 65 44 65 63 6F 64 65 2F 46 69 72 73 74 20 39 39 2F 4C 65 6E 67 74 68 20 35 31 31 2F 4E 20 31 35 2F 54 79 70 65 2F 4F 62 6A 53 74 6D 3E 3E 73 74 72 65 61 6D 0D 0A 68 DE 6C 52 DB 6E E2 30|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1297; classtype:attempted-user; sid:16633; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader sandbox disable attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|B6 84 05 8D 81 80 08 FF E3 A1 87 05 EA 88 A8 83 05 DE 8B B6 04 EA 80 80 08 D6 8B B6 04 99 D0 81 D0 06 EA 80 08 EA 80 A8 03 81 8A B6 04 D0 80 80|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-1353; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20162; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader javascript in PDF go-to actions exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S /GoToR"; content:"/F |28|javascript:",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2101; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19254; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader shell metacharacter code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"begin|20|",depth 6; pcre:"/^begin\s\d+\s[^\s\r\n\t]*\x60/sm"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,10931; reference:cve,2004-0630; classtype:attempted-user; sid:18527; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader JPX malformed code-block width attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|6A 50 20 20|"; content:"|FF 4F FF 51|",distance 0; byte_jump:2,36,relative,multiplier 3,big; content:"|FF 52 00 0C|",within 4; byte_test:1,>,16,5,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,35274; reference:bugtraq,35289; reference:cve,2009-1859; reference:url,www.adobe.com/support/security/bulletins/apsb09-07.html; classtype:attempted-user; sid:15562; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S/JavaScript"; content:"this.media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:16333; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe JPEG2k uninitialized QCC memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 12 E0 0F 12 12 E0 0F 12 12 FF|]|00 16|LL"; content:"setTimeout|28 22|doSpray|28 29 22|,2500|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2995; classtype:attempted-user; sid:16323; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe collab.removeStateModel denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C|x00|5C|x00|5C|x00|5C|x00",nocase; content:"Collab.removeStateModel",nocase; pcre:"/var\s*(\w+)\s*\x3D\s*\x22\x5Cx00\x5Cx00\x5Cx00\x5Cx00.*\x22.*Collab\x2EremoveStateModel\s*\x28\s*\1.*\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2988; classtype:attempted-user; sid:16175; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe collab.addStateModel remote corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Collab.addStateModel",nocase; content:"cname",nocase; content:"00",within 15,distance 2,nocase; pcre:"/Collab\x2EaddStateModel\s*\x28\s*\x7B.*cName\s*\x3A\s*\x22(\x22|\x5Cx00)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2996; classtype:attempted-user; sid:16176; rev:9; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader CoolType.dll remote memory corruption denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 9C C5 97 4D 4B C4 30 10 86 EF 85 FE 87 39 26 87 CD 26 33|"; content:"|AC 6D EE D5 DD 46 CF 88 D4 87 76 9D 7A D7 B3 A0 40 63 A7 6E F4 2C AA 27 8D A4 5E 35 59 B5 9B E3|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,41130; reference:cve,2010-2204; classtype:attempted-dos; sid:16801; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible Adobe Reader ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"ByteArray",nocase; content:"|04 0C 0C 0C 0C|",within 100; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15728; rev:11; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader BMP color unused corruption"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|6D 70 29 3E 3E 0A 65 6E 64 6F 62 6A 0A 32 30 20 30 20 6F 62 6A 0A 3C 3C 2F 53 75 62 74 79 70 65 2F 69 6D 61 67 65 23 32 66 62 6D 70 3E 3E 73 74 72 65 61 6D 0A 42 4D 80 07 00 00 00 00 00 00 76 00 00 00 28 00 00 00 01 00 00 00 01 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-4372; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20919; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Adobe Reader U3D file include overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"CDF1048AB8979121691236CBF4378433"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2094; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19250; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Adobe Reader U3D RHAdobeMeta Buffer Overflow"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F|Subtype|2F|U3D|2F|Length",nocase; content:"|48 89 EC 55 7B 4C 53 69 16 BF 3C 2C F4 21 A0 C2|"; content:"|95 96 0B 5C 0A 22 BD 76 78 8A D8 5A 40 1E 22 2D|",within 16; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,35282; reference:cve,2009-1855; classtype:attempted-user; sid:17526; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|01|pmaxp|02 ED 0A 7B 00 00|p|0E 00 00 00 20|name|EA 2E F3 EE 00 00|p.|00 00 04|aposts|F1|o|84 00 00|t|8F 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,44203; reference:cve,2010-2862; classtype:attempted-user; sid:17288; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat XML entity escape attempt"; flow:to_client,established; file_data; content:"<|21|ENTITY",nocase; content:"SYSTEM",within 50,nocase; content:"http|3A 2F 2F|",within 50,nocase; content:"http|3A 2F 2F|",within 500,nocase; pcre:"/<\x21ENTITY[^>]+SYSTEM[^>]+http\x3A\x2F\x2F[^>\s]+http\x3A\x2F\x2F/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0604; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18456; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader malicious language.engtesselate.ln file download attempt"; flow:to_client,established; flowbits:isset,file.engtesselate; file_data; content:"2="; isdataat:255,relative; content:!"|0A|",within 255; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2095; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19253; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D progressive mesh continuation pointer overwrite attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<|FF FF FF C5 00 00 00 00 00 00 00 05 00|Box01|00 00 00 00 00 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01|k|01 00 00|k|01 00 00 D5 02 00 00 BF 85|]K|00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2998; classtype:attempted-user; sid:16173; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D progressive mesh continuation off by one index attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<|FF FF FF C5 00 00 00 00 00 00 00 05 00|Box01|00 00 00 00 00 00 00 00 08 00 00 00|ABCD"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-3458; classtype:attempted-user; sid:16174; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D line set heap corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"7|FF FF FF|h|00 00 00 00 00 00 00 06 00|Box_92|00 00 00 00 00 00 00 00 04 05 00 00| |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-2997; classtype:attempted-user; sid:16172; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; file_data; content:"|35 3E 5D 0A 3E 3E 0A 73 74 61 72 74 78 72 65 66 0A 32 34 36 31 32 35 0A 25 25 45 4F 46 0A 0D 0A 25 53 49 47 4E 41 54 55 52 45 3A 20 E2 DA 47 7E AC 80 D7 7E AB 80|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:17233; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader and Acrobat authplay.dll vulnerability exploit attempt"; flow:to_client,established; file_data; content:"|43 57 53 09 A2 D2 00 00 78 9C EC BD 79 7C 54 C5 D2 37 DE 7D|"; isdataat:316,relative; content:"|CF E7 77 BC EB 19 53 BF 99 F7 7C FB B8 D4 4B FA 7C EE E7 AC C7 83 AD 58 D8 F3 35 8B A5 1E B4 67 4D EA 3F EE 9E 3F 79 C9 AB ED 63 B6 F4 58 7A 57|",within 48,distance 316; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:16664; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader shell metacharacter code execution attempt"; flow:to_server,established; flowbits:isset,smtp.contenttype.attachment; content:"begin|20|"; pcre:"/^begin\s\d+\s[^\s\r\n\t]*\x60/sm"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,10931; reference:cve,2004-0630; classtype:attempted-user; sid:18526; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader/Acrobat Pro CFF font parsing heap overflow attempt"; flow:to_client,established; file_data; content:"6SC.Pseudo.Font.1|00 00 01 01 87|T|01 01 FF|T|00|V|02 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1241; classtype:attempted-user; sid:16546; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible malicious PDF detection - qweqwe="; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"><qwe qweqwe="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:22941; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate (D:20100829161936"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:23043; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate (D:20120421195855"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:23044; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown malicious PDF - Title"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Title (0aktEPbG1LcQ9f6d8l32m7gI5eY4)>>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:23045; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown Malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Creator(sli)/ModDate(D:20080817171147-07|27|00|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:23140; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe flash player newfunction memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:" (lolol|5C|056swf)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1297; classtype:attempted-user; sid:23263; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|B3 2E 86 F7 BA C8 F4 4A 2B C7 AB 99 E8 6B 72 99 39 40 C7 59 B1 2E C9 D1 AE 0C 6E 39 A8 E5 DC 60|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:23502; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|55 1E 42 91 74 A1 4A FA 21 C7 DB 53 14 DE DE 9E A4 6A CD ED 29 C7 4E DE 9E BC ED 49 B3 35 11 D6|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:23503; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/S/JavaScript"; content:"this.media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:23506; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|01|pmaxp|02 ED 0A 7B 00 00|p|0E 00 00 00 20|name|EA 2E F3 EE 00 00|p.|00 00 04|aposts|F1|o|84 00 00|t|8F 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,44203; reference:cve,2010-2862; classtype:attempted-user; sid:23507; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader File containing Flash use-after-free attack attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F 46 69 6C 74 65 72 2F 46 6C 61 74 65 44 65 63 6F 64 65 2F 46 69 72 73 74 20 39 39 2F 4C 65 6E 67 74 68 20 35 31 31 2F 4E 20 31 35 2F 54 79 70 65 2F 4F 62 6A 53 74 6D 3E 3E 73 74 72 65 61 6D 0D 0A 68 DE 6C 52 DB 6E E2 30|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-1297; classtype:attempted-user; sid:23510; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader and Acrobat authplay.dll vulnerability exploit attempt"; flow:to_server,established; file_data; content:"|43 57 53 09 A2 D2 00 00 78 9C EC BD 79 7C 54 C5 D2 37 DE 7D|"; isdataat:316,relative; content:"|CF E7 77 BC EB 19 53 BF 99 F7 7C FB B8 D4 4B FA 7C EE E7 AC C7 83 AD 58 D8 F3 35 8B A5 1E B4 67 4D EA 3F EE 9E 3F 79 C9 AB ED 63 B6 F4 58 7A 57|",within 48,distance 316; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:23511; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe flash player newfunction memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:" (lolol|5C|056swf)"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-1297; classtype:attempted-user; sid:23512; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Mac",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fMac\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23513; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Unix",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fUnix\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23514; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/DOS",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fDOS\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23515; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj",nocase; content:"<<",within 4; content:"/Launch",within 100,fast_pattern; content:"/F"; pcre:"/\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23516; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 5B 6F E2 38 14 7E EF AF 88 B2 6F CB 0E E6 0E AD 0A 23 73 5B 68 9B 02 E5 DA BE 8C 4C E2 04 97 24 0E B1 D3 00 BF 7E ED 24 B4 94 99 DD 19 69 1F 56 5A 39 D2 07 E7 F6 1D 1F DB 71 9E 7C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:23517; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 49 73 E2 38 14 BE F7 AF 70 79 6E C3 34 62 87 A4 42 BA C4 36 90 C4 01 C2 9A 5C BA 84 2D 1B 07 DB 32 96 1C 03 BF 7E 24 2F 6C D3 3D 9D C3 54 4D 4D 95 5C F5 81 DE|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:23518; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Possible unknown malicious PDF"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:"new Array"; pcre:"/\d+?(.)\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+/"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0188; classtype:attempted-user; sid:23521; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader malformed TIFF remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"jNLjwFWnTvuP9HG9OL+q916q915//n</image"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:23523; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader malformed TIFF remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|EB|/|ED|Z|B9|qX|F4 D8|C|F5|a|BF|+|0D 8C D2 F3 DD|*|EE 09|W|B1 B3 9B|P|EB AD D1 B3 07 A0|4|D8|m|7C 7F EB B5 EF|j|E8 F5|m[+t|8F 7C BC|f|BB 86|ql|F7 C0 C3 E8|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:23524; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<template xmlns="; content:"http|3A|//www.xfa.org/",distance 1; content:"<event activity",distance 0; content:"initialize",within 50,distance 1; content:"application/x-javascript",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-1525; reference:url,prosauce.org/blog/2010/08/analyzing-cve-2010-0188-exploits-the-legend-of-pat-casey-part-1/; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; reference:url,www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation; reference:url,www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/; classtype:trojan-activity; sid:23611; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<template xmlns="; content:"http|3A|//www.xfa.org/",distance 1; content:"<event activity",distance 0; content:"initialize",within 50,distance 1; content:"application/x-javascript",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1525; reference:cve,2012-1530; reference:url,prosauce.org/blog/2010/08/analyzing-cve-2010-0188-exploits-the-legend-of-pat-casey-part-1/; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; reference:url,www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation; reference:url,www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/; classtype:trojan-activity; sid:23612; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Blackhole exploit kit related malicious file detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.",depth 7; content:"<</Creator(",distance 0,nocase; pcre:"/<<\x2fCreator\x28\d{2,3}(.)\d{2,3}\1\d{2,3}\1\d{2,3}\1/smi"; content:")/ModDate",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:23851; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Blackhole exploit kit related malicious file detection"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.",depth 7; content:"<</Creator(",distance 0,nocase; pcre:"/<<\x2fCreator\x28\d{2,3}(.)\d{2,3}\1\d{2,3}\1\d{2,3}\1/smi"; content:")/ModDate",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:23852; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader invalid inline image attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|30 34 9C 17 0E D6 9C 3D 64 EC E2 A4 D2 E0 7F EA FC DA 2E 70 CF D7 15 4E AC D7 11 7D 2F 94 6B 8E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4151; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23868; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader invalid inline image attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|30 34 9C 17 0E D6 9C 3D 64 EC E2 A4 D2 E0 7F EA FC DA 2E 70 CF D7 15 4E AC D7 11 7D 2F 94 6B 8E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4151; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23869; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader postscript font execution malformed subroutine entries attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|1D CD 77 ED B6 D2 C2 E2 FD 7A C5 C0 EE FE AC A0 11 ED 3B 6A 90 84 3B CA A8 49 3E E9 9E 59 63 1E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4152; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23874; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader postscript font execution malformed subroutine entries attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|1D CD 77 ED B6 D2 C2 E2 FD 7A C5 C0 EE FE AC A0 11 ED 3B 6A 90 84 3B CA A8 49 3E E9 9E 59 63 1E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4152; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23875; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader Texture Declaration buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A|U3D"; content:"|14 FF FF FF|"; content:"|55 FF FF FF|",distance 0; byte_jump:2,8,relative,little,post_offset 9; byte_test:4,>=,0x1,0,relative,little; content:"|00 0E 01 00|",within 4,distance 4; byte_test:2,>,0x260,4,relative,little; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2049; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:23879; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader Texture Declaration buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream|0A|U3D"; content:"|14 FF FF FF|"; content:"|55 FF FF FF|",distance 0; byte_jump:2,8,relative,little,post_offset 9; byte_test:4,>=,0x1,0,relative,little; content:"|00 0E 01 00|",within 4,distance 4; byte_test:2,>,0x260,4,relative,little; metadata:policy balanced-ips alert,policy security-ips drop; service:smtp; reference:cve,2012-2049; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:23880; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Type /Annot|0A|",nocase; content:"/Subtype/RichMedia",distance 0,nocase; content:"getAnnotsRichMedia|28|"; pcre:"/var (?P<var>\w+)\s*=\s*getAnnotsRichMedia\x28.*?(?P=var)\.(pop|shift).*?>> endobj/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4147; classtype:attempted-dos; sid:23881; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Type /Annot|0A|",nocase; content:"/Subtype/RichMedia",distance 0,nocase; content:"getAnnotsRichMedia|28|"; pcre:"/var (?P<var>\w+)\s*=\s*getAnnotsRichMedia\x28.*?(?P=var)\.(pop|shift).*?>> endobj/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4147; classtype:attempted-dos; sid:23882; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Type/PROJCS",fast_pattern; content:"/WKT|28|",within 15; isdataat:1024,relative; content:!">",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23889; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Type/GEOGCS",fast_pattern; content:"/WKT|28|",within 15; isdataat:1024,relative; content:!">",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23890; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<</Type/PROJCS",fast_pattern; content:"/WKT|28|",within 15; isdataat:1024,relative; content:!">",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23891; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<</Type/GEOGCS",fast_pattern; content:"/WKT|28|",within 15; isdataat:1024,relative; content:!">",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23892; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-PDF CUPS and Xpdf JBIG2 symbol dictionary buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"JBIG2Decode"; content:"|03 FF FD FF 02 FE FE FE 00 00 00 36 FF FF FF F0 94 6B 62 1B|",within 1000; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-0195; reference:url,www.cups.org/str.php?L3129; classtype:attempted-user; sid:17641; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat Reader malicious charstring stream attempt"; flow:to_client,established; file_data; content:"|F7 0F 8E 10 DF 11 F0 13 0F 14 58 15 4D 16 7E 17 A6 19 15 1A 8C 1B 8E 1C E4 1E 2B 1F 13 20 26 22 04 24 1B 25 53 25 B3 26 A4 27 F8 28 D4 29 E0 2A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4159; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24148; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat Reader malicious charstring stream attempt"; flow:to_server,established; file_data; content:"|F7 0F 8E 10 DF 11 F0 13 0F 14 58 15 4D 16 7E 17 A6 19 15 1A 8C 1B 8E 1C E4 1E 2B 1F 13 20 26 22 04 24 1B 25 53 25 B3 26 A4 27 F8 28 D4 29 E0 2A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4159; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24149; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader embedded TTF bytecode memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2C 23 4B 54 58 20 20 60 B0 01 60 25 8A 38 1B 23 21 59 B8 FF FF 62 2D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,55015; reference:cve,2012-4154; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24152; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader embedded TTF bytecode memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|2C 23 4B 54 58 20 20 60 B0 01 60 25 8A 38 1B 23 21 59 B8 FF FF 62 2D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,55015; reference:cve,2012-4154; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24153; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Overly large CreationDate within a pdf - likely malicious"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate("; isdataat:500,relative; content:")>>",distance 0; pcre:"/\/CreationDate\x28[^\x3c\x29]{500}/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:misc-activity; sid:24263; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Overly large CreationDate within a pdf - likely malicious"; flow:to_server,established; flowbits:isset,file.pdf; content:"/CreationDate("; isdataat:500,relative; content:")>>",distance 0; pcre:"/CreationDate\x28[^\x3c\x29]{500}/"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; classtype:misc-activity; sid:24264; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.",nocase; content:"|49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24|",within 200; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24625; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.",nocase; content:"|49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24|",within 200; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24626; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Filter",nocase; content:"/Standard",within 15,fast_pattern,nocase; content:"/Length",within 15,nocase; byte_test:10,>,256,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24763; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<</Filter",nocase; content:"/Standard",within 15,fast_pattern,nocase; content:"/Length",within 15,nocase; byte_test:10,>,256,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24764; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF OpenType parsing buffer overflow attempt"; flow:to_client, established; flowbits:isset,file.pdf; file_data; content:"/Type /Font|0A|/Subtype /TrueType|0A|"; content:"ttcf",distance 0; byte_test:4,>,0x40000000,4,relative; metadata:policy balanced-ips drop; service:http, imap, pop3; reference:cve,2013-0604; classtype:attempted-user; sid:25461; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF OpenType parsing buffer overflow attempt"; flow:to_server, established; flowbits:isset,file.pdf; file_data; content:"/Type /Font|0A|/Subtype /TrueType|0A|"; content:"ttcf",distance 0; byte_test:4,>,0x40000000,4,relative; metadata:policy balanced-ips drop; service:smtp; reference:cve,2013-0604; classtype:attempted-user; sid:25463; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0A 73 74 72 65 61 6D 0D 0A 78 9C BD 57 4D 6F DB 48 0C BD 2F B0 FF 81 C7 EC 49 F3 FD 01 14 05 D2|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0626; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:denial-of-service; sid:25467; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|0A 73 74 72 65 61 6D 0D 0A 78 9C BD 57 4D 6F DB 48 0C BD 2F B0 FF 81 C7 EC 49 F3 FD 01 14 05 D2|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0626; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:denial-of-service; sid:25469; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<template xmlns="; content:"http|3A|//www.xfa.org/",distance 1; content:"<event activity",distance 0; content:"initialize",within 50,distance 1; content:"application/x-javascript",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-1525; reference:cve,2012-1530; reference:url,prosauce.org/blog/2010/08/analyzing-cve-2010-0188-exploits-the-legend-of-pat-casey-part-1/; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; reference:url,www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation; reference:url,www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/; classtype:trojan-activity; sid:25475; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader JPX malformed code-block width attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|6A 50 20 20|"; content:"|FF 4F FF 51|",distance 0; byte_jump:2,36,relative,multiplier 3,big; content:"|FF 52 00 0C|",within 4; byte_test:1,>,16,5,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,35274; reference:bugtraq,35289; reference:cve,2009-1859; reference:url,www.adobe.com/support/security/bulletins/apsb09-07.html; classtype:attempted-user; sid:25767; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader known malicious variable exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction "; content:"/JS ",within 100; content:"ROP_ADD_ESP_4 = "; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,osvdb.org/show/osvdb/90169; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:25818; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader known malicious variable exploit attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction "; content:"/JS ",within 100; content:"|5C|n",within 10; content:"|3B 5C|n",within 30,fast_pattern; content:"|5C|n",within 50; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,osvdb.org/show/osvdb/90169; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:25819; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader XML Java used in app.setTimeOut"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.setTimeOut"; content:"|2F|JavaScript"; content:"|2F|XFA"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,57931; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:26021; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF file with embedded PDF object"; flow:to_server,established; file_data; content:"EmbeddedFile",nocase; content:"3C7064663E",distance 0,nocase; content:"3C2F7064663E",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:26079; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|63 2F 55 46 28 70 6F 63 2E 73 77 66 29 3E 3E 0D|"; content:"|3C 2F 43 68 65 63 6B 53 75 6D 3C 31 36 43 44 45 32 43 39 44 38 41 44 37 37 30 35 46 41 32 31 36 46 31 33 34 46 41 46 37 38 35 30 3E 2F 43 72 65|",within 48,distance 112; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26113; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF version 1.1 with FlateDecode embedded - seen in exploit kits"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.1"; content:"/FlateDecode",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26231; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader javascript regex embedded sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)",fast_pattern; content:"RegEx",within 100,distance -100; pcre:"/^p?\s*\x5c\([^\x3b]*?\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)/Rims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-2550; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26650; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; file_data; content:"|C6 1D 00 E0 F7 FE 14 37 BD 08 6C 38 FA 1B 3B 69 62 2B 81 EB A6 5D 86 0D 68 96 74 2F 86 01 05 2D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26651; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF Adobe Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; file_data; content:"|C6 1D 00 E0 F7 FE 14 37 BD 08 6C 38 FA 1B 3B 69 62 2B 81 EB A6 5D 86 0D 68 96 74 2F 86 01 05 2D|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26652; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj",nocase; content:"<<",within 4; content:"/La",within 100,nocase; content:"/F"; pcre:"/\/La(.)*?\s*?\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:26661; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj",nocase; content:"<<",within 4; content:"/La",within 100,nocase; content:"/F"; pcre:"/\/La(.)*?\s*?\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:26662; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader dll injection sandbox escape"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 00 68 3F 00 0F 00 6A 00 6A 00 6A 00 68 6F 05 00 00 68 01 00 00 80 89 54 24 40 FF 54 24 4C 83 EC 0C 68 E0 01 00 00 8D 44 24 68 50 6A 00 6A 00 68 A9 05 00 00 FF B4 24 78 10 00 00 FF 54 24 50 68 C5 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-2730; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26694; rev:2; )
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner Windows 7/Server 2008R2"; flow:established; content:"Microsoft Windows",depth 18; content:"Copyright |28|c|29| 2009",distance 0; content:"Microsoft Corporation",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; reference:nessus,11633; classtype:successful-admin; sid:18756; rev:4; )
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner Windows Vista"; flow:established; content:"Microsoft Windows",depth 18; content:"Copyright |28|c|29| 2006",distance 0; content:"Microsoft Corporation",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; reference:nessus,11633; classtype:successful-admin; sid:18757; rev:3; )
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows",depth 18; content:"|28|C|29| Copyright 1985-",distance 0; content:"Microsoft Corp.",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; classtype:successful-user; sid:2412; rev:8; )
-alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE hex-encoded create_function detected"; flow:to_client,established; file_data; content:"|5C|x63|5C|x72|5C|x65|5C|x61|5C|x74|5C|x65|5C|x5f|5C|x66|5C|x75|5C|x6e|5C|x63|5C|x74|5C|x69|5C|x6f|5C|x6e"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:22098; rev:1; )
-alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Win32.Virut web propagation detection"; flow:to_client,established; file_data; content:"<iframe"; content:".pl/rc/",distance 0,fast_pattern; pcre:"/\x3ciframe[^\x3e]*?src\x3d\x22http\x3a\x2f\x2f[^\x26\x2e]+\x26\x2346\x3b[^\x2e]+\x2epl\x2frc\x2f\x22/"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips alert,service http; reference:url,securelist.com/en/analysis/204792122/; classtype:trojan-activity; sid:22940; rev:1; )
-alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Loaderz Web Shell"; flow:to_client,established; content:"/* Loader|27|z WEB Shell v"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23829; rev:1; )
-alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Alsa3ek Web Shell"; flow:to_client,established; content:"<?php /* Cod3d by Mr.Alsa3ek and Al-Swisre"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23830; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Wordpress Request for html file in fgallery directory"; flow:to_server,established; http_uri; content:"wp-content/uploads/fgallery"; pcre:"/wp-content\/uploads\/fgallery\/.+\x2ehtml?(\?|$)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:web-application-attack; sid:23171; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Wordpress Request for php file in fgallery directory"; flow:to_server,established; http_uri; content:"wp-content/uploads/fgallery"; pcre:"/wp-content\/uploads\/fgallery\/.+\x2ephp(\?|$)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:web-application-attack; sid:21941; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE base64-encoded c99shell download"; flow:to_client,established; file_data; content:"KioNCioNCioJCQkJCWM5OXNoZWxsLnBocCB2"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:trojan-activity; sid:23016; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell"; flow:to_client, established; file_data; content:"WSO"; content:"toolsTbl"; content:"toolsInp"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21117; rev:2; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell security information display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'SecInfo'"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21118; rev:2; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell interactive file system information display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'FilesMan'"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21119; rev:2; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell interactive console display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'Console'"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21120; rev:2; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell interactive SQL display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'Sql'"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21121; rev:2; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell"; flow:to_client,established; file_data; content:"<title>MulCiShell"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21129; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell enumeration page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Enumerated shell link:"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21130; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell domain lookup page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Enter any Domain-name to lookup"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21131; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell sql interaction page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Host:"; content:"Username:",distance 0; content:"Password:",distance 0; content:"Port:",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21132; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell encoder page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Encrypt"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21133; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell security information page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"PHP Version"; content:"Safe mode",distance 0; content:"Magic_Quotes",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21134; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell password cracking page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Password crackers"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21135; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell security bypass page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Security (open_basedir) bypassers"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21136; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell tools page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Port scanner"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21137; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell database parsing page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Database parser"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21138; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell spread shell page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"[ Kill Shell ]"; content:"This tool will attempt to copy the shell into every writable director",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21139; rev:3; )
-alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell kill shell page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Do you *really* want to kill the shell?"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21140; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Java user-agent request to svchost.jpg"; flow:to_server,established; http_uri; content:"/svchost.jpg"; http_header; content:"Java/1."; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1493; classtype:trojan-activity; sid:26025; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE BeEF javascript hook.js download attempt"; flow:to_client,established; file_data; content:"beef.onpopstate.push(function(event)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:23107; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt"; flow:to_client,established; http_header; content:"/index.php?"; pcre:"/^Location:\s*?https?\x3a\x2f{2}[0-9a-f]{16}[^/]+?\/index.php\?[a-z]=[^&\r\n]{100}/im"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26528; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirected URI attempt"; flow:to_server,established; http_uri; bufferlen:>150; content:"/index.php?"; http_header; content:"Host:",nocase; pcre:"/^Host:\s*?[a-f0-9]{16}\./im"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26530; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established; file_data; content:"<iframe"; content:"config.inc.php",within 100; content:"</iframe>",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; http_header; content:"User-Agent|3A| SEX|2F|1"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Dadongs obfuscated javascript"; flow:to_client,established; file_data; content:"(|22|dadongs=|22|)"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:misc-activity; sid:21519; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation"; flow:established,to_server; http_method; content:"POST"; http_uri; content:"CHAR(",nocase; pcre:"/[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13989; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|from|22|+|22|CharCod|22|+|22|e|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21580; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharCod|22|+|22|e|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21579; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|eva|22|+|22|l|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21578; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - charcode"; flow:to_client,established; file_data; content:"|22|c|22|+|22|h|22|+|22|ar|22|+|22|Code|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21577; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known JavaScript obfuscation routine"; flow:to_client,established; content:"String.fromCharCode|28|parseInt"; content:"String.fromCharCode|28|",within 1000; content:".charCodeAt|28|",within 100; content:".replace",within 100; pcre:"/\.replace\x28\x2F[^\x2F]+\x2F[A-Z]*\x2C(\x22\x22|\x27\x27)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:17111; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"e|00|v|00|a|00|l|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:22071; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"f|00|r|00|o|00|m|00|C|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:22072; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:22073; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"c|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:22074; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - join"; flow:to_client,established; file_data; content:"b|3D 22|j|22 2B 22|o|22 2B 27|i|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:bad-unknown; sid:23085; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - push"; flow:to_client,established; file_data; content:"a|3D 27|pus|27 2B 27|h|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:bad-unknown; sid:23086; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - xval"; flow:to_client,established; file_data; content:"q|3D|x|2B 27|v|27 2B 27|al|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:bad-unknown; sid:23087; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - qweqwe"; flow:to_client,established; file_data; content:"<qwe qweqwe=|27|asd|27|/>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:bad-unknown; sid:23088; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript strings - obfuscation pattern"; flow:to_client,established; file_data; content:"|3A|present>"; content:"|3A|interactive>1</",distance 0; pcre:"/\x3c(?P<string>\w+)\x3apresent.*?\x3c(?P=string)\x3ainteractive.*?\x3c\x2f(?P=string)\x3ainteractive/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:bad-unknown; sid:23089; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious"; flow:to_client,established; file_data; content:"eval|28|",nocase; content:"gzinflate|28|",within 25,nocase; content:"base64_decode|28|",within 25,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:url,labs.snort.org/docs/23113.txt; reference:url,vrt-blog.snort.org/2012/06/web-shell-poses-as-gif.html; classtype:misc-activity; sid:23113; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious"; flow:to_client,established; file_data; content:"GIF89a",depth 6,nocase; content:"<?php",within 100,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:url,labs.snort.org/docs/23114.txt; reference:url,vrt-blog.snort.org/2012/06/web-shell-poses-as-gif.html; classtype:misc-activity; sid:23114; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharC|22|+|22|ode|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:23160; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|e|22|+|22|val|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:23161; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript error suppression routine"; flow:to_client,established; file_data; content:"window.onerror = function|20 28 29 20 7B|return true"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:misc-activity; sid:23226; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; content:"|7C|fromCharCode|7C|",nocase; content:"|7C|charCodeAt|7C|",distance 0,nocase; content:"|7C|eval|7C|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; reference:url,labs.snort.org/docs/23636.txt; classtype:trojan-activity; sid:23636; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded uri data object found"; flow:to_client,established; file_data; content:"base64"; pcre:"/<\s*object[^>]*?data\s*\x3A[^,>]*?base64/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,tools.ietf.org/html/rfc2397; classtype:policy-violation; sid:17291; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded waitfor delay function in POST - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"%77%61%69%74%66%6f%72%20%64%65%6c%61%79"; metadata:policy balanced-ips alert,policy security-ips drop,service http; classtype:misc-attack; sid:21780; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded union select function in POST - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"%55%4e%49%4f%4e%20%53%45%4c%45%43%54"; metadata:policy balanced-ips alert,policy security-ips drop,service http; classtype:misc-attack; sid:21781; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting"; flow:to_server,established; http_client_body; content:"%3C%73%63%72%69%70%74%3E"; metadata:policy balanced-ips alert,policy security-ips alert,service http; classtype:web-application-attack; sid:21783; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting"; flow:to_server,established; http_client_body; content:"|26 23|x3c|3B 26 23|x73|3B 26 23|x63|3B 26 23|x72|3B 26 23|x69|3B 26 23|x70|3B 26 23|x74|3B 26 23|x3e|3B|"; metadata:policy balanced-ips alert,policy security-ips drop,service http; classtype:web-application-attack; sid:21784; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection"; flow:to_server,established; http_client_body; content:"%65%73%63%61%70%65%28"; metadata:policy balanced-ips alert,policy security-ips alert,service http; classtype:web-application-attack; sid:21786; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection"; flow:to_server,established; http_client_body; content:"|26 23|x65|3B 26 23|x73|3B 26 23|x63|3B 26 23|x61|3B 26 23|x70|3B 26 23|x65|3B 26 23|x28"; metadata:policy balanced-ips alert,policy security-ips drop,service http; classtype:web-application-attack; sid:21787; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION document write of unescaped value with remote script"; flow:to_client,established; file_data; content:"document.write|28|unescape|28 27|%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:24167; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated document command - used in exploit kits"; flow:to_client,established; file_data; content:"|22|doc|22 2B 22|ument|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:25592; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation"; flow:established,to_server; http_method; content:"GET"; http_uri; content:"CHAR(",nocase; pcre:"/[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:25783; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages"; flow:to_client,established; file_data; content:"|22|f|22|+|22|ro|22|+|22|mCh|22|+|22|arCode|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26092; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION String.fromCharCode concatenation"; flow:to_client,established; file_data; content:"|22|fro|22|+|22|mC|22|+|22|harCode|22|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26101; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits"; flow:to_client,established; file_data; content:"|88 54 68 25 DA 20 70 FE C5 67 72 ED C3 20 63 ED C6 6E 6F F8 88 62 65 AC DA 75 6E AC BF 6E 20 10 E6 53 20 E1 C5 64 65 FA A3 0D 0A E8 A8|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26352; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known malicious JavaScript decryption routine"; flow:to_client,established; file_data; content:"location.search.substring|28|1|29|",nocase; content:".charCodeAt|28|",within 200; pcre:"/var\s+(\w+)\s*=\s*location\.search\.substring\(1\).{1,200}\1\.charCodeAt\(i\x25\1\.length\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:18239; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"JXU0MTQxJXU0MTQxJXU0MTQx"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:26565; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"NDE0MSV1NDE0MSV1NDE0"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:26566; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"dTQxNDEldTQxNDEldTQxNDEK"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:26567; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits"; flow:to_client,established; file_data; content:"|22|getEl|22|+|22|eme|22|+|22|ntsByTagName"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27073; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits"; flow:to_client,established; file_data; content:"|22|g|22|+|22|e|22|+|22|tEleme|22|+|22|nts|22|+|22|ByTagName|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27074; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fro|22|+|22|mC|22|+|22|harC|22|+|22|o|22|+|22|de|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:27272; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split"; flow:to_client,established; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:27593; rev:1; )
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE hex-encoded create_function detected"; flow:to_client,established; file_data; content:"|5C|x63|5C|x72|5C|x65|5C|x61|5C|x74|5C|x65|5C|x5f|5C|x66|5C|x75|5C|x6e|5C|x63|5C|x74|5C|x69|5C|x6f|5C|x6e"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:attempted-user; sid:22098; rev:1; )
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Win32.Virut web propagation detection"; flow:to_client,established; file_data; content:"<iframe"; content:".pl/rc/",distance 0,fast_pattern; pcre:"/\x3ciframe[^\x3e]*?src\x3d\x22http\x3a\x2f\x2f[^\x26\x2e]+\x26\x2346\x3b[^\x2e]+\x2epl\x2frc\x2f\x22/"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips alert; service:http; reference:url,securelist.com/en/analysis/204792122/; classtype:trojan-activity; sid:22940; rev:1; )
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Loaderz Web Shell"; flow:to_client,established; content:"/* Loader|27|z WEB Shell v"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:23829; rev:1; )
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Alsa3ek Web Shell"; flow:to_client,established; content:"<?php /* Cod3d by Mr.Alsa3ek and Al-Swisre"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:23830; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Wordpress Request for html file in fgallery directory"; flow:to_server,established; http_uri; content:"wp-content/uploads/fgallery"; pcre:"/wp-content\/uploads\/fgallery\/.+\x2ehtml?(\?|$)/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:web-application-attack; sid:23171; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Wordpress Request for php file in fgallery directory"; flow:to_server,established; http_uri; content:"wp-content/uploads/fgallery"; pcre:"/wp-content\/uploads\/fgallery\/.+\x2ephp(\?|$)/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:web-application-attack; sid:21941; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE base64-encoded c99shell download"; flow:to_client,established; file_data; content:"KioNCioNCioJCQkJCWM5OXNoZWxsLnBocCB2"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:trojan-activity; sid:23016; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell"; flow:to_client, established; file_data; content:"WSO"; content:"toolsTbl"; content:"toolsInp"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21117; rev:2; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell security information display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'SecInfo'"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21118; rev:2; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell interactive file system information display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'FilesMan'"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21119; rev:2; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell interactive console display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'Console'"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21120; rev:2; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell interactive SQL display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'Sql'"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21121; rev:2; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell"; flow:to_client,established; file_data; content:"<title>MulCiShell"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21129; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell enumeration page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Enumerated shell link:"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21130; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell domain lookup page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Enter any Domain-name to lookup"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21131; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell sql interaction page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Host:"; content:"Username:",distance 0; content:"Password:",distance 0; content:"Port:",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21132; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell encoder page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Encrypt"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21133; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell security information page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"PHP Version"; content:"Safe mode",distance 0; content:"Magic_Quotes",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21134; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell password cracking page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Password crackers"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21135; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell security bypass page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Security (open_basedir) bypassers"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21136; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell tools page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Port scanner"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21137; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell database parsing page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Database parser"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21138; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell spread shell page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"[ Kill Shell ]"; content:"This tool will attempt to copy the shell into every writable director",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21139; rev:3; )
+alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell kill shell page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Do you *really* want to kill the shell?"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21140; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Java user-agent request to svchost.jpg"; flow:to_server,established; http_uri; content:"/svchost.jpg"; http_header; content:"Java/1."; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-1493; classtype:trojan-activity; sid:26025; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE BeEF javascript hook.js download attempt"; flow:to_client,established; file_data; content:"beef.onpopstate.push(function(event)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:attempted-user; sid:23107; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt"; flow:to_client,established; http_header; content:"/index.php?"; pcre:"/^Location:\s*?https?\x3a\x2f{2}[0-9a-f]{16}[^/]+?\/index.php\?[a-z]=[^&\r\n]{100}/im"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26528; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirected URI attempt"; flow:to_server,established; http_uri; bufferlen:>150; content:"/index.php?"; http_header; content:"Host:",nocase; pcre:"/^Host:\s*?[a-f0-9]{16}\./im"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26530; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established; file_data; content:"<iframe"; content:"config.inc.php",within 100; content:"</iframe>",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; http_header; content:"User-Agent|3A| SEX|2F|1"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Dadongs obfuscated javascript"; flow:to_client,established; file_data; content:"(|22|dadongs=|22|)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:misc-activity; sid:21519; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation"; flow:established,to_server; http_method; content:"POST"; http_uri; content:"CHAR(",nocase; pcre:"/[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13989; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|from|22|+|22|CharCod|22|+|22|e|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:21580; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharCod|22|+|22|e|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:21579; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|eva|22|+|22|l|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:21578; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - charcode"; flow:to_client,established; file_data; content:"|22|c|22|+|22|h|22|+|22|ar|22|+|22|Code|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:21577; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known JavaScript obfuscation routine"; flow:to_client,established; content:"String.fromCharCode|28|parseInt"; content:"String.fromCharCode|28|",within 1000; content:".charCodeAt|28|",within 100; content:".replace",within 100; pcre:"/\.replace\x28\x2F[^\x2F]+\x2F[A-Z]*\x2C(\x22\x22|\x27\x27)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:attempted-user; sid:17111; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"e|00|v|00|a|00|l|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:22071; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"f|00|r|00|o|00|m|00|C|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:22072; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:22073; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"c|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:22074; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - join"; flow:to_client,established; file_data; content:"b|3D 22|j|22 2B 22|o|22 2B 27|i|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:bad-unknown; sid:23085; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - push"; flow:to_client,established; file_data; content:"a|3D 27|pus|27 2B 27|h|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:bad-unknown; sid:23086; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - xval"; flow:to_client,established; file_data; content:"q|3D|x|2B 27|v|27 2B 27|al|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:bad-unknown; sid:23087; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - qweqwe"; flow:to_client,established; file_data; content:"<qwe qweqwe=|27|asd|27|/>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:bad-unknown; sid:23088; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript strings - obfuscation pattern"; flow:to_client,established; file_data; content:"|3A|present>"; content:"|3A|interactive>1</",distance 0; pcre:"/\x3c(?P<string>\w+)\x3apresent.*?\x3c(?P=string)\x3ainteractive.*?\x3c\x2f(?P=string)\x3ainteractive/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:bad-unknown; sid:23089; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious"; flow:to_client,established; file_data; content:"eval|28|",nocase; content:"gzinflate|28|",within 25,nocase; content:"base64_decode|28|",within 25,nocase; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:url,labs.snort.org/docs/23113.txt; reference:url,vrt-blog.snort.org/2012/06/web-shell-poses-as-gif.html; classtype:misc-activity; sid:23113; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious"; flow:to_client,established; file_data; content:"GIF89a",depth 6,nocase; content:"<?php",within 100,nocase; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; reference:url,labs.snort.org/docs/23114.txt; reference:url,vrt-blog.snort.org/2012/06/web-shell-poses-as-gif.html; classtype:misc-activity; sid:23114; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharC|22|+|22|ode|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:23160; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|e|22|+|22|val|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:23161; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript error suppression routine"; flow:to_client,established; file_data; content:"window.onerror = function|20 28 29 20 7B|return true"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:misc-activity; sid:23226; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; content:"|7C|fromCharCode|7C|",nocase; content:"|7C|charCodeAt|7C|",distance 0,nocase; content:"|7C|eval|7C|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http, imap, pop3; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http, imap, pop3; reference:url,labs.snort.org/docs/23636.txt; classtype:trojan-activity; sid:23636; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded uri data object found"; flow:to_client,established; file_data; content:"base64"; pcre:"/<\s*object[^>]*?data\s*\x3A[^,>]*?base64/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,tools.ietf.org/html/rfc2397; classtype:policy-violation; sid:17291; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded waitfor delay function in POST - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"%77%61%69%74%66%6f%72%20%64%65%6c%61%79"; metadata:policy balanced-ips alert,policy security-ips drop; service:http; classtype:misc-attack; sid:21780; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded union select function in POST - possible sql injection attempt"; flow:to_server,established; http_client_body; content:"%55%4e%49%4f%4e%20%53%45%4c%45%43%54"; metadata:policy balanced-ips alert,policy security-ips drop; service:http; classtype:misc-attack; sid:21781; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting"; flow:to_server,established; http_client_body; content:"%3C%73%63%72%69%70%74%3E"; metadata:policy balanced-ips alert,policy security-ips alert; service:http; classtype:web-application-attack; sid:21783; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting"; flow:to_server,established; http_client_body; content:"|26 23|x3c|3B 26 23|x73|3B 26 23|x63|3B 26 23|x72|3B 26 23|x69|3B 26 23|x70|3B 26 23|x74|3B 26 23|x3e|3B|"; metadata:policy balanced-ips alert,policy security-ips drop; service:http; classtype:web-application-attack; sid:21784; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection"; flow:to_server,established; http_client_body; content:"%65%73%63%61%70%65%28"; metadata:policy balanced-ips alert,policy security-ips alert; service:http; classtype:web-application-attack; sid:21786; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection"; flow:to_server,established; http_client_body; content:"|26 23|x65|3B 26 23|x73|3B 26 23|x63|3B 26 23|x61|3B 26 23|x70|3B 26 23|x65|3B 26 23|x28"; metadata:policy balanced-ips alert,policy security-ips drop; service:http; classtype:web-application-attack; sid:21787; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION document write of unescaped value with remote script"; flow:to_client,established; file_data; content:"document.write|28|unescape|28 27|%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F"; metadata:policy balanced-ips alert,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:24167; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated document command - used in exploit kits"; flow:to_client,established; file_data; content:"|22|doc|22 2B 22|ument|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:25592; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation"; flow:established,to_server; http_method; content:"GET"; http_uri; content:"CHAR(",nocase; pcre:"/[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:25783; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages"; flow:to_client,established; file_data; content:"|22|f|22|+|22|ro|22|+|22|mCh|22|+|22|arCode|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26092; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION String.fromCharCode concatenation"; flow:to_client,established; file_data; content:"|22|fro|22|+|22|mC|22|+|22|harCode|22|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26101; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits"; flow:to_client,established; file_data; content:"|88 54 68 25 DA 20 70 FE C5 67 72 ED C3 20 63 ED C6 6E 6F F8 88 62 65 AC DA 75 6E AC BF 6E 20 10 E6 53 20 E1 C5 64 65 FA A3 0D 0A E8 A8|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26352; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known malicious JavaScript decryption routine"; flow:to_client,established; file_data; content:"location.search.substring|28|1|29|",nocase; content:".charCodeAt|28|",within 200; pcre:"/var\s+(\w+)\s*=\s*location\.search\.substring\(1\).{1,200}\1\.charCodeAt\(i\x25\1\.length\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:attempted-user; sid:18239; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"JXU0MTQxJXU0MTQxJXU0MTQx"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:26565; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"NDE0MSV1NDE0MSV1NDE0"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:26566; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"dTQxNDEldTQxNDEldTQxNDEK"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:trojan-activity; sid:26567; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits"; flow:to_client,established; file_data; content:"|22|getEl|22|+|22|eme|22|+|22|ntsByTagName"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27073; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits"; flow:to_client,established; file_data; content:"|22|g|22|+|22|e|22|+|22|tEleme|22|+|22|nts|22|+|22|ByTagName|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27074; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fro|22|+|22|mC|22|+|22|harC|22|+|22|o|22|+|22|de|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:attempted-user; sid:27272; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split"; flow:to_client,established; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:attempted-user; sid:27593; rev:1; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"INDICATOR-SHELLCODE x86 win2k-2k3 decoder base shellcode"; flow:to_server,established; content:"|C7 0B|GGGG|81|7"; content:"u|F4|",within 2,distance 4; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:bugtraq,19409; reference:cve,2006-3439; classtype:attempted-user; sid:15902; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"INDICATOR-SHELLCODE x86 win2k-2k3 decoder base shellcode"; flow:to_server,established; content:"|C7 0B|GGGG|81|7"; content:"u|F4|",within 2,distance 4; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:bugtraq,19409; reference:cve,2006-3439; classtype:attempted-user; sid:15902; rev:3; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder"; content:"|D9 EE D9 74 24 F4|"; content:"|81|",distance 1; content:"|13|",distance 1; content:"|83|",distance 1; content:"|FC E2 F4|",distance 1; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17322; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder unescaped"; content:"unescape"; content:"%ud9ee%u2474%u"; content:"%uf4e2",distance 18; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17323; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 Linux reverse connect shellcode"; content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17324; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode upper case decoder"; content:"Q|00|A|00|T|00|A|00|X|00|A|00|Z|00|A|00|P|00|U|00|3|00|Q|00|A|00|D|00|A|00|Z|00|A|00|B|00|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17343; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic xor dword decoder"; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|83 EE FC E2 F4|",distance 4; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17344; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17345; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE JavaScript var shellcode"; flow:to_client,established; file_data; content:" shellcode",nocase; pcre:"/var\s+shellcode\s*=/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:shellcode-detect; sid:17392; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE JavaScript var heapspray"; flow:to_client,established; file_data; content:" heapspray",nocase; pcre:"/var\s+heapspray[A-Z\d_\s]*=/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:shellcode-detect; sid:17393; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE JavaScript var shellcode"; flow:to_client,established; file_data; content:" shellcode",nocase; pcre:"/var\s+shellcode\s*=/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:shellcode-detect; sid:17392; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE JavaScript var heapspray"; flow:to_client,established; file_data; content:" heapspray",nocase; pcre:"/var\s+heapspray[A-Z\d_\s]*=/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; classtype:shellcode-detect; sid:17393; rev:6; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic single-byte xor countodwn encoder"; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19281; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic cpuid-based context keyed encoder"; content:"|31 F6 31 FF 89 F8 31 C9 0F A2 31 C6 39 F0 75 03 8D 78 01 31|"; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19282; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic stat-based context keyed encoder"; content:"|D9 EE D9 74 24 F4 5B|",fast_pattern; byte_jump:1,1,relative; content:"|83 C3 09 8D 53|",within 5; content:"|31 C0 88 02 8D 4C 24 A8|",within 8,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19283; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode uppercase encoder"; content:"1AYAZBABABABAB30APB944JB"; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19286; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed encoder"; content:"YAZBABABABABkMAGB9u4JB"; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19287; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode tolower encoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|",within 9,distance 1,fast_pattern; content:"|03 0C 24 6A 04|",within 5,distance 1; content:"|5F 29 39 03 0C 24|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19288; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-SHELLCODE Metasploit php meterpreter stub .php file upload"; flow:established,to_server; content:"|24|GLOBALS|5B 27|msgsock_type|27 5D| = |24|s_type|3B 0A|eval"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20184; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-SHELLCODE Metasploit php meterpreter stub .php file upload"; flow:established,to_server; content:"|24|GLOBALS|5B 27|msgsock_type|27 5D| = |24|s_type|3B 0A|eval"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20184; rev:3; )
alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_fs_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_fs_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_fs_(separator|search|file_expand_path|md5|sha1|delete_file|stat|ls|chdir|mkdir|getwd|delete_dir)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20185; rev:2; )
alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_process_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_process_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_process_(thread_open|thread_create|thread_get_threads|image_load|image_get_proc_address|image_unload|image_get_images|memory_allocate|memory_free|memory_read|memory_write|memory_query|memory_protect|memory_lock|memory_unlock|attach|execute|kill|getpid|get_processes|close|wait|get_info|thread_suspend|thread_resume|thread_terminate|thread_query_regs|thread_set_regs|thread_close)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20186; rev:2; )
alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_eventlog_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_eventlog_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_eventlog_(open|numrecords|read|oldest|clear|close)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20187; rev:2; )
alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter networkpug_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|networkpug_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01networkpug_(start|stop)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20198; rev:2; )
alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_railgun_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_railgun_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_railgun_(memread|memwrite|api_multi|api)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20199; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic single_static_bit encoder"; content:"|80 F9|"; content:"|74|",within 1,distance 1; content:"|60 83 E9 01 74 06 B3 02 F6 F3 E2|",within 11,distance 1; content:"|83 E0 01 6B 2F 02 09 E8 AA 61 83 ED FF 83 FD 08 75|",within 17,distance 1; content:"|83 EF FF 31 ED|",within 5,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:20989; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder"; flow:established,to_client; file_data; content:"%u5456%u3358%u5630%u3458%u5041%u4130%u4833%u3048%u3041%u4130%u4142%u4241%u4154%u5141%u4132%u3242%u4242%u4230%u5842%u3850%u4341"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:shellcode-detect; sid:23236; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Agent outbound connection"; flow:to_server,established; http_header; content:"Extra-Data-Bind|3A|",nocase; content:"Extra-Data-Space|3A|",nocase; content:"Extra-Data|3A|",nocase; http_uri; pcre:"/^\/\d+$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/4d6c4f5f0525d07b1454283ee1f1a166528f1edc208d10de9d3ce80d021c8fa3/analysis/; classtype:trojan-activity; sid:22095; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder"; flow:established,to_client; file_data; content:"%u5456%u3358%u5630%u3458%u5041%u4130%u4833%u3048%u3041%u4130%u4142%u4241%u4154%u5141%u4132%u3242%u4242%u4230%u5842%u3850%u4341"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; classtype:shellcode-detect; sid:23236; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Agent outbound connection"; flow:to_server,established; http_header; content:"Extra-Data-Bind|3A|",nocase; content:"Extra-Data-Space|3A|",nocase; content:"Extra-Data|3A|",nocase; http_uri; pcre:"/^\/\d+$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/4d6c4f5f0525d07b1454283ee1f1a166528f1edc208d10de9d3ce80d021c8fa3/analysis/; classtype:trojan-activity; sid:22095; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection"; flow:to_server,established; content:"|A0 00 00 00|",depth 4; content:"|98 00 00 00|",within 4,distance 4; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/latest-report.html?resource=e181424c4fb8bcde4aae154bf3ecb14d; classtype:trojan-activity; sid:23341; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR ToolsPack PHP Backdoor access"; flow:to_server,established; http_uri; content:"plugins/ToolsPack/ToolsPack.php"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html; classtype:web-application-attack; sid:21550; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR ToolsPack PHP Backdoor access"; flow:to_server,established; http_uri; content:"plugins/ToolsPack/ToolsPack.php"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html; classtype:web-application-attack; sid:21550; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR ghost 2.3 runtime detection"; flow:to_client,established; content:"ver|3A|Ghost version ",depth 18,nocase; content:"server",distance 0,nocase; pcre:"/^ver\x3aGhost\s+version\s+\d+\x2E\d+\s+server/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; reference:url,www.megasecurity.org/trojans/g/ghost/Ghost2.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=42053; classtype:trojan-activity; sid:7115; rev:6; )
alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR donalddick v1.5b3 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.donalddick.1.5.b.3.conn; content:"OK|00|1|00|AF&AY|00|pINg_|00|!|28|c|29 23|",depth 22,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1720; classtype:trojan-activity; sid:7114; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 23476 ( msg:"MALWARE-BACKDOOR donalddick v1.5b3 runtime detection"; flow:to_server,established; content:"1|00|AF&AY|00|pINg_|00|!|28|c|29 23|",depth 19,nocase; flowbits:set,backdoor.donalddick.1.5.b.3.conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1720; classtype:trojan-activity; sid:7113; rev:8; )
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.y3krat_15.client.response; content:"client",depth 7; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; classtype:misc-activity; sid:3083; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 ( msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; flowbits:isset,backdoor.y3krat_15.connect; content:"getclient",depth 9; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3082; rev:9; )
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect"; flow:to_client,established; content:"connected",depth 9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3081; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/AES",fast_pattern,nocase; pcre:"/\/AES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24115; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/AES",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24116; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/ZES",fast_pattern,nocase; pcre:"/\/ZES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24117; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/ZES",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24118; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/SUS",fast_pattern,nocase; pcre:"/\/SUS\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24119; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/SUS",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24120; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/DES",fast_pattern,nocase; pcre:"/\/DES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24121; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/DES",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24122; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Trojan.Ransomlock runtime detection"; flow:to_server,established; http_uri; content:"?id="; content:"&cmd=img",within 8,distance 20; pcre:"/\?id=[A-Z0-9]{20}&cmd=img/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f9aafe67d4afe9526c1033fbfc861484105be3f09bdef92d911311f96ed05e4b/analysis; classtype:trojan-activity; sid:24530; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/AES",fast_pattern,nocase; pcre:"/\/AES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24115; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/AES",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24116; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/ZES",fast_pattern,nocase; pcre:"/\/ZES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24117; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/ZES",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24118; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/SUS",fast_pattern,nocase; pcre:"/\/SUS\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24119; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/SUS",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24120; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/DES",fast_pattern,nocase; pcre:"/\/DES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24121; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/DES",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24122; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Trojan.Ransomlock runtime detection"; flow:to_server,established; http_uri; content:"?id="; content:"&cmd=img",within 8,distance 20; pcre:"/\?id=[A-Z0-9]{20}&cmd=img/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/f9aafe67d4afe9526c1033fbfc861484105be3f09bdef92d911311f96ed05e4b/analysis; classtype:trojan-activity; sid:24530; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/analisis/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf-1268074309; classtype:trojan-activity; sid:16486; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/analisis/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf-1268074309; classtype:trojan-activity; sid:16487; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/analisis/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf-1268074309; classtype:trojan-activity; sid:16488; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/analisis/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf-1268074309; classtype:trojan-activity; sid:25015; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Trojan.GGDoor.22 outbound connection"; flow:to_server,established; http_uri; content:"/appsvc/appmsg4.asp?fmnumber="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=050df1a6cfafab164c7d8c10dd38c6a72145bedde19551a34ae02c0cdde607f1-1243543347; classtype:trojan-activity; sid:19747; rev:8; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR DarkSeoul related wiper"; flow:to_client,established; content:"JO840112-CRAS8468-11150923-PCI8273V"; file_data; content:"|5F 0F 94 C0 5E C9 C3 53 56 8B 74 24 0C 33 DB 57 39 1E 7E 19 8D BE 78 01 00 00 FF 37 56 FF 96 A0|"; content:"taskkill /F /IM pasvc.exe"; content:"GIt%"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/510f83af3c41f9892040a8a80b4f3a4736eebee2ec4a7d4bfee63dbe44d7ecff/analysis/; classtype:trojan-activity; sid:26326; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Windows vernot download"; flow:to_client,established; content:"|2F|res|2F 7C|1|7C|2|7C|3|7C|4|7C|5|7C|5|7C|5|7C|6|7C|5|7C|7|7C|8|7C|9|7C|10|7C|1|7C|5|7C|11|7C|12|7C|700|7C|"; file_data; content:"|7C 5B|Z/1413617015|7C|com.evernote.edam.type.NoteAttributes/3819593128|7C 5B|B/3308590456|7C|"; content:"&targetUrl=%2FHome.action&targetUrl=%2FHome.action&login=%E7%99%BB%E5%BD%95&_sourcePage="; content:"$_$Today is a very important day for me.$"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/e21921abd435f1523f41a040b8423f123487c1d9e8e5443ee219589ad8235e63/analysis/; classtype:trojan-activity; sid:26328; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Jokra dropper download"; flow:to_client,established; content:"|05 C4 89 84 24 70 1A 30 5B 82 44 8D 79 22 75 04 67 09 4E 33 7B|"; file_data; content:"|93 4C C8 83 0C B8 72 42 06 39 F4 02 84 DB 02 F8 CE 80 1C|",nocase; content:"UPX!",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/422c767682bee719d85298554af5c59cf7e48cf57daaf1c5bdd87c5d1aab40cc/analysis/; classtype:trojan-activity; sid:26332; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"/index.php",nocase; content:"COMPNAME_END",nocase; content:"COMPNAME",within 8,distance 4,nocase; content:"CODE_START",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/B91D64E9FE35C0B2164239E751F353CCCE861A718FAEF5E4D4887DB7BAD0BAEC/analysis/; classtype:trojan-activity; sid:26610; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"/index.php",nocase; content:"COMPNAME_END",nocase; content:"COMPNAME",within 8,distance 4,nocase; content:"CODE_START",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/en/file/B91D64E9FE35C0B2164239E751F353CCCE861A718FAEF5E4D4887DB7BAD0BAEC/analysis/; classtype:trojan-activity; sid:26611; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Win.Backdoor.PCRat data upload"; flow:to_server,established; content:"PCRatd",depth 6; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704226DADA09230DC285AE66CA0C9B7247B/analysis/; classtype:misc-activity; sid:26655; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; http_client_body; content:"macName=",depth 60; content:"&macOS=",within 100; content:"&macMac=",within 200; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26842; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Unix.Backdoor.Cdorked backdoor command attempt"; flow:to_server,established; content:"SECID="; http_cookie; content:"SECID=",depth 6; http_method; content:"POST"; http_raw_header; pcre:"/^Cookie\x3a\s?SECID=[^\x3b]+?$/m"; http_uri; pcre:"/\?[a-f0-9]{4}$/mi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26529; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"MALWARE-CNC Trojan.Jokbot variant outbound connection"; flow:to_server,established; content:"USER botnet",depth 11; metadata:policy balanced-ips drop,policy security-ips drop,service ftp; reference:url,www.virustotal.com/file/5BE202BC1BF54ABFB698E4287428932C0E8219FF0822D92801798996418F0509/analysis/; classtype:trojan-activity; sid:22047; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Trojan.Magania variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: Google page|0D 0A|"; http_uri; content:".asp?"; content:"mac=",within 4; content:"&ver=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; reference:url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/; classtype:trojan-activity; sid:24015; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 ( msg:"MALWARE-CNC Win.Trojan.Hostposer variant outbound connection"; flow:to_server,established; content:"|65 00 78 00 65 00 63 00 20 00 61 00 64 00 64 00 5F 00 61 00 76 00 73 00 28 00 27|"; content:"|27 00 30 00 27 00 2C 00 27 00 30 00 27 00 2C 00 27 00 30 00 27|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service mysql; reference:url,www.virustotal.com/file/8608CC320757256E8AE80DAF8895EC98BB4FDF589F90C79EED74062B497ECF4C/analysis/; classtype:trojan-activity; sid:23978; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Zbot variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:39; http_uri; content:"/?xclzve_"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/e11901864208c8468be6433b76f4d038cd298f387c9d61ffeadf5ea9e7402367/analysis/; classtype:trojan-activity; sid:23972; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Crisis outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"|2F|stats|2E|asp|3F|site|3D|actual"; http_header; content:"Content-Length|3A| 112"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C093B72CC249C07725EC3C2EEB1842FE56C8A27358F03778BF5464EBEDDBD43C/analysis/; classtype:trojan-activity; sid:23968; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.C0D0SO0 variant outbound traffic"; flow:to_server,established; content:"POST",depth 4,nocase; content:"/index00",nocase; content:".asp",distance 0,nocase; pcre:"/\/index\d{9}\.asp/i"; metadata:policy balanced-ips drop,policy security-ips drop,service ssl; reference:url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/; classtype:trojan-activity; sid:23942; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] ( msg:"MALWARE-CNC Win.Trojan.Ibabyfa.dldr outbound connection"; flow:to_server,established; content:"- f i r s t - l o g f i l e"; content:"Username-",within 32,distance 55; content:"Computer Name-",distance 0; content:"Files Copied to",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/latest-report.html?resource=bf25f7588c58cd4b7cc5ac04ebfd00c5; classtype:trojan-activity; sid:23938; rev:4; )
-alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DistTrack command and control traffic"; flow:to_server,established; http_uri; content:"/ajax_modal/modal/data.asp",nocase; content:"&state=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23893; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Gauss malware check-in"; flow:to_server,established; http_uri; content:"/userhome.php?sid=",nocase; content:"&uid=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23824; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Bublik variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/was/vas.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/73B6C213C7F5621A760936B5071A3FA43EFA66A94EBF05200D990229F210F0A1/analysis/; classtype:trojan-activity; sid:23778; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Gozi trojan checkin"; flow:to_server,established; http_uri; content:"/viewtopic.php?f=",nocase; http_client_body; content:"user_id=",nocase; content:"version_id=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/a6b6642b2cc6386d71c90c0a6bb27f873e13fa940f8bd568515515471f74b152/analysis/; classtype:trojan-activity; sid:23635; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kegotip variant report to cnc-server"; flow:to_server,established; http_uri; content:"index_get.php"; content:"action=ADD_FTP"; content:"&ftp_host"; content:"&ftp_login"; content:"&ftp_pass"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/CC7913E43487D6D3F5373B103441AC76534D7AD611A6E9F8DA45678CD993DBD5/analysis/; classtype:trojan-activity; sid:23633; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Pincav variant outbound connection"; flow:to_server,established; http_uri; content:"/Adminweb/news.asp?id=ZGlja3lA"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/73a97de02fb822dcde3e431e89d7458fd241ee8b80e6b907abd5a44c3fea3d39/analysis/; classtype:trojan-activity; sid:23628; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Trojan.GGDoor.22 outbound connection"; flow:to_server,established; http_uri; content:"/appsvc/appmsg4.asp?fmnumber="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=050df1a6cfafab164c7d8c10dd38c6a72145bedde19551a34ae02c0cdde607f1-1243543347; classtype:trojan-activity; sid:19747; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR DarkSeoul related wiper"; flow:to_client,established; content:"JO840112-CRAS8468-11150923-PCI8273V"; file_data; content:"|5F 0F 94 C0 5E C9 C3 53 56 8B 74 24 0C 33 DB 57 39 1E 7E 19 8D BE 78 01 00 00 FF 37 56 FF 96 A0|"; content:"taskkill /F /IM pasvc.exe"; content:"GIt%"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/en/file/510f83af3c41f9892040a8a80b4f3a4736eebee2ec4a7d4bfee63dbe44d7ecff/analysis/; classtype:trojan-activity; sid:26326; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Windows vernot download"; flow:to_client,established; content:"|2F|res|2F 7C|1|7C|2|7C|3|7C|4|7C|5|7C|5|7C|5|7C|6|7C|5|7C|7|7C|8|7C|9|7C|10|7C|1|7C|5|7C|11|7C|12|7C|700|7C|"; file_data; content:"|7C 5B|Z/1413617015|7C|com.evernote.edam.type.NoteAttributes/3819593128|7C 5B|B/3308590456|7C|"; content:"&targetUrl=%2FHome.action&targetUrl=%2FHome.action&login=%E7%99%BB%E5%BD%95&_sourcePage="; content:"$_$Today is a very important day for me.$"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/en/file/e21921abd435f1523f41a040b8423f123487c1d9e8e5443ee219589ad8235e63/analysis/; classtype:trojan-activity; sid:26328; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Jokra dropper download"; flow:to_client,established; content:"|05 C4 89 84 24 70 1A 30 5B 82 44 8D 79 22 75 04 67 09 4E 33 7B|"; file_data; content:"|93 4C C8 83 0C B8 72 42 06 39 F4 02 84 DB 02 F8 CE 80 1C|",nocase; content:"UPX!",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/en/file/422c767682bee719d85298554af5c59cf7e48cf57daaf1c5bdd87c5d1aab40cc/analysis/; classtype:trojan-activity; sid:26332; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"/index.php",nocase; content:"COMPNAME_END",nocase; content:"COMPNAME",within 8,distance 4,nocase; content:"CODE_START",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/en/file/B91D64E9FE35C0B2164239E751F353CCCE861A718FAEF5E4D4887DB7BAD0BAEC/analysis/; classtype:trojan-activity; sid:26610; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"/index.php",nocase; content:"COMPNAME_END",nocase; content:"COMPNAME",within 8,distance 4,nocase; content:"CODE_START",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/en/file/B91D64E9FE35C0B2164239E751F353CCCE861A718FAEF5E4D4887DB7BAD0BAEC/analysis/; classtype:trojan-activity; sid:26611; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Win.Backdoor.PCRat data upload"; flow:to_server,established; content:"PCRatd",depth 6; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704226DADA09230DC285AE66CA0C9B7247B/analysis/; classtype:misc-activity; sid:26655; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; http_client_body; content:"macName=",depth 60; content:"&macOS=",within 100; content:"&macMac=",within 200; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26842; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Unix.Backdoor.Cdorked backdoor command attempt"; flow:to_server,established; content:"SECID="; http_cookie; content:"SECID=",depth 6; http_method; content:"POST"; http_raw_header; pcre:"/^Cookie\x3a\s?SECID=[^\x3b]+?$/m"; http_uri; pcre:"/\?[a-f0-9]{4}$/mi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26529; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"MALWARE-CNC Trojan.Jokbot variant outbound connection"; flow:to_server,established; content:"USER botnet",depth 11; metadata:policy balanced-ips drop,policy security-ips drop; service:ftp; reference:url,www.virustotal.com/file/5BE202BC1BF54ABFB698E4287428932C0E8219FF0822D92801798996418F0509/analysis/; classtype:trojan-activity; sid:22047; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Trojan.Magania variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: Google page|0D 0A|"; http_uri; content:".asp?"; content:"mac=",within 4; content:"&ver=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; reference:url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/; classtype:trojan-activity; sid:24015; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 ( msg:"MALWARE-CNC Win.Trojan.Hostposer variant outbound connection"; flow:to_server,established; content:"|65 00 78 00 65 00 63 00 20 00 61 00 64 00 64 00 5F 00 61 00 76 00 73 00 28 00 27|"; content:"|27 00 30 00 27 00 2C 00 27 00 30 00 27 00 2C 00 27 00 30 00 27|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:mysql; reference:url,www.virustotal.com/file/8608CC320757256E8AE80DAF8895EC98BB4FDF589F90C79EED74062B497ECF4C/analysis/; classtype:trojan-activity; sid:23978; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Zbot variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:39; http_uri; content:"/?xclzve_"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/e11901864208c8468be6433b76f4d038cd298f387c9d61ffeadf5ea9e7402367/analysis/; classtype:trojan-activity; sid:23972; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Crisis outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"|2F|stats|2E|asp|3F|site|3D|actual"; http_header; content:"Content-Length|3A| 112"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/C093B72CC249C07725EC3C2EEB1842FE56C8A27358F03778BF5464EBEDDBD43C/analysis/; classtype:trojan-activity; sid:23968; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.C0D0SO0 variant outbound traffic"; flow:to_server,established; content:"POST",depth 4,nocase; content:"/index00",nocase; content:".asp",distance 0,nocase; pcre:"/\/index\d{9}\.asp/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:ssl; reference:url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/; classtype:trojan-activity; sid:23942; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] ( msg:"MALWARE-CNC Win.Trojan.Ibabyfa.dldr outbound connection"; flow:to_server,established; content:"- f i r s t - l o g f i l e"; content:"Username-",within 32,distance 55; content:"Computer Name-",distance 0; content:"Files Copied to",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/latest-report.html?resource=bf25f7588c58cd4b7cc5ac04ebfd00c5; classtype:trojan-activity; sid:23938; rev:4; )
+alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DistTrack command and control traffic"; flow:to_server,established; http_uri; content:"/ajax_modal/modal/data.asp",nocase; content:"&state=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23893; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Gauss malware check-in"; flow:to_server,established; http_uri; content:"/userhome.php?sid=",nocase; content:"&uid=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23824; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Bublik variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/was/vas.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/73B6C213C7F5621A760936B5071A3FA43EFA66A94EBF05200D990229F210F0A1/analysis/; classtype:trojan-activity; sid:23778; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Gozi trojan checkin"; flow:to_server,established; http_uri; content:"/viewtopic.php?f=",nocase; http_client_body; content:"user_id=",nocase; content:"version_id=",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/a6b6642b2cc6386d71c90c0a6bb27f873e13fa940f8bd568515515471f74b152/analysis/; classtype:trojan-activity; sid:23635; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kegotip variant report to cnc-server"; flow:to_server,established; http_uri; content:"index_get.php"; content:"action=ADD_FTP"; content:"&ftp_host"; content:"&ftp_login"; content:"&ftp_pass"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/CC7913E43487D6D3F5373B103441AC76534D7AD611A6E9F8DA45678CD993DBD5/analysis/; classtype:trojan-activity; sid:23633; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Pincav variant outbound connection"; flow:to_server,established; http_uri; content:"/Adminweb/news.asp?id=ZGlja3lA"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/73a97de02fb822dcde3e431e89d7458fd241ee8b80e6b907abd5a44c3fea3d39/analysis/; classtype:trojan-activity; sid:23628; rev:4; )
alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471] ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; flow:to_server; dsize:16; content:"|28 94 8D AB|",depth 4,offset 4; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23493; rev:5; )
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; flow:to_server; dsize:20; content:"|9E 98|",depth 2,offset 6; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23492; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbvoleur.a variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: default"; http_client_body; content:"uid|3D|"; content:"|26|subid|3D|"; content:"|26|torrent_count|3D|"; content:"|26|video_count|3D|"; metadata:impact_flag red,policy balanced-ips drop,service http; reference:url,www.virustotal.com/file/dd616615017e0d5a1a9b126e0294d3cfc026ea0aa76b76354536d24b3c327c47/analysis/; classtype:trojan-activity; sid:23394; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.SpyEye outbound connection"; flow:to_server,established; http_uri; content:"/dataSafer3er/"; http_method; content:"POST"; http_client_body; content:"|8C 69 69 B2|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/09478bf4833505d3d7b66d4f30ccce6b9fde3ea51b9ccf6fdeadc008efba43d8/analysis/; classtype:trojan-activity; sid:23382; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"media/system/js/wp-env.php"; content:"nomepc=",nocase; content:"osName=",nocase; content:"netCard=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/B25052ADA8C0B52DBA31993E8FB6DE3609C74D54B262EEC48AC440B4D678ABC7/analysis/; classtype:trojan-activity; sid:23342; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Swisyn outbound connection"; flow:to_server,established; http_uri; content:"?act=login&ver="; content:"&born=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b162604f44fd37bf77b1c043a1b35d7bedde8ff907df4be9276a6d77f36d6242/analysis/; classtype:trojan-activity; sid:23335; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbvoleur.a variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: default"; http_client_body; content:"uid|3D|"; content:"|26|subid|3D|"; content:"|26|torrent_count|3D|"; content:"|26|video_count|3D|"; metadata:impact_flag red,policy balanced-ips drop; service:http; reference:url,www.virustotal.com/file/dd616615017e0d5a1a9b126e0294d3cfc026ea0aa76b76354536d24b3c327c47/analysis/; classtype:trojan-activity; sid:23394; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.SpyEye outbound connection"; flow:to_server,established; http_uri; content:"/dataSafer3er/"; http_method; content:"POST"; http_client_body; content:"|8C 69 69 B2|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/09478bf4833505d3d7b66d4f30ccce6b9fde3ea51b9ccf6fdeadc008efba43d8/analysis/; classtype:trojan-activity; sid:23382; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"media/system/js/wp-env.php"; content:"nomepc=",nocase; content:"osName=",nocase; content:"netCard=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/B25052ADA8C0B52DBA31993E8FB6DE3609C74D54B262EEC48AC440B4D678ABC7/analysis/; classtype:trojan-activity; sid:23342; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Swisyn outbound connection"; flow:to_server,established; http_uri; content:"?act=login&ver="; content:"&born=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b162604f44fd37bf77b1c043a1b35d7bedde8ff907df4be9276a6d77f36d6242/analysis/; classtype:trojan-activity; sid:23335; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 2011 ( msg:"MALWARE-CNC Trojan.Downloader initial C&C checkin"; flow:to_server,established; content:"|1A 27 00 00|",depth 4; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/aaba9f42a76ca25d016d758fbd1dae860df1915eda52f8b8c659243b62110827/analysis/; classtype:trojan-activity; sid:23334; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dishigy outbound connection"; flow:established, to_server; http_method; content:"POST",nocase; http_uri; content:"/bot/diwar.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23332; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Dropper connect to server"; flow:to_server,established; http_uri; content:"gate.php"; http_client_body; content:"{",depth 1; content:"-",within 1,distance 8; content:"-",within 1,distance 4; content:"-",within 1,distance 4; content:"-",within 1,distance 4; content:"}|15 00 00 00 00|",within 6,distance 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C021D80C29933C2EF636B765206C83AAFF36CA307F777F09CC26FE864B204ACE/analysis/; classtype:trojan-activity; sid:23307; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Banker outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"|DE AD BE EF|",depth 4,fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=19d0af98ba20411191ba51a0144485cc; classtype:trojan-activity; sid:23262; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control traffic - Pushbot"; flow:to_server,established; content:"User-Agent|3A| cvc_v105"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:23261; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Delf.CL variant outbound connection"; flow:to_server,established; http_uri; content:"/support3/script.php"; pcre:"/hwinfo=\x7b[a-f0-9]{8}\x2d[a-f0-9]{4}\x2d[a-f0-9]{4}\x2d[a-f0-9]{4}\x2d[a-f0-9]{12}\x7d/smi"; http_client_body; content:"name=|22|pwdata|22|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/4195B3B362342BFA48916C2E9F04C76E0A3B65456D2CAC384128C298E5A7A009/analysis/; classtype:trojan-activity; sid:23254; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"asp?device_t="; content:"&key=",distance 0; content:"&device_id=",distance 0; content:"&cv=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/B96DFE55BEF7B1CC30430A1E3F5AE826EE02DDF63582539215E4F634FA6508B9/analysis/; classtype:trojan-activity; sid:23245; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kuluoz variant outbound connection"; flow:to_server,established; http_uri; content:"/index.php?r=gate&",nocase; content:"&group=",distance 0,nocase; content:"&debug=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,spamalysis.wordpress.com/2012/04/27/contact-to-the-nearest-post-office/; reference:url,www.virustotal.com/file/1d4e30379346cc784cb29620fbc459d117a0e5221dbbb8ec0873d06a67d57b20/analysis/; reference:url,www.virustotal.com/file/6f87ceaeed3474c0747c5a7da0531459813b4a6fc71d16599917bafbf3386c38/analysis/; reference:url,www.virustotal.com/file/bc26fab87bb48d9e911e0a4557b2a6a1b984e09490baab51aa72ad7576b625af/analysis/; reference:url,www.virustotal.com/file/c398224e76d2c3234765eafd2336d1c9e5f91f3f2abdbfe69f9148d5798a4655/analysis/; classtype:trojan-activity; sid:23244; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker.boxg connect to cnc server"; flow:to_server,established; http_uri; content:"/msn/xbox/info.php",nocase; http_client_body; content:"login=cpf",depth 9,nocase; content:"&senha",within 6,distance 30,nocase; content:"Codigo",nocase; content:"Compara",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/415401612cc2261081b8541763d29ccb9ab57bb12f7b35974c33f2352071656e/analysis/; classtype:trojan-activity; sid:23242; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"MALWARE-CNC Trojan.Lolbot variant outbound connection"; flow:to_server,established; content:"USER griptoloji"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service ftp; reference:url,www.virustotal.com/file/6317bf0843703c2356243b58a961b82ba2ffbbcb1d744402c17c94c139d3ea5b/analysis/; classtype:trojan-activity; sid:23109; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Scar variant outbound connection"; flow:to_server,established; http_uri; content:"/ddos?uid=",nocase; content:"&ver=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6317bf0843703c2356243b58a961b82ba2ffbbcb1d744402c17c94c139d3ea5b/analysis/; classtype:trojan-activity; sid:23104; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Bublik variant outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/was/u.php"; http_header; content:"Content-Length|3A 20|328"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/B600D0A5FC596CEEDD377890C93FE4B50F8093F2CE874EF39956E497CC63E544/analysis/; classtype:trojan-activity; sid:23103; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Flame malware connection - /view.php"; flow:to_server,established; http_uri; content:"/view.php?mp=1&",nocase; content:"&pr=1&ec=0&ov=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23057; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_get_host.php?ver="; pkt_data; content:"HTTP/1.0"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5f281de6faf1793f622f049f2359e09fd4fbd744f43e3fd0fdb0cbcc812fa3af/analysis/; classtype:trojan-activity; sid:22058; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Midhos variant outbound connection"; flow:to_server,established; http_uri; content:"/file/id=AQA"; content:"AAEA",within 4,distance 1; content:"rLhtgiZvmW8",distance 0; content:"&rt=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1671d64f146e97b3ce2a58514f99f91b83214af6f1c679b27f98aa277d909dbd/analysis/; classtype:trojan-activity; sid:22100; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Piroxcc variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/sedo.php"; http_client_body; content:"id=",depth 3; content:"&s5_uidx=",distance 0; content:"&os=",distance 0; content:"&s5=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/349C1AAD74E43C9814CB895B3001FAD5106FBE6450D30B727E9BB7070FDA0D7B/analysis/; classtype:trojan-activity; sid:22099; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Fepgul outbound connection"; flow:to_server,established; http_uri; content:"/SkypeClient.exe"; http_header; content:"skype.tom.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/CCCE38CDBE10DCEE205334E58C218B3816787EF80F86A1BA95E0BD719165EFF9/analysis/; classtype:trojan-activity; sid:22060; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"/service.php?kind="; content:"pid=",distance 0; content:"prog=",distance 0; content:"addresses=",distance 0; content:"progkind=",distance 0; content:"wv=",distance 0; content:"ee=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/734CF749D5B31EF5AB97374E02B528E0072D86ACD143E69762A9141B08E4D069/analysis/; classtype:trojan-activity; sid:22059; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Prorat variant outbound connection"; flow:to_server,established; http_uri; content:"/mo3tazjordan/server.exe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3CDE092BD99DF7AAD5A44697E199AF3A90C60DCD15CDA589E5BE75CA1D48B25E/analysis/; classtype:trojan-activity; sid:22054; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dishigy outbound connection"; flow:established, to_server; http_method; content:"POST",nocase; http_uri; content:"/bot/diwar.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:23332; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Dropper connect to server"; flow:to_server,established; http_uri; content:"gate.php"; http_client_body; content:"{",depth 1; content:"-",within 1,distance 8; content:"-",within 1,distance 4; content:"-",within 1,distance 4; content:"-",within 1,distance 4; content:"}|15 00 00 00 00|",within 6,distance 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/C021D80C29933C2EF636B765206C83AAFF36CA307F777F09CC26FE864B204ACE/analysis/; classtype:trojan-activity; sid:23307; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Banker outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"|DE AD BE EF|",depth 4,fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=19d0af98ba20411191ba51a0144485cc; classtype:trojan-activity; sid:23262; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control traffic - Pushbot"; flow:to_server,established; content:"User-Agent|3A| cvc_v105"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:23261; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Delf.CL variant outbound connection"; flow:to_server,established; http_uri; content:"/support3/script.php"; pcre:"/hwinfo=\x7b[a-f0-9]{8}\x2d[a-f0-9]{4}\x2d[a-f0-9]{4}\x2d[a-f0-9]{4}\x2d[a-f0-9]{12}\x7d/smi"; http_client_body; content:"name=|22|pwdata|22|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/4195B3B362342BFA48916C2E9F04C76E0A3B65456D2CAC384128C298E5A7A009/analysis/; classtype:trojan-activity; sid:23254; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"asp?device_t="; content:"&key=",distance 0; content:"&device_id=",distance 0; content:"&cv=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/B96DFE55BEF7B1CC30430A1E3F5AE826EE02DDF63582539215E4F634FA6508B9/analysis/; classtype:trojan-activity; sid:23245; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kuluoz variant outbound connection"; flow:to_server,established; http_uri; content:"/index.php?r=gate&",nocase; content:"&group=",distance 0,nocase; content:"&debug=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,spamalysis.wordpress.com/2012/04/27/contact-to-the-nearest-post-office/; reference:url,www.virustotal.com/file/1d4e30379346cc784cb29620fbc459d117a0e5221dbbb8ec0873d06a67d57b20/analysis/; reference:url,www.virustotal.com/file/6f87ceaeed3474c0747c5a7da0531459813b4a6fc71d16599917bafbf3386c38/analysis/; reference:url,www.virustotal.com/file/bc26fab87bb48d9e911e0a4557b2a6a1b984e09490baab51aa72ad7576b625af/analysis/; reference:url,www.virustotal.com/file/c398224e76d2c3234765eafd2336d1c9e5f91f3f2abdbfe69f9148d5798a4655/analysis/; classtype:trojan-activity; sid:23244; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker.boxg connect to cnc server"; flow:to_server,established; http_uri; content:"/msn/xbox/info.php",nocase; http_client_body; content:"login=cpf",depth 9,nocase; content:"&senha",within 6,distance 30,nocase; content:"Codigo",nocase; content:"Compara",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/415401612cc2261081b8541763d29ccb9ab57bb12f7b35974c33f2352071656e/analysis/; classtype:trojan-activity; sid:23242; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"MALWARE-CNC Trojan.Lolbot variant outbound connection"; flow:to_server,established; content:"USER griptoloji"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:ftp; reference:url,www.virustotal.com/file/6317bf0843703c2356243b58a961b82ba2ffbbcb1d744402c17c94c139d3ea5b/analysis/; classtype:trojan-activity; sid:23109; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Scar variant outbound connection"; flow:to_server,established; http_uri; content:"/ddos?uid=",nocase; content:"&ver=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/6317bf0843703c2356243b58a961b82ba2ffbbcb1d744402c17c94c139d3ea5b/analysis/; classtype:trojan-activity; sid:23104; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Bublik variant outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/was/u.php"; http_header; content:"Content-Length|3A 20|328"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/B600D0A5FC596CEEDD377890C93FE4B50F8093F2CE874EF39956E497CC63E544/analysis/; classtype:trojan-activity; sid:23103; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Flame malware connection - /view.php"; flow:to_server,established; http_uri; content:"/view.php?mp=1&",nocase; content:"&pr=1&ec=0&ov=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23057; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_get_host.php?ver="; pkt_data; content:"HTTP/1.0"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/5f281de6faf1793f622f049f2359e09fd4fbd744f43e3fd0fdb0cbcc812fa3af/analysis/; classtype:trojan-activity; sid:22058; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Midhos variant outbound connection"; flow:to_server,established; http_uri; content:"/file/id=AQA"; content:"AAEA",within 4,distance 1; content:"rLhtgiZvmW8",distance 0; content:"&rt=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/1671d64f146e97b3ce2a58514f99f91b83214af6f1c679b27f98aa277d909dbd/analysis/; classtype:trojan-activity; sid:22100; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Piroxcc variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/sedo.php"; http_client_body; content:"id=",depth 3; content:"&s5_uidx=",distance 0; content:"&os=",distance 0; content:"&s5=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/349C1AAD74E43C9814CB895B3001FAD5106FBE6450D30B727E9BB7070FDA0D7B/analysis/; classtype:trojan-activity; sid:22099; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Fepgul outbound connection"; flow:to_server,established; http_uri; content:"/SkypeClient.exe"; http_header; content:"skype.tom.com"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/CCCE38CDBE10DCEE205334E58C218B3816787EF80F86A1BA95E0BD719165EFF9/analysis/; classtype:trojan-activity; sid:22060; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"/service.php?kind="; content:"pid=",distance 0; content:"prog=",distance 0; content:"addresses=",distance 0; content:"progkind=",distance 0; content:"wv=",distance 0; content:"ee=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/734CF749D5B31EF5AB97374E02B528E0072D86ACD143E69762A9141B08E4D069/analysis/; classtype:trojan-activity; sid:22059; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Prorat variant outbound connection"; flow:to_server,established; http_uri; content:"/mo3tazjordan/server.exe"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/3CDE092BD99DF7AAD5A44697E199AF3A90C60DCD15CDA589E5BE75CA1D48B25E/analysis/; classtype:trojan-activity; sid:22054; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Trojan.Zeus P2P outbound communication"; flow:to_server,established; dsize:20; content:"|E5 AA C0 31|",depth 4; content:"|5B 74 08 4D 9B 39 C1|",within 7,distance 5; metadata:policy balanced-ips alert,policy security-ips drop; reference:url,www.abuse.ch/?p=3499; reference:url,www.virustotal.com/file/771571422FD4D88A439773D18951B5D83FD1E927CF2970EFD5CCAC97DBB3AC50/analysis/; classtype:trojan-activity; sid:22048; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX Flashback malware outbound connection"; flow:to_server,established; http_uri; content:"/auupdate/",fast_pattern; http_header; content:"User-Agent|3A|"; base64_decode:relative; base64_data; pkt_data; content:"|7C|x86_64|7C|10."; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:22034; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX Flashback malware outbound connection"; flow:to_server,established; http_uri; content:"/auupdate/",fast_pattern; http_header; content:"User-Agent|3A|"; base64_decode:relative; base64_data; pkt_data; content:"|7C|i386|7C|10."; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:22033; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.BamCompiled variant inbound updates"; flow:to_client,established; file_data; content:"<zombis>"; pcre:"/<zombis>\s*<JUNIPER-M3>.*?</JUNIPER-M3>\s*</zombis>/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/7cc3fa3197a5efd486d64483855cb55801e32ecd1e51a9b5e4cdf64f454874dc/analysis/; classtype:trojan-activity; sid:21984; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.BamCompiled variant outbound connection"; flow:to_server,established; http_uri; content:"/Admin/FunctionsClient/"; pcre:"/\x2fAdmin\x2fFunctionsClient\x2f(check.txt|Select.php|Update.php)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/7cc3fa3197a5efd486d64483855cb55801e32ecd1e51a9b5e4cdf64f454874dc/analysis/; classtype:trojan-activity; sid:21983; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Aldi bot variant outbound connection user-agent"; flow:to_server,established; http_header; content:"Aldi Bot FTW! :D"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2011/10/ddos-aldi-bot/; classtype:trojan-activity; sid:21912; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Aldi variant outbound connection C&C checkin"; flow:to_server,established; http_uri; content:"gate.php?hwid="; content:"pc=",distance 0; content:"localip=",distance 0; content:"winver=",distance 0; pcre:"/hwid=[^\x0a\x26]+?\x26pc=[^\x0a\x26]+?\x26localip=[^\x0a\x26]+?\x26winver=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2011/10/ddos-aldi-bot/; classtype:trojan-activity; sid:21911; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX Flashback malware user-agent"; flow:to_server,established; http_header; content:"Windows NT 6.1|3B| WOW64|3B| rv:9.0.1|3B| sv:2|3B| id:"; pcre:"/[1-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,contagiodump.blogspot.com/2012/04/i-have-been-tracking-infections-too-and.html; classtype:trojan-activity; sid:21910; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Sabpub outbound connection"; flow:to_server,established; http_uri; content:"/update.aspx"; http_header; content:"Accept-Encoding|3A 20|base64,gzip"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link; classtype:trojan-activity; sid:21877; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Orsam variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/ping.php"; http_header; content:"WinHttp.WinHttpRequest"; pcre:"/User-Agent\x3a\x20[^\n]*?WinHttp\x2eWinHttpRequest.*?\n/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/792636c6d2114a93afb95dccc05fd2820fa236fc5d3d9d1f5a3db6ba80353087/analysis/; classtype:trojan-activity; sid:21852; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; http_uri; content:"/download.html",nocase; http_header; content:"User-Agent|3A 20|wmagents.exe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=f9775d5fc61ec53a7cab4b432ec2d227; classtype:trojan-activity; sid:21761; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_header; content:"|0A|User-Agent|3A 20|tiehttp",fast_pattern,nocase; http_client_body; content:"Content-Disposition|3A 20|",nocase; content:"form-data|3B| name=|22|filename|22|",distance 0,nocase; content:"|0D 0A 0D 0A|",within 4; pkt_data; pcre:"/^\d{0,10}_passes_\d{1,10}\.xm/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=f9775d5fc61ec53a7cab4b432ec2d227; classtype:trojan-activity; sid:21760; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_d/"; pcre:"/\/stat_d\/$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21758; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_svc/"; pcre:"/\/stat_svc\/$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21757; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_n/"; pcre:"/\/stat_n\/$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21756; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_u/"; pcre:"/\/stat_u\/$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21755; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Aluereon TDSS infection variant outbound connection"; flow:to_server,established; http_uri; content:".php?i=",fast_pattern; content:"&a=",distance 0; content:"&f=",distance 0; content:"&x64=",distance 0; content:"&os=",distance 0; http_header; content:!"User-Agent"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1cc3d8345af514e2ea0fb3a2abdd82c8c5567e5ddd934d5eb458cca3acea4b09/analysis/1332706994/; classtype:trojan-activity; sid:21638; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Ransom variant outbound connection"; flow:to_server,established; http_header; content:"Referer|3A| res|3A 2F 2F|"; content:"|3A 5C|",within 3,distance 1; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/2ed70f0d0fed4fba04d576bc2a9a13541a95f4ecb5bdead07ca30d7b40a70d84/analysis/; classtype:trojan-activity; sid:21632; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Sinowal javascript delivery method"; flow:to_client,established; file_data; content:"(function(){function "; content:"window.navigator.userAgent.indexOf(|22|Windows NT 6.|22|",distance 0; content:"else setTimeout(",distance 0; content:",10)}",distance 0; content:"()})()|3B|",distance 0; pcre:"/\x28function\x28\x29\x7bfunction\x20([a-zA-Z0-9]+).*?else\x20setTimeout\x28\1\x2c10\x29\x7d\1\x28\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,wepawet.cs.ucsb.edu/view.php?hash=03c2bae0e0a779cda0f3a2c8679a46ef&type=js; classtype:trojan-activity; sid:21631; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Georbot variant outbound connection"; flow:to_server,established; http_uri; content:".php?ver="; content:"&cam=",distance 0; content:"&p=bot123",distance 1; content:"&id=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.eset.com/wp-content/media_files/ESET_win32georbot_analysis_final.pdf; classtype:trojan-activity; sid:21622; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Dropper-23836 outbound connection"; flow:to_server,established; http_uri; content:"php?net=gnutella2&get=1&client=RAZA2."; http_header; content:"User-Agent|3A 20|Shareaza"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/77c5acc4209778042fe21829a6728815249026d459e7622cf62b113b2f76d553/analysis/; classtype:misc-activity; sid:21593; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/wsouth1.exe"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/file/bdec740dcbda605694bfa2bc9f463bec4e401f331d1452a5437222cf53b9d5d0/analysis/; classtype:trojan-activity; sid:21565; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/jucheck.exe"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/latest-report.html?resource=B49BCE1778F76F7D59909790B93CBB86; classtype:trojan-activity; sid:21564; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/rtce0"; content:".exe",distance 0; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/latest-report.html?resource=B49BCE1778F76F7D59909790B93CBB86; classtype:trojan-activity; sid:21563; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Bredolab variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_client_body; content:"smk=",depth 4; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kahn variant outbound connection"; flow:to_server,established; http_uri; content:"/panda/?u="; pcre:"/\x2fpanda\x2f\x3fu\x3d[a-z0-9]{32}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2012/03/kahn/; reference:url,www.virustotal.com/file/3e37577f8bd7d4d248d414ec65b1c339e491d0d7c096c92e602c639faec7626f/analysis/; classtype:trojan-activity; sid:21552; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kahn outbound connection"; flow:to_server,established; http_method; content:"POST"; http_header; content:"Content-Length|3A 20|1000002"; http_client_body; content:"z=",depth 2; http_uri; pcre:"/\/$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2012/03/kahn/; reference:url,www.virustotal.com/file/3e37577f8bd7d4d248d414ec65b1c339e491d0d7c096c92e602c639faec7626f/analysis/; classtype:trojan-activity; sid:21551; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Cutwail landing page connection"; flow:to_client,established; file_data; content:"<h1>WAIT PLEASE</h1>|0D 0A 20|<h3>Loading...</h3>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Cutwail_botnet; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2FCutwail; classtype:attempted-user; sid:21548; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"/getcmd.php?id="; content:"&traff=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/c31f47dddc4d15dacecb47408248b4f12e2ad5c829299d7223eb36f7ecbc6db3/analysis/; classtype:trojan-activity; sid:21547; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Dofoil variant outbound payload request"; flow:to_server,established; http_uri; content:".exe"; pkt_data; content:"HTTP/1.0"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; content:!"Accept|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21538; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"/UpdateInfo2.xml",fast_pattern; http_header; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3303912ce4dd35cb0fefe2d6fbc75a887c2734d42e5edd622609a2c8bedd0dae/analysis/; classtype:trojan-activity; sid:21525; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALNfY"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10077; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALNBp"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10076; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALEir"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10075; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCEgAH0PRKH5o+uIAAF5sAAAAwgAAJgAAVee+"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10074; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCEgAH0PRKH5o+uIAAF5sAAAAwgAAJgAAVW0u"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10073; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7+1C"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10072; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7/dT"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10071; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA73lo"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10070; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA78Ej"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10069; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7xSw"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10068; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA71DL"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10067; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCOoZ0r3G4BoF+sIAADJgAAAArAAAJgAAuru3"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10066; rev:8; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkCCOqHqPmgGbzTU9IAAA1jAAAArAAAJgAACeJY"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; classtype:trojan-activity; sid:10065; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-CNC yarner.b smtp propagation detection"; flow:to_server,established; content:"From|3A|",nocase; content:"Trojaner-Info<webmaster@trojaner-info.de>",distance 0,nocase; content:"Subject|3A|",nocase; content:"Trojaner-Info Newsletter",distance 0,nocase; pcre:"/^From\x3A[^\r\n]*Trojaner-Info<webmaster@trojaner-info\x2Ede>/smi"; pcre:"/^Subject\x3A[^\r\n]*Trojaner-Info\sNewsletter/smi"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips drop,service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-021912-4244-99&tabid=2; classtype:trojan-activity; sid:9329; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX Flashback malware outbound connection"; flow:to_server,established; http_uri; content:"/auupdate/",fast_pattern; http_header; content:"User-Agent|3A|"; base64_decode:relative; base64_data; pkt_data; content:"|7C|x86_64|7C|10."; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:22034; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX Flashback malware outbound connection"; flow:to_server,established; http_uri; content:"/auupdate/",fast_pattern; http_header; content:"User-Agent|3A|"; base64_decode:relative; base64_data; pkt_data; content:"|7C|i386|7C|10."; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:22033; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.BamCompiled variant inbound updates"; flow:to_client,established; file_data; content:"<zombis>"; pcre:"/<zombis>\s*<JUNIPER-M3>.*?</JUNIPER-M3>\s*</zombis>/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/7cc3fa3197a5efd486d64483855cb55801e32ecd1e51a9b5e4cdf64f454874dc/analysis/; classtype:trojan-activity; sid:21984; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.BamCompiled variant outbound connection"; flow:to_server,established; http_uri; content:"/Admin/FunctionsClient/"; pcre:"/\x2fAdmin\x2fFunctionsClient\x2f(check.txt|Select.php|Update.php)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/7cc3fa3197a5efd486d64483855cb55801e32ecd1e51a9b5e4cdf64f454874dc/analysis/; classtype:trojan-activity; sid:21983; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Aldi bot variant outbound connection user-agent"; flow:to_server,established; http_header; content:"Aldi Bot FTW! :D"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,ddos.arbornetworks.com/2011/10/ddos-aldi-bot/; classtype:trojan-activity; sid:21912; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Aldi variant outbound connection C&C checkin"; flow:to_server,established; http_uri; content:"gate.php?hwid="; content:"pc=",distance 0; content:"localip=",distance 0; content:"winver=",distance 0; pcre:"/hwid=[^\x0a\x26]+?\x26pc=[^\x0a\x26]+?\x26localip=[^\x0a\x26]+?\x26winver=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,ddos.arbornetworks.com/2011/10/ddos-aldi-bot/; classtype:trojan-activity; sid:21911; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX Flashback malware user-agent"; flow:to_server,established; http_header; content:"Windows NT 6.1|3B| WOW64|3B| rv:9.0.1|3B| sv:2|3B| id:"; pcre:"/[1-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,contagiodump.blogspot.com/2012/04/i-have-been-tracking-infections-too-and.html; classtype:trojan-activity; sid:21910; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Sabpub outbound connection"; flow:to_server,established; http_uri; content:"/update.aspx"; http_header; content:"Accept-Encoding|3A 20|base64,gzip"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link; classtype:trojan-activity; sid:21877; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Orsam variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/ping.php"; http_header; content:"WinHttp.WinHttpRequest"; pcre:"/User-Agent\x3a\x20[^\n]*?WinHttp\x2eWinHttpRequest.*?\n/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/792636c6d2114a93afb95dccc05fd2820fa236fc5d3d9d1f5a3db6ba80353087/analysis/; classtype:trojan-activity; sid:21852; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; http_uri; content:"/download.html",nocase; http_header; content:"User-Agent|3A 20|wmagents.exe"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=f9775d5fc61ec53a7cab4b432ec2d227; classtype:trojan-activity; sid:21761; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_header; content:"|0A|User-Agent|3A 20|tiehttp",fast_pattern,nocase; http_client_body; content:"Content-Disposition|3A 20|",nocase; content:"form-data|3B| name=|22|filename|22|",distance 0,nocase; content:"|0D 0A 0D 0A|",within 4; pkt_data; pcre:"/^\d{0,10}_passes_\d{1,10}\.xm/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=f9775d5fc61ec53a7cab4b432ec2d227; classtype:trojan-activity; sid:21760; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_d/"; pcre:"/\/stat_d\/$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21758; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_svc/"; pcre:"/\/stat_svc\/$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21757; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_n/"; pcre:"/\/stat_n\/$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21756; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_u/"; pcre:"/\/stat_u\/$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21755; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Aluereon TDSS infection variant outbound connection"; flow:to_server,established; http_uri; content:".php?i=",fast_pattern; content:"&a=",distance 0; content:"&f=",distance 0; content:"&x64=",distance 0; content:"&os=",distance 0; http_header; content:!"User-Agent"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/1cc3d8345af514e2ea0fb3a2abdd82c8c5567e5ddd934d5eb458cca3acea4b09/analysis/1332706994/; classtype:trojan-activity; sid:21638; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Ransom variant outbound connection"; flow:to_server,established; http_header; content:"Referer|3A| res|3A 2F 2F|"; content:"|3A 5C|",within 3,distance 1; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/2ed70f0d0fed4fba04d576bc2a9a13541a95f4ecb5bdead07ca30d7b40a70d84/analysis/; classtype:trojan-activity; sid:21632; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Sinowal javascript delivery method"; flow:to_client,established; file_data; content:"(function(){function "; content:"window.navigator.userAgent.indexOf(|22|Windows NT 6.|22|",distance 0; content:"else setTimeout(",distance 0; content:",10)}",distance 0; content:"()})()|3B|",distance 0; pcre:"/\x28function\x28\x29\x7bfunction\x20([a-zA-Z0-9]+).*?else\x20setTimeout\x28\1\x2c10\x29\x7d\1\x28\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,wepawet.cs.ucsb.edu/view.php?hash=03c2bae0e0a779cda0f3a2c8679a46ef&type=js; classtype:trojan-activity; sid:21631; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Georbot variant outbound connection"; flow:to_server,established; http_uri; content:".php?ver="; content:"&cam=",distance 0; content:"&p=bot123",distance 1; content:"&id=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.eset.com/wp-content/media_files/ESET_win32georbot_analysis_final.pdf; classtype:trojan-activity; sid:21622; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Dropper-23836 outbound connection"; flow:to_server,established; http_uri; content:"php?net=gnutella2&get=1&client=RAZA2."; http_header; content:"User-Agent|3A 20|Shareaza"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/77c5acc4209778042fe21829a6728815249026d459e7622cf62b113b2f76d553/analysis/; classtype:misc-activity; sid:21593; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/wsouth1.exe"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/file/bdec740dcbda605694bfa2bc9f463bec4e401f331d1452a5437222cf53b9d5d0/analysis/; classtype:trojan-activity; sid:21565; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/jucheck.exe"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/latest-report.html?resource=B49BCE1778F76F7D59909790B93CBB86; classtype:trojan-activity; sid:21564; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/rtce0"; content:".exe",distance 0; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/latest-report.html?resource=B49BCE1778F76F7D59909790B93CBB86; classtype:trojan-activity; sid:21563; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Bredolab variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_client_body; content:"smk=",depth 4; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kahn variant outbound connection"; flow:to_server,established; http_uri; content:"/panda/?u="; pcre:"/\x2fpanda\x2f\x3fu\x3d[a-z0-9]{32}/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,ddos.arbornetworks.com/2012/03/kahn/; reference:url,www.virustotal.com/file/3e37577f8bd7d4d248d414ec65b1c339e491d0d7c096c92e602c639faec7626f/analysis/; classtype:trojan-activity; sid:21552; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kahn outbound connection"; flow:to_server,established; http_method; content:"POST"; http_header; content:"Content-Length|3A 20|1000002"; http_client_body; content:"z=",depth 2; http_uri; pcre:"/\/$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,ddos.arbornetworks.com/2012/03/kahn/; reference:url,www.virustotal.com/file/3e37577f8bd7d4d248d414ec65b1c339e491d0d7c096c92e602c639faec7626f/analysis/; classtype:trojan-activity; sid:21551; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Cutwail landing page connection"; flow:to_client,established; file_data; content:"<h1>WAIT PLEASE</h1>|0D 0A 20|<h3>Loading...</h3>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,en.wikipedia.org/wiki/Cutwail_botnet; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2FCutwail; classtype:attempted-user; sid:21548; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"/getcmd.php?id="; content:"&traff=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/c31f47dddc4d15dacecb47408248b4f12e2ad5c829299d7223eb36f7ecbc6db3/analysis/; classtype:trojan-activity; sid:21547; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Dofoil variant outbound payload request"; flow:to_server,established; http_uri; content:".exe"; pkt_data; content:"HTTP/1.0"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; content:!"Accept|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21538; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"/UpdateInfo2.xml",fast_pattern; http_header; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/3303912ce4dd35cb0fefe2d6fbc75a887c2734d42e5edd622609a2c8bedd0dae/analysis/; classtype:trojan-activity; sid:21525; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALNfY"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10077; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALNBp"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10076; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALEir"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10075; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCEgAH0PRKH5o+uIAAF5sAAAAwgAAJgAAVee+"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10074; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCEgAH0PRKH5o+uIAAF5sAAAAwgAAJgAAVW0u"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10073; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7+1C"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10072; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7/dT"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10071; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA73lo"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10070; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA78Ej"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10069; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7xSw"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10068; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA71DL"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10067; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCOoZ0r3G4BoF+sIAADJgAAAArAAAJgAAuru3"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10066; rev:8; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkCCOqHqPmgGbzTU9IAAA1jAAAArAAAJgAACeJY"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; classtype:trojan-activity; sid:10065; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-CNC yarner.b smtp propagation detection"; flow:to_server,established; content:"From|3A|",nocase; content:"Trojaner-Info<webmaster@trojaner-info.de>",distance 0,nocase; content:"Subject|3A|",nocase; content:"Trojaner-Info Newsletter",distance 0,nocase; pcre:"/^From\x3A[^\r\n]*Trojaner-Info<webmaster@trojaner-info\x2Ede>/smi"; pcre:"/^Subject\x3A[^\r\n]*Trojaner-Info\sNewsletter/smi"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips drop; service:smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-021912-4244-99&tabid=2; classtype:trojan-activity; sid:9329; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 99 ( msg:"MALWARE-CNC Win.Trojan.QQFish variant outbound connection"; flow:to_server,established; content:"AddSetup|2E|asp|3F|id|3D|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=d8ea9a2f510ed38a95690bca1ae536d2f8f9bda4fd2715ebba261274a5837528-1286946878; classtype:trojan-activity; sid:19057; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.QQFish variant outbound connection"; flow:to_server,established; http_uri; content:"AddSetup|2E|asp|3F|id|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d8ea9a2f510ed38a95690bca1ae536d2f8f9bda4fd2715ebba261274a5837528-1286946878; classtype:trojan-activity; sid:19056; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.QQFish variant outbound connection"; flow:to_server,established; http_uri; content:"AddSetup|2E|asp|3F|id|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=d8ea9a2f510ed38a95690bca1ae536d2f8f9bda4fd2715ebba261274a5837528-1286946878; classtype:trojan-activity; sid:19056; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 143 ( msg:"MALWARE-CNC Win.Trojan.Jzzer.A variant outbound connection"; flow:to_server,established; content:"MSG 5 N 130|0D 0A|",depth 13; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=279e27c133e0375b42a640dae66eecf5e42a1ec001c68eb68bcbdf36c3cbf09e-1286668083; classtype:trojan-activity; sid:19038; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.hacktool variant outbound connection"; flow:to_server,established; http_uri; content:"/update",nocase; http_header; content:"Mozilla/4.75",fast_pattern,nocase; pcre:"/\x2Fupdate\w\x2Ephp\x3Fp\x3D\d+.*User\x2DAgent\x3A\s+Mozilla\x2F4\x2E75\s\x5Ben\x5D\s\x28X11\x3B\sU\x3B\sLinux\s2\x2E2\x2E16\x2D3\si686\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=f602982724b3562b80f435f0d87c6a5f; classtype:trojan-activity; sid:16496; rev:11; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC RSPlug Win.Trojan.file download"; flow:to_client,established; file_data; content:"|23|!/bin/sh",nocase; content:"<|22|!0<FEM87|29|Y4V5R=FEC92!|5C 28|'-E9|22|`",distance 50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:misc-activity; sid:15565; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC RSPlug Win.Trojan.file download"; flow:to_client,established; file_data; content:"|23|!/bin/sh",nocase; content:"4A4*FD32[8|22|-|29|Y|22|4|28|EB|28 22|!&0H|28 22|8",distance 50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:misc-activity; sid:15564; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC RSPlug Win.Trojan.server connection"; flow:to_server,established; http_header; content:"GET /cgi-bin/generator.pl HTTP/1.0|0D 0A|User-Agent|3A| "; content:"1|3B|7017|3B|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:trojan-activity; sid:15563; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/?ini="; http_client_body; content:"data=",depth 5; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/9fd42ddde9f50512f9611da187232bb17b8ded18e2ba5833203e025281cc575f/analysis/; classtype:trojan-activity; sid:21441; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Murofet variant outbound connection"; flow:to_server,established; http_uri; content:".php?w=",nocase; content:"&n=",distance 0; pcre:"/\.php\x3fw\x3d\d+\x26n\x3d\d+/"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/aeab4913c8bb1f7f9e40258c323878969b439cf411bb2acab991bba975ada54e/analysis/; classtype:trojan-activity; sid:21440; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Startpage variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/get_config.cgi"; http_header; content:"x-company|3A 20|soft2pcfr"; content:"User-Agent|3A 20|EoAgence",fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/c96a0bbedc16bc05904b3d60b63976825efa23493a01410c7c8d0cad7b1551c7/analysis/; classtype:trojan-activity; sid:21436; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Mentor inbound connection - post infection"; flow:to_client,established; flowbits:isset,trojan.mentor; file_data; content:"[UPDATE]|0D 0A|VER = "; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/e7b27ac6d0268b4170a428fdec827078d36723e2abace1fc521cc6e5c6310e54/analysis/; classtype:trojan-activity; sid:21435; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Mentor outbound connection"; flow:to_server,established; http_uri; content:"/updates.ini"; http_header; content:!"Referer"; flowbits:set,trojan.mentor; flowbits:noalert; metadata:service http; reference:url,www.virustotal.com/file/e7b27ac6d0268b4170a428fdec827078d36723e2abace1fc521cc6e5c6310e54/analysis/; classtype:trojan-activity; sid:21434; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.W32.BeeOne runtime traffic detected"; flow:to_client,established; file_data; content:"cbs.firstcitiz"; content:"ibbpowerlink.com",distance 0; content:"cashmanager.mizuhoe-treasurer.com",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1f14a55b06447c5e8b4c7f4153314daf295aaf413d8c645263273574b755e71f/analysis/; classtype:trojan-activity; sid:21430; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Trojan.Generic-24 outbound connection"; flow:to_server,established; http_uri; content:".php?email="; content:"&lici=",distance 0; content:"&ver=",distance 0; http_header; content:!"User-Agent|3A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/633b96e0c60187b5c583686e75eddabe1cb635d46b794d335ceb81a3944a0806/analysis/; classtype:trojan-activity; sid:21428; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Trojan.Delf variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/update.aspx",fast_pattern; http_header; content:"Accept-Language|3A 20|zh-cn|0D 0A|"; http_client_body; content:"a=",depth 2; content:"&v=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:21427; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; http_uri; content:"/tadonot.php"; http_header; content:"User-Agent|3A| Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_client_body; content:"pcnome=",depth 7,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/0f1f5002b63f0fbd1014951ee762084fd34de66e8e867e63e63712f4cba8f303/analysis/; classtype:trojan-activity; sid:21426; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.FareIt outbound connection"; flow:to_server,established; http_client_body; content:"CRYPTED0",depth 8; http_method; content:"POST"; http_uri; content:".php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=659ea4753a64cce6ac15e78802a21c5ba75596ff5a9d112295ba3484b1033064-1305081015; reference:url,www.virustotal.com/file/f159e0e7ae312472e09742d8f9d7a45e655a943cf2ec3195f56c6af15df1039a/analysis/; classtype:trojan-activity; sid:21418; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FakeAV TDSS/PurpleHaze outbound connection - base64 encoded"; flow:to_server,established; http_header; content:"Accept-Language|3A 20|en-US|0D 0A|User-Agent|3A 20|Mozilla/4.0|20|(compatible"; content:!"Referer"; pkt_data; pkt_data; content:"GET /",depth 5; base64_decode:relative; base64_data; content:"cl|7C|1.6|7C|"; content:"|7C|161",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html; classtype:trojan-activity; sid:21318; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Dofoil variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/hhh/index.php"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_client_body; content:"smk="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21313; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Dofoil variant outbound connection"; flow:to_server,established; http_uri; content:"/send/log.php"; http_client_body; content:"id="; content:"link=",distance 0; content:"password=",distance 0; content:"debug=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21311; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Spyeye variant outbound connectivity check"; flow:to_server,established; http_uri; content:"/ib2/"; http_header; content:"Referer|3A 20|http|3A 2F 2F|disney.com|2F|index.html"; http_uri; pcre:"/\x2fib2\x2f$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/10b9e42a99890e672c8d3da3bdbe375d681ec9c21a7f7e165041186614d51584/analysis/; classtype:trojan-activity; sid:21306; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Cycbot variant outbound connection"; flow:to_server,established; http_uri; content:"?sv=",fast_pattern; content:"&tq=",distance 0; http_header; content:"User-Agent|3A 20|chrome/9.0|0D 0A|"; http_uri; pcre:"/\x3fsv\x3d\d{1,3}\x26tq\x3d/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b9231471a9af849ccf3690ebc12cdc7ac4d942f6e417ba7261e7a4414bf1e329/analysis/; classtype:trojan-activity; sid:21269; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MsUpdater outbound connection"; flow:to_server,established; http_uri; content:"/redirect.php?id="; content:"&u=",distance 0; content:"&cv=",distance 0; content:"&sv=",distance 0; content:"&os=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/735fd8ce66e6f0e412f18242d37c12fb38f26f471051eac2f0fe2df89d0e4966/analysis/; classtype:trojan-activity; sid:21242; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MsUpdater initial outbound connection"; flow:to_server,established; http_uri; content:"/search?qu="; http_header; content:"User-Agent|3A 20|Firefox|2F|2.0.0.2|0D 0A|"; http_cookie; content:"PREF=ID="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; classtype:trojan-activity; sid:21241; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MsUpdater outbound connection"; flow:to_server,established; http_uri; content:"/search"; content:"?h1=",distance 0; content:"&h2=",distance 0; content:"&h3=",distance 0; content:"&h4=",distance 0; http_header; content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|"; pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; classtype:trojan-activity; sid:21240; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"/logo.png?"; content:"&tq=",distance 0; content:"gSoSEU",distance 0; pcre:"/logo\.png\x3f(sv\x3d\d{1,3})?\x26tq\x3d.*?SoSEU/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b9231471a9af849ccf3690ebc12cdc7ac4d942f6e417ba7261e7a4414bf1e329/analysis/; classtype:trojan-activity; sid:21239; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Spyeye-207 outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/rec.php",nocase; http_client_body; content:"data="; http_uri; pcre:"/rec\.php$/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=7595cde4ead4c3ad0015a2797fd5f9e6217bad2bf6e2d78576c924978c83b0cc-1323385736; classtype:trojan-activity; sid:20927; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Spyeye-206 outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:!"vcs="; http_uri; content:"/gate.php"; http_client_body; content:"data=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,spyeyetracker.abuse.ch; classtype:trojan-activity; sid:20763; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacOS.Flashback.A outbound connection"; flow:to_server,established; http_uri; content:"/counter/",nocase; http_header; content:"User|2D|Agent|3A| ",nocase; content:"install|20 28|unknown version|29|",within 64,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=8061839dfd1167b115865120728c806791f40ee422760866f303607dbd8a9dda-1319210978; reference:url,www.virustotal.com/file-scan/report.html?id=baa14d6bfbff020007c330aa7872e89337fd0036ebfdfa4b4f1d61565c2b0f96-1318536797; classtype:trojan-activity; sid:20762; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gbot.oce outbound connection"; flow:to_server,established; http_uri; content:"index.html?tq="; http_header; content:"User-Agent|3A 20|mozilla/2.0|0D 0A|",fast_pattern; content:"Content-Length|3A 20|0|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=40324644d689f5cef21e9035d6b482079a94e540e18a93352acc32d48e9ba64e-1316072758; classtype:trojan-activity; sid:20759; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jorik variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|hello|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=9e75c7e39e9e740fd1579d73d457db319f277345022c0ab46c77d480a6f93fd8-1316968091; classtype:trojan-activity; sid:20756; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Krap outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|id=",nocase; content:"tick=",distance 0,nocase; content:"ver=",distance 0,nocase; content:"smtp=",distance 0,nocase; content:"task=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=18bf1732e9f22502b1b4b1eeb7ebde8249fb7551963a9e1e642efd1add5fde15-1293460542; classtype:trojan-activity; sid:20755; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Virut-3 outbound connection"; flow:to_server,established; http_uri; content:"default.php?qry="; content:"tgt=",distance 0; content:"searchKey=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=67a4a0ad409127cee7d4b384b500b6e88ca6b8ec95c8c1132adb8834604f4ad2-1313199983; classtype:trojan-activity; sid:20754; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.hacktool variant outbound connection"; flow:to_server,established; http_uri; content:"/update",nocase; http_header; content:"Mozilla/4.75",fast_pattern,nocase; pcre:"/\x2Fupdate\w\x2Ephp\x3Fp\x3D\d+.*User\x2DAgent\x3A\s+Mozilla\x2F4\x2E75\s\x5Ben\x5D\s\x28X11\x3B\sU\x3B\sLinux\s2\x2E2\x2E16\x2D3\si686\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=f602982724b3562b80f435f0d87c6a5f; classtype:trojan-activity; sid:16496; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC RSPlug Win.Trojan.file download"; flow:to_client,established; file_data; content:"|23|!/bin/sh",nocase; content:"<|22|!0<FEM87|29|Y4V5R=FEC92!|5C 28|'-E9|22|`",distance 50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:misc-activity; sid:15565; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC RSPlug Win.Trojan.file download"; flow:to_client,established; file_data; content:"|23|!/bin/sh",nocase; content:"4A4*FD32[8|22|-|29|Y|22|4|28|EB|28 22|!&0H|28 22|8",distance 50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:misc-activity; sid:15564; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC RSPlug Win.Trojan.server connection"; flow:to_server,established; http_header; content:"GET /cgi-bin/generator.pl HTTP/1.0|0D 0A|User-Agent|3A| "; content:"1|3B|7017|3B|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:trojan-activity; sid:15563; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/?ini="; http_client_body; content:"data=",depth 5; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/9fd42ddde9f50512f9611da187232bb17b8ded18e2ba5833203e025281cc575f/analysis/; classtype:trojan-activity; sid:21441; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Murofet variant outbound connection"; flow:to_server,established; http_uri; content:".php?w=",nocase; content:"&n=",distance 0; pcre:"/\.php\x3fw\x3d\d+\x26n\x3d\d+/"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/aeab4913c8bb1f7f9e40258c323878969b439cf411bb2acab991bba975ada54e/analysis/; classtype:trojan-activity; sid:21440; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Startpage variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/get_config.cgi"; http_header; content:"x-company|3A 20|soft2pcfr"; content:"User-Agent|3A 20|EoAgence",fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/c96a0bbedc16bc05904b3d60b63976825efa23493a01410c7c8d0cad7b1551c7/analysis/; classtype:trojan-activity; sid:21436; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Mentor inbound connection - post infection"; flow:to_client,established; flowbits:isset,trojan.mentor; file_data; content:"[UPDATE]|0D 0A|VER = "; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/e7b27ac6d0268b4170a428fdec827078d36723e2abace1fc521cc6e5c6310e54/analysis/; classtype:trojan-activity; sid:21435; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Mentor outbound connection"; flow:to_server,established; http_uri; content:"/updates.ini"; http_header; content:!"Referer"; flowbits:set,trojan.mentor; flowbits:noalert; service:http; reference:url,www.virustotal.com/file/e7b27ac6d0268b4170a428fdec827078d36723e2abace1fc521cc6e5c6310e54/analysis/; classtype:trojan-activity; sid:21434; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.W32.BeeOne runtime traffic detected"; flow:to_client,established; file_data; content:"cbs.firstcitiz"; content:"ibbpowerlink.com",distance 0; content:"cashmanager.mizuhoe-treasurer.com",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/1f14a55b06447c5e8b4c7f4153314daf295aaf413d8c645263273574b755e71f/analysis/; classtype:trojan-activity; sid:21430; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Trojan.Generic-24 outbound connection"; flow:to_server,established; http_uri; content:".php?email="; content:"&lici=",distance 0; content:"&ver=",distance 0; http_header; content:!"User-Agent|3A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/633b96e0c60187b5c583686e75eddabe1cb635d46b794d335ceb81a3944a0806/analysis/; classtype:trojan-activity; sid:21428; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Trojan.Delf variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/update.aspx",fast_pattern; http_header; content:"Accept-Language|3A 20|zh-cn|0D 0A|"; http_client_body; content:"a=",depth 2; content:"&v=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:21427; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; http_uri; content:"/tadonot.php"; http_header; content:"User-Agent|3A| Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_client_body; content:"pcnome=",depth 7,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/0f1f5002b63f0fbd1014951ee762084fd34de66e8e867e63e63712f4cba8f303/analysis/; classtype:trojan-activity; sid:21426; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.FareIt outbound connection"; flow:to_server,established; http_client_body; content:"CRYPTED0",depth 8; http_method; content:"POST"; http_uri; content:".php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=659ea4753a64cce6ac15e78802a21c5ba75596ff5a9d112295ba3484b1033064-1305081015; reference:url,www.virustotal.com/file/f159e0e7ae312472e09742d8f9d7a45e655a943cf2ec3195f56c6af15df1039a/analysis/; classtype:trojan-activity; sid:21418; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FakeAV TDSS/PurpleHaze outbound connection - base64 encoded"; flow:to_server,established; http_header; content:"Accept-Language|3A 20|en-US|0D 0A|User-Agent|3A 20|Mozilla/4.0|20|(compatible"; content:!"Referer"; pkt_data; pkt_data; content:"GET /",depth 5; base64_decode:relative; base64_data; content:"cl|7C|1.6|7C|"; content:"|7C|161",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html; classtype:trojan-activity; sid:21318; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Dofoil variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/hhh/index.php"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_client_body; content:"smk="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21313; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Dofoil variant outbound connection"; flow:to_server,established; http_uri; content:"/send/log.php"; http_client_body; content:"id="; content:"link=",distance 0; content:"password=",distance 0; content:"debug=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21311; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Spyeye variant outbound connectivity check"; flow:to_server,established; http_uri; content:"/ib2/"; http_header; content:"Referer|3A 20|http|3A 2F 2F|disney.com|2F|index.html"; http_uri; pcre:"/\x2fib2\x2f$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/10b9e42a99890e672c8d3da3bdbe375d681ec9c21a7f7e165041186614d51584/analysis/; classtype:trojan-activity; sid:21306; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Cycbot variant outbound connection"; flow:to_server,established; http_uri; content:"?sv=",fast_pattern; content:"&tq=",distance 0; http_header; content:"User-Agent|3A 20|chrome/9.0|0D 0A|"; http_uri; pcre:"/\x3fsv\x3d\d{1,3}\x26tq\x3d/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b9231471a9af849ccf3690ebc12cdc7ac4d942f6e417ba7261e7a4414bf1e329/analysis/; classtype:trojan-activity; sid:21269; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MsUpdater outbound connection"; flow:to_server,established; http_uri; content:"/redirect.php?id="; content:"&u=",distance 0; content:"&cv=",distance 0; content:"&sv=",distance 0; content:"&os=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/735fd8ce66e6f0e412f18242d37c12fb38f26f471051eac2f0fe2df89d0e4966/analysis/; classtype:trojan-activity; sid:21242; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MsUpdater initial outbound connection"; flow:to_server,established; http_uri; content:"/search?qu="; http_header; content:"User-Agent|3A 20|Firefox|2F|2.0.0.2|0D 0A|"; http_cookie; content:"PREF=ID="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; classtype:trojan-activity; sid:21241; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MsUpdater outbound connection"; flow:to_server,established; http_uri; content:"/search"; content:"?h1=",distance 0; content:"&h2=",distance 0; content:"&h3=",distance 0; content:"&h4=",distance 0; http_header; content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|"; pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; classtype:trojan-activity; sid:21240; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"/logo.png?"; content:"&tq=",distance 0; content:"gSoSEU",distance 0; pcre:"/logo\.png\x3f(sv\x3d\d{1,3})?\x26tq\x3d.*?SoSEU/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b9231471a9af849ccf3690ebc12cdc7ac4d942f6e417ba7261e7a4414bf1e329/analysis/; classtype:trojan-activity; sid:21239; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Spyeye-207 outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/rec.php",nocase; http_client_body; content:"data="; http_uri; pcre:"/rec\.php$/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=7595cde4ead4c3ad0015a2797fd5f9e6217bad2bf6e2d78576c924978c83b0cc-1323385736; classtype:trojan-activity; sid:20927; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Spyeye-206 outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:!"vcs="; http_uri; content:"/gate.php"; http_client_body; content:"data=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,spyeyetracker.abuse.ch; classtype:trojan-activity; sid:20763; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacOS.Flashback.A outbound connection"; flow:to_server,established; http_uri; content:"/counter/",nocase; http_header; content:"User|2D|Agent|3A| ",nocase; content:"install|20 28|unknown version|29|",within 64,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=8061839dfd1167b115865120728c806791f40ee422760866f303607dbd8a9dda-1319210978; reference:url,www.virustotal.com/file-scan/report.html?id=baa14d6bfbff020007c330aa7872e89337fd0036ebfdfa4b4f1d61565c2b0f96-1318536797; classtype:trojan-activity; sid:20762; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gbot.oce outbound connection"; flow:to_server,established; http_uri; content:"index.html?tq="; http_header; content:"User-Agent|3A 20|mozilla/2.0|0D 0A|",fast_pattern; content:"Content-Length|3A 20|0|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=40324644d689f5cef21e9035d6b482079a94e540e18a93352acc32d48e9ba64e-1316072758; classtype:trojan-activity; sid:20759; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jorik variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|hello|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=9e75c7e39e9e740fd1579d73d457db319f277345022c0ab46c77d480a6f93fd8-1316968091; classtype:trojan-activity; sid:20756; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Krap outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|id=",nocase; content:"tick=",distance 0,nocase; content:"ver=",distance 0,nocase; content:"smtp=",distance 0,nocase; content:"task=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=18bf1732e9f22502b1b4b1eeb7ebde8249fb7551963a9e1e642efd1add5fde15-1293460542; classtype:trojan-activity; sid:20755; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Virut-3 outbound connection"; flow:to_server,established; http_uri; content:"default.php?qry="; content:"tgt=",distance 0; content:"searchKey=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=67a4a0ad409127cee7d4b384b500b6e88ca6b8ec95c8c1132adb8834604f4ad2-1313199983; classtype:trojan-activity; sid:20754; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 22292 ( msg:"MALWARE-CNC Sirefef initial C&C connection outbound connection"; flow:to_server,established; content:"|E5 AA C0 31 A9 BF DC CB 31 5B|",depth 10; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=097494387732a6d04a1ecced4b99b7ea8c9e4b3a411f1ec40560c6ba1be9dda8-1316018109; classtype:trojan-activity; sid:20527; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"query=",nocase; content:"data=",distance 0,nocase; content:"Computer Name=",distance 0,nocase; content:"Admin=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=a33c348c55ba2bddce89a7c51cac117a; classtype:trojan-activity; sid:20281; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"auth=",nocase; content:"version=",distance 0,nocase; content:"port25=",distance 0,nocase; content:"architecture=",distance 0,nocase; content:"rights=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=a33c348c55ba2bddce89a7c51cac117a; classtype:trojan-activity; sid:20280; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cycbot outbound connection"; flow:to_server,established; http_uri; content:"&tq=g"; pcre:"/\x2e(jpg|png|gif)\x3fs?v.*?&tq=g[A-Z0-9]{2}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=01fabe4ad1552f4d61b614a319c90b33a6b6b48c5da63965924b687e3f251ca8-1316273623; classtype:trojan-activity; sid:20232; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jinchodz variant outbound connection"; flow:to_server,established; http_uri; content:".exe",nocase; http_header; content:"User-Agent|3A 20|Agent"; http_uri; pcre:"/^\/\d\x2eexe/i"; http_header; pcre:"/User-Agent\x3a\x20Agent\d{5,9}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=59c54a224ccff90e4e2f89a5ca5d60c974d00e7a5d2b738abbeba6542eecfc0d-1316515617; classtype:trojan-activity; sid:20229; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Hupigon variant outbound connection"; flow:to_server,established; http_uri; content:"/ip.txt",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|"; pkt_data; content:!"Referer"; http_header; pcre:"/^User-Agent\x3a\x20[A-Z]{9}\x0d\x0a/m"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d72cf20f79da69781b0a7decdd9dfb1ffa2d62f75576861327eb0efd5da228d9-1314752283; classtype:trojan-activity; sid:20228; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Injector outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Opera|5C|9.64|0A|"; http_uri; content:"bb.php?v="; content:"id=",distance 0; content:"b=",distance 0; content:"tm=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file-scan/report.html?id=2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2-1303397086; classtype:trojan-activity; sid:20221; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/gs.php",nocase; http_header; content:"Synapse",nocase; content:"Content-Length|3A| 12",distance 0,nocase; http_client_body; content:"id="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=07d2e3f1eaaeffefa493a9e2b81c8a92bc9ac29409920a0b9f02bf6a07f1dfe6-1316107850; reference:url,www.virustotal.com/file-scan/report.html?id=5ed1654c72a0d6f274f61e3b3c61b247463533c7136f4e9d8dd63d408ca7f5b0-1315791284; reference:url,www.virustotal.com/file-scan/report.html?id=eff9b75161853b46ad9f492480b3d39cbdbd23b02c16d50b291a3797b9bb4db8-1316416732; classtype:trojan-activity; sid:20213; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Taidoor outbound connection"; flow:to_server,established; content:".php?id=0",nocase; http_uri; content:"111D30",fast_pattern,nocase; pcre:"/^\/[a-z]{5}\.php\?id=0\d{5}111D30[a-zA-Z0-9]{6}$/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0611; reference:url,contagiodump.blogspot.com/2011/06/jun-22-cve-2011-0611-pdf-swf-fruits-of.html; reference:url,www.virustotal.com/file-scan/report.html?id=145d64f38564eafa4fb5da0722c0e7348168024d32ada5cfb37a49f5811cb6b8-1315612892; classtype:trojan-activity; sid:20204; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Revir-1 outbound connection"; flow:to_server,established; http_uri; content:"/cdmax",nocase; pcre:"/^\/cdmax$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=b1e52289977e72ef905e07cbec8a7fbb72706fd2450aadb90acaf5377c0be8ef-1317048445; classtype:trojan-activity; sid:20202; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Yakes.cbi outbound connection"; flow:to_server,established; http_uri; content:"/gate.php?v=",nocase; content:"|26|b|3D|",distance 0,nocase; content:"|26|r|3D|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=5deaa7b46f1820c7776339bf975b9b8ac5fa50ceb36967989c06b03a3e980e33-1314937203; classtype:trojan-activity; sid:20081; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Briewots.A runtime traffic detected"; flow:to_server,established; http_uri; content:"/geo/countrybyip.php",nocase; http_header; content:"User-Agent|3A| User Agent"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=f8433bdde30354db80ebce58b2c866ea; classtype:trojan-activity; sid:20011; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Waledac outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:".png"; pkt_data; content:"|0A|a=",nocase; content:"&b=AAAAAA",distance 0,fast_pattern,nocase; http_uri; pcre:"/\x2F[a-z]+\x2epng/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=6075bdd818db6d78a0ecd889383e09c61900c1735a00c5948dde4e27d17a4c65-1245685985; classtype:trojan-activity; sid:19995; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.DelfInject.gen!X outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/account?mode=auth",nocase; http_client_body; content:"user=",nocase; content:"pss=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=90dab78d3ce340823d736c11b7b6e20b7566d7e545efdac8527c6786e86d3506-1310995856; classtype:trojan-activity; sid:19912; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bobax botnet variant outbound connection"; flow:to_server,established; http_uri; content:"&wr="; content:"/reg?"; pcre:"/\x26tv\x3d\d\.\d\.\d{4}\.\d{4}/smi"; pcre:"/u=[\dA-Fa-f]{8}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatexpert.com/report.aspx?md5=89f6a4c3973f54c2bee9f50f62428278; classtype:trojan-activity; sid:16489; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Tracur variant outbound connection"; flow:to_server,established; http_uri; content:"fQ_fQ_fQ_fQ"; pcre:"/mJKV[^\s\x0D\x0A]+1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=9a0b76500490d528b60e6a5662bf2d41; classtype:trojan-activity; sid:19801; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"query=",nocase; content:"data=",distance 0,nocase; content:"Computer Name=",distance 0,nocase; content:"Admin=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=a33c348c55ba2bddce89a7c51cac117a; classtype:trojan-activity; sid:20281; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"auth=",nocase; content:"version=",distance 0,nocase; content:"port25=",distance 0,nocase; content:"architecture=",distance 0,nocase; content:"rights=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=a33c348c55ba2bddce89a7c51cac117a; classtype:trojan-activity; sid:20280; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cycbot outbound connection"; flow:to_server,established; http_uri; content:"&tq=g"; pcre:"/\x2e(jpg|png|gif)\x3fs?v.*?&tq=g[A-Z0-9]{2}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=01fabe4ad1552f4d61b614a319c90b33a6b6b48c5da63965924b687e3f251ca8-1316273623; classtype:trojan-activity; sid:20232; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jinchodz variant outbound connection"; flow:to_server,established; http_uri; content:".exe",nocase; http_header; content:"User-Agent|3A 20|Agent"; http_uri; pcre:"/^\/\d\x2eexe/i"; http_header; pcre:"/User-Agent\x3a\x20Agent\d{5,9}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=59c54a224ccff90e4e2f89a5ca5d60c974d00e7a5d2b738abbeba6542eecfc0d-1316515617; classtype:trojan-activity; sid:20229; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Hupigon variant outbound connection"; flow:to_server,established; http_uri; content:"/ip.txt",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|"; pkt_data; content:!"Referer"; http_header; pcre:"/^User-Agent\x3a\x20[A-Z]{9}\x0d\x0a/m"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=d72cf20f79da69781b0a7decdd9dfb1ffa2d62f75576861327eb0efd5da228d9-1314752283; classtype:trojan-activity; sid:20228; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Injector outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Opera|5C|9.64|0A|"; http_uri; content:"bb.php?v="; content:"id=",distance 0; content:"b=",distance 0; content:"tm=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2-1303397086; classtype:trojan-activity; sid:20221; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/gs.php",nocase; http_header; content:"Synapse",nocase; content:"Content-Length|3A| 12",distance 0,nocase; http_client_body; content:"id="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=07d2e3f1eaaeffefa493a9e2b81c8a92bc9ac29409920a0b9f02bf6a07f1dfe6-1316107850; reference:url,www.virustotal.com/file-scan/report.html?id=5ed1654c72a0d6f274f61e3b3c61b247463533c7136f4e9d8dd63d408ca7f5b0-1315791284; reference:url,www.virustotal.com/file-scan/report.html?id=eff9b75161853b46ad9f492480b3d39cbdbd23b02c16d50b291a3797b9bb4db8-1316416732; classtype:trojan-activity; sid:20213; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Taidoor outbound connection"; flow:to_server,established; content:".php?id=0",nocase; http_uri; content:"111D30",fast_pattern,nocase; pcre:"/^\/[a-z]{5}\.php\?id=0\d{5}111D30[a-zA-Z0-9]{6}$/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-0611; reference:url,contagiodump.blogspot.com/2011/06/jun-22-cve-2011-0611-pdf-swf-fruits-of.html; reference:url,www.virustotal.com/file-scan/report.html?id=145d64f38564eafa4fb5da0722c0e7348168024d32ada5cfb37a49f5811cb6b8-1315612892; classtype:trojan-activity; sid:20204; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Revir-1 outbound connection"; flow:to_server,established; http_uri; content:"/cdmax",nocase; pcre:"/^\/cdmax$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=b1e52289977e72ef905e07cbec8a7fbb72706fd2450aadb90acaf5377c0be8ef-1317048445; classtype:trojan-activity; sid:20202; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Yakes.cbi outbound connection"; flow:to_server,established; http_uri; content:"/gate.php?v=",nocase; content:"|26|b|3D|",distance 0,nocase; content:"|26|r|3D|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=5deaa7b46f1820c7776339bf975b9b8ac5fa50ceb36967989c06b03a3e980e33-1314937203; classtype:trojan-activity; sid:20081; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Briewots.A runtime traffic detected"; flow:to_server,established; http_uri; content:"/geo/countrybyip.php",nocase; http_header; content:"User-Agent|3A| User Agent"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=f8433bdde30354db80ebce58b2c866ea; classtype:trojan-activity; sid:20011; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Waledac outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:".png"; pkt_data; content:"|0A|a=",nocase; content:"&b=AAAAAA",distance 0,fast_pattern,nocase; http_uri; pcre:"/\x2F[a-z]+\x2epng/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=6075bdd818db6d78a0ecd889383e09c61900c1735a00c5948dde4e27d17a4c65-1245685985; classtype:trojan-activity; sid:19995; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.DelfInject.gen!X outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/account?mode=auth",nocase; http_client_body; content:"user=",nocase; content:"pss=",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=90dab78d3ce340823d736c11b7b6e20b7566d7e545efdac8527c6786e86d3506-1310995856; classtype:trojan-activity; sid:19912; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bobax botnet variant outbound connection"; flow:to_server,established; http_uri; content:"&wr="; content:"/reg?"; pcre:"/\x26tv\x3d\d\.\d\.\d{4}\.\d{4}/smi"; pcre:"/u=[\dA-Fa-f]{8}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,threatexpert.com/report.aspx?md5=89f6a4c3973f54c2bee9f50f62428278; classtype:trojan-activity; sid:16489; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Tracur variant outbound connection"; flow:to_server,established; http_uri; content:"fQ_fQ_fQ_fQ"; pcre:"/mJKV[^\s\x0D\x0A]+1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=9a0b76500490d528b60e6a5662bf2d41; classtype:trojan-activity; sid:19801; rev:4; )
alert udp $HOME_NET any -> $EXTERNAL_NET 9023 ( msg:"MALWARE-CNC Win.Trojan.Yoddos.A outbound connection"; dsize:112; content:"|9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity; sid:19771; rev:5; )
alert udp $HOME_NET any -> $EXTERNAL_NET 9023 ( msg:"MALWARE-CNC Win.Trojan.Yoddos.A outbound connection"; dsize:210; content:"|EA EA EA EA EA EA EA EA EA EA EA EA EA EA EA EA EA EA EA|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity; sid:19770; rev:5; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Yoddos.A outbound indicator"; itype:8; icode:0; content:"YYYYYYYYYYYYYYYYYYYYYYYYYYYY"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity; sid:19769; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker.BXF outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/aviso_c1.php",fast_pattern; http_client_body; content:"rotina|3D|",nocase; content:"maquina|3D|",distance 0,nocase; content:"instalado|3D|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=14ff9539ab76ab0f555dc4664c260709a576eb49fdb625784ee2e3ff0b1bfe07-1312898593; classtype:trojan-activity; sid:19765; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ftpharvxqq.A outbound connection"; flow:to_server,established; http_uri; content:"/hole.php"; http_client_body; content:"num=",nocase; content:"&buffer=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=595eea79c7a5e3c26650e9a1cbf780bf; classtype:trojan-activity; sid:19761; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker.BXF outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/aviso_c1.php",fast_pattern; http_client_body; content:"rotina|3D|",nocase; content:"maquina|3D|",distance 0,nocase; content:"instalado|3D|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=14ff9539ab76ab0f555dc4664c260709a576eb49fdb625784ee2e3ff0b1bfe07-1312898593; classtype:trojan-activity; sid:19765; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ftpharvxqq.A outbound connection"; flow:to_server,established; http_uri; content:"/hole.php"; http_client_body; content:"num=",nocase; content:"&buffer=",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=595eea79c7a5e3c26650e9a1cbf780bf; classtype:trojan-activity; sid:19761; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Idicaf.B outbound connection"; flow:to_server,established; dsize:732; content:"F335|00 00 00 00|",depth 8,offset 16; content:"Service|20|Pack",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=06f65e782ca9a306f81dc26265ea25a1fe820d6333fbdd64004f60d599601513-1312545424; classtype:trojan-activity; sid:19732; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Darkwebot.A outbound connection"; flow:to_server,established; http_uri; content:"/getcmd.php?uid=",nocase; content:"&ver=",nocase; content:"&traff=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=819550132c76f9ccaa51e87a332f0bace159ac47dc45932afd517e74ba692ed5-1311881202; classtype:trojan-activity; sid:19731; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.KukuBot.A outbound connection"; flow:to_server,established; http_uri; content:"/mrow_pin/?id",nocase; pkt_data; content:"|0A|User|2D|Agent|3A 20|KUKU v",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d9c46ecfc91366f43bf1a8e0172465fb3918cf3cf9339de82d47f5d8b1c84a75-1311886018; classtype:trojan-activity; sid:19730; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Pherbot.A outbound connection"; flow:to_server,established; http_uri; content:"bot.php?hwid="; content:"&pcname=",distance 0,nocase; content:"&antwort=",distance 5,nocase; content:"&os=",distance 5,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=40e7e0697fc7ae87d98497cbef5a4891f9d98eb36b609ce18f8b871a41168490-1311358921; classtype:trojan-activity; sid:19723; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Poshtroper.A outbound connection"; flow:to_server,established; http_uri; content:"/multireport/shop.php?fol=",nocase; content:"&ac=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=960e08967210caa1cf7587c7a25673f4fb611dbe575f0d437ba0b764b97e1461-1311016826; classtype:trojan-activity; sid:19722; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader W32.Genome.gen outbound connection"; flow:to_server,established; http_uri; content:"php?praquem=",nocase; content:"titulo=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=9b4c0118c802c3fc79c90764e9bf7c70e7efb8f04726785eb4f7f75f9785e61b-1307526633; classtype:trojan-activity; sid:19712; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Jorik variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|IE"; http_uri; content:"type|3D|stats",nocase; content:"affid|3D|508"; content:"subid|3D|new02",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=1e92508de36f878dceb369121364bd3d; classtype:trojan-activity; sid:19711; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.cer outbound connection"; flow:to_server,established; http_uri; content:"/com_plugin.php",nocase; http_client_body; content:"subject|3D|",nocase; content:"|26|message|3D|",distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f0adcc846220d1fbcbba69929f48ce928650228e6216d3211b9a116111154f9d-1307493565; classtype:trojan-activity; sid:19706; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.grdm outbound connection"; flow:to_server,established; http_uri; content:"/one.php?dwId=",nocase; http_header; content:"User-Agent|3A 20|Mozilla|0D 0A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=db03b00a06360745f0d126ccada6e9658ff943bd351262ecba06f32c07aa630f-1311386661; classtype:trojan-activity; sid:19705; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.grdm outbound connection"; flow:to_server,established; http_uri; content:"/one.php?inf=",nocase; http_header; content:"User-Agent|3A 20|Mozilla|0D 0A|",nocase; http_uri; pcre:"/\?inf\=[0-9a-f]{8}\x2Ex\d{2}\x2E\d{8}\x2E/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=db03b00a06360745f0d126ccada6e9658ff943bd351262ecba06f32c07aa630f-1311386661; classtype:trojan-activity; sid:19704; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm Win.Trojan.Dusta.br outbound connnection"; flow:to_server,established; http_uri; content:"/funtionsjs",nocase; http_header; content:"User-Agent|3A 20|vb|20|wininet|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=2083e1fca5aedbf9e496596933f92c62b532d01cb2f2d69ee9224d0706f27bb0-1310789129; classtype:trojan-activity; sid:19703; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zboter.E outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"board/index.php"; http_client_body; content:"name|3D 22|data|22 3B 20|filename|3D|",nocase; content:"|0D 0A 0D 0A|rRH5",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=418815d5a60624acdd57ef600cd74186a6b46a729335c3bd2e8e4af2c41957ba-1308112352; classtype:trojan-activity; sid:19702; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MCnovogic.A outbound connection"; flow:to_server,established; http_uri; content:"/Default.asp?usuario=",nocase; content:"|26|x=",within 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=438d0355c3203af924166453db66ad8b0ff7aee611848b4dda43a9068bf14958-1309764834; classtype:trojan-activity; sid:19658; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC FakeAV variant traffic"; flow:to_server; http_uri; content:"/1020",depth 5; pkt_data; content:"Windows NT 5.1)|0D 0A|"; content:"Accept: */*|0D 0A|",within 13; content:"Connection: close|0D 0A 0D 0A|",within 21; http_uri; pcre:"/\x2f1020\d{6,16}$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=01631197b30df842136af481372f266ebbd9eabb392d4a6554b88d4e23433363-1309345508; classtype:trojan-activity; sid:19657; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Savnut.B outbound connection"; flow:to_server,established; content:"&id=",nocase; content:"&version",distance 0,nocase; content:"&vendor=",distance 0,nocase; content:"&do=",distance 0,nocase; content:"&check=chck",distance 0,fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=4aad64ad4f2517983051818a818e449599f79ade89af672d0e90af53dcfff044-1307979492; classtype:trojan-activity; sid:19590; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Potao.A outbound connection"; flow:to_server,established; http_uri; content:"/task",nocase; http_client_body; content:"&code=",nocase; content:"&sdata=",nocase; content:"&dlen=",nocase; content:"&data=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d7a0f5b47e4fc181a306c276bd2b4b77155e165838451e82d62c1323f2aeac27-1308299017; classtype:trojan-activity; sid:19579; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Thinkpoint fake antivirus - credit card submission"; flow:to_server,established; http_uri; content:"bill.php",nocase; http_client_body; content:"cs1=roger",nocase; content:"product_id=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17816; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Thinkpoint fake antivirus - user display"; flow:to_server,established; http_uri; content:"index_new.php",nocase; content:"id=roger",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17815; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Rogue AV download/update attempt"; flow:to_server,established; http_uri; content:"|2F 3F|b|3D|1s1",fast_pattern,nocase; http_header; content:"Mozilla",nocase; pcre:"/^User\x2DAgent\x3A\s*Mozilla\x0d?$/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/analisis/2063df10f553afa6b1257e576fbf88cf98093ec1ae15c079e947994a96fbfadd-1274312088; classtype:trojan-activity; sid:16695; rev:5; )
-alert udp $HOME_NET any -> any 53 ( msg:"MALWARE-CNC Torpig bot sinkhole server DNS lookup"; flow:to_server; byte_test:1,!&,0xF8,2; content:"torpig-sinkhole|03|org",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/analisis/598c0628fb40a17405ee0a3146621460daeee46ac863810af822695153416a3f-1270655846; classtype:trojan-activity; sid:16693; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC TT-bot botnet variant outbound connection"; flow:to_server,established; http_header; content:"TT-Bot"; pkt_data; pcre:"/^User-Agent\x3A[^\r\n]*TT-Bot/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,anubis.iseclab.org/index.php?action=result&format=html&task_id=1494581651ca480640538ead93feabed2; classtype:trojan-activity; sid:16493; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Koobface worm executable download"; flow:to_server,established; http_uri; content:"|2E|sys|2F 3F|getexe|3D|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/analisis/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c-1270750352; classtype:trojan-activity; sid:16670; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Spyeye bot variant outbound connection"; flow:to_server,established; http_uri; content:"|2E|php|3F|guid|3D|",nocase; content:"ccrc|3D|",fast_pattern,nocase; content:"ver|3D|",nocase; content:"stat|3D|",nocase; content:"cpu|3D|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=84714c100d2dfc88629531f6456b8276; classtype:trojan-activity; sid:16669; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Darkwebot.A outbound connection"; flow:to_server,established; http_uri; content:"/getcmd.php?uid=",nocase; content:"&ver=",nocase; content:"&traff=",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=819550132c76f9ccaa51e87a332f0bace159ac47dc45932afd517e74ba692ed5-1311881202; classtype:trojan-activity; sid:19731; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.KukuBot.A outbound connection"; flow:to_server,established; http_uri; content:"/mrow_pin/?id",nocase; pkt_data; content:"|0A|User|2D|Agent|3A 20|KUKU v",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=d9c46ecfc91366f43bf1a8e0172465fb3918cf3cf9339de82d47f5d8b1c84a75-1311886018; classtype:trojan-activity; sid:19730; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Pherbot.A outbound connection"; flow:to_server,established; http_uri; content:"bot.php?hwid="; content:"&pcname=",distance 0,nocase; content:"&antwort=",distance 5,nocase; content:"&os=",distance 5,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=40e7e0697fc7ae87d98497cbef5a4891f9d98eb36b609ce18f8b871a41168490-1311358921; classtype:trojan-activity; sid:19723; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Poshtroper.A outbound connection"; flow:to_server,established; http_uri; content:"/multireport/shop.php?fol=",nocase; content:"&ac=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=960e08967210caa1cf7587c7a25673f4fb611dbe575f0d437ba0b764b97e1461-1311016826; classtype:trojan-activity; sid:19722; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader W32.Genome.gen outbound connection"; flow:to_server,established; http_uri; content:"php?praquem=",nocase; content:"titulo=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=9b4c0118c802c3fc79c90764e9bf7c70e7efb8f04726785eb4f7f75f9785e61b-1307526633; classtype:trojan-activity; sid:19712; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Jorik variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|IE"; http_uri; content:"type|3D|stats",nocase; content:"affid|3D|508"; content:"subid|3D|new02",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=1e92508de36f878dceb369121364bd3d; classtype:trojan-activity; sid:19711; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.cer outbound connection"; flow:to_server,established; http_uri; content:"/com_plugin.php",nocase; http_client_body; content:"subject|3D|",nocase; content:"|26|message|3D|",distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=f0adcc846220d1fbcbba69929f48ce928650228e6216d3211b9a116111154f9d-1307493565; classtype:trojan-activity; sid:19706; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.grdm outbound connection"; flow:to_server,established; http_uri; content:"/one.php?dwId=",nocase; http_header; content:"User-Agent|3A 20|Mozilla|0D 0A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=db03b00a06360745f0d126ccada6e9658ff943bd351262ecba06f32c07aa630f-1311386661; classtype:trojan-activity; sid:19705; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.grdm outbound connection"; flow:to_server,established; http_uri; content:"/one.php?inf=",nocase; http_header; content:"User-Agent|3A 20|Mozilla|0D 0A|",nocase; http_uri; pcre:"/\?inf\=[0-9a-f]{8}\x2Ex\d{2}\x2E\d{8}\x2E/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=db03b00a06360745f0d126ccada6e9658ff943bd351262ecba06f32c07aa630f-1311386661; classtype:trojan-activity; sid:19704; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm Win.Trojan.Dusta.br outbound connnection"; flow:to_server,established; http_uri; content:"/funtionsjs",nocase; http_header; content:"User-Agent|3A 20|vb|20|wininet|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=2083e1fca5aedbf9e496596933f92c62b532d01cb2f2d69ee9224d0706f27bb0-1310789129; classtype:trojan-activity; sid:19703; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zboter.E outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"board/index.php"; http_client_body; content:"name|3D 22|data|22 3B 20|filename|3D|",nocase; content:"|0D 0A 0D 0A|rRH5",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=418815d5a60624acdd57ef600cd74186a6b46a729335c3bd2e8e4af2c41957ba-1308112352; classtype:trojan-activity; sid:19702; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MCnovogic.A outbound connection"; flow:to_server,established; http_uri; content:"/Default.asp?usuario=",nocase; content:"|26|x=",within 5; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=438d0355c3203af924166453db66ad8b0ff7aee611848b4dda43a9068bf14958-1309764834; classtype:trojan-activity; sid:19658; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC FakeAV variant traffic"; flow:to_server; http_uri; content:"/1020",depth 5; pkt_data; content:"Windows NT 5.1)|0D 0A|"; content:"Accept: */*|0D 0A|",within 13; content:"Connection: close|0D 0A 0D 0A|",within 21; http_uri; pcre:"/\x2f1020\d{6,16}$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=01631197b30df842136af481372f266ebbd9eabb392d4a6554b88d4e23433363-1309345508; classtype:trojan-activity; sid:19657; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Savnut.B outbound connection"; flow:to_server,established; content:"&id=",nocase; content:"&version",distance 0,nocase; content:"&vendor=",distance 0,nocase; content:"&do=",distance 0,nocase; content:"&check=chck",distance 0,fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=4aad64ad4f2517983051818a818e449599f79ade89af672d0e90af53dcfff044-1307979492; classtype:trojan-activity; sid:19590; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Potao.A outbound connection"; flow:to_server,established; http_uri; content:"/task",nocase; http_client_body; content:"&code=",nocase; content:"&sdata=",nocase; content:"&dlen=",nocase; content:"&data=",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=d7a0f5b47e4fc181a306c276bd2b4b77155e165838451e82d62c1323f2aeac27-1308299017; classtype:trojan-activity; sid:19579; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Thinkpoint fake antivirus - credit card submission"; flow:to_server,established; http_uri; content:"bill.php",nocase; http_client_body; content:"cs1=roger",nocase; content:"product_id=",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17816; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Thinkpoint fake antivirus - user display"; flow:to_server,established; http_uri; content:"index_new.php",nocase; content:"id=roger",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17815; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Rogue AV download/update attempt"; flow:to_server,established; http_uri; content:"|2F 3F|b|3D|1s1",fast_pattern,nocase; http_header; content:"Mozilla",nocase; pcre:"/^User\x2DAgent\x3A\s*Mozilla\x0d?$/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/analisis/2063df10f553afa6b1257e576fbf88cf98093ec1ae15c079e947994a96fbfadd-1274312088; classtype:trojan-activity; sid:16695; rev:5; )
+alert udp $HOME_NET any -> any 53 ( msg:"MALWARE-CNC Torpig bot sinkhole server DNS lookup"; flow:to_server; byte_test:1,!&,0xF8,2; content:"torpig-sinkhole|03|org",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/analisis/598c0628fb40a17405ee0a3146621460daeee46ac863810af822695153416a3f-1270655846; classtype:trojan-activity; sid:16693; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC TT-bot botnet variant outbound connection"; flow:to_server,established; http_header; content:"TT-Bot"; pkt_data; pcre:"/^User-Agent\x3A[^\r\n]*TT-Bot/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,anubis.iseclab.org/index.php?action=result&format=html&task_id=1494581651ca480640538ead93feabed2; classtype:trojan-activity; sid:16493; rev:12; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Koobface worm executable download"; flow:to_server,established; http_uri; content:"|2E|sys|2F 3F|getexe|3D|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/analisis/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c-1270750352; classtype:trojan-activity; sid:16670; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Spyeye bot variant outbound connection"; flow:to_server,established; http_uri; content:"|2E|php|3F|guid|3D|",nocase; content:"ccrc|3D|",fast_pattern,nocase; content:"ver|3D|",nocase; content:"stat|3D|",nocase; content:"cpu|3D|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=84714c100d2dfc88629531f6456b8276; classtype:trojan-activity; sid:16669; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: ( msg:"MALWARE-CNC Win.Trojan.XYTvn.A outbound connection"; flow:to_server,established; content:"XYTvn",depth 5,fast_pattern; content:"|00 00|",within 2,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=be70ce81a9c241473d21c4d5a2250c1cb37b7bdbcea3bcf2ecf15742312c352a-1306259799; classtype:trojan-activity; sid:19358; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker.bkhu outbound connection"; flow:to_server,established; http_uri; content:".php?codigo="; content:"id=",distance 0,nocase; content:"computador=",distance 0,nocase; content:"usuario_windows=",distance 0,fast_pattern,nocase; http_header; content:"User-Agent|3A 20|HTTP Client",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=77d739bbceea4008e90b6431d9836fbe643ef4c47788b4fd9fc82d7f07f22889-1303135417; classtype:trojan-activity; sid:19353; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SpyEye outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/_cp/gate.php"; http_header; content:!"Referrer",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d77c78e2072153e437f854aa3d677d8b985680d1b58fa48089a93889befac0c2-1304606417; classtype:trojan-activity; sid:19164; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/cgi-mac/2wmcheckdir.cgi",fast_pattern; http_method; content:"POST"; http_header; content:"User-Agent|3A 20|0PERA|3A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19019; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/cgi-mac/whatismyip.cgi"; http_header; content:!"User-Agent"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19018; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/CurlUpload"; http_header; content:!"User-Agent"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19017; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/checkur1"; http_header; content:"User-Agent|3A 20|curl"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19016; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bredolab bot variant outbound connection"; flow:to_server,established; http_uri; content:"controller|2E|php|3F|action|3D|",nocase; content:"entity_list|3D|",distance 0,nocase; content:"rnd|3D|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=b5a530185d35ea8305d3742e2ee5669f; classtype:trojan-activity; sid:16144; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/getcfg.php"; http_method; content:"POST"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=cc2f69011f7d5b0e1cf578c76a24ab7ced949cebc9960f1374ad275cb18ca092-1304106070; reference:url,www.virustotal.com/file-scan/report.html?id=f0317f48f1dfd0a9a9008985493f3bf310871dc6e2767b18aef8310328e007c2-1264118955; reference:url,www.virustotal.com/file/ad007bcb943baf5365f9c4bb3ef378e5ec83847aabed33544dd013fabc535482/analysis/; classtype:trojan-activity; sid:18939; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker.bkhu outbound connection"; flow:to_server,established; http_uri; content:".php?codigo="; content:"id=",distance 0,nocase; content:"computador=",distance 0,nocase; content:"usuario_windows=",distance 0,fast_pattern,nocase; http_header; content:"User-Agent|3A 20|HTTP Client",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=77d739bbceea4008e90b6431d9836fbe643ef4c47788b4fd9fc82d7f07f22889-1303135417; classtype:trojan-activity; sid:19353; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SpyEye outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/_cp/gate.php"; http_header; content:!"Referrer",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=d77c78e2072153e437f854aa3d677d8b985680d1b58fa48089a93889befac0c2-1304606417; classtype:trojan-activity; sid:19164; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/cgi-mac/2wmcheckdir.cgi",fast_pattern; http_method; content:"POST"; http_header; content:"User-Agent|3A 20|0PERA|3A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19019; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/cgi-mac/whatismyip.cgi"; http_header; content:!"User-Agent"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19018; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/CurlUpload"; http_header; content:!"User-Agent"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19017; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/checkur1"; http_header; content:"User-Agent|3A 20|curl"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19016; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bredolab bot variant outbound connection"; flow:to_server,established; http_uri; content:"controller|2E|php|3F|action|3D|",nocase; content:"entity_list|3D|",distance 0,nocase; content:"rnd|3D|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=b5a530185d35ea8305d3742e2ee5669f; classtype:trojan-activity; sid:16144; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/getcfg.php"; http_method; content:"POST"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=cc2f69011f7d5b0e1cf578c76a24ab7ced949cebc9960f1374ad275cb18ca092-1304106070; reference:url,www.virustotal.com/file-scan/report.html?id=f0317f48f1dfd0a9a9008985493f3bf310871dc6e2767b18aef8310328e007c2-1264118955; reference:url,www.virustotal.com/file/ad007bcb943baf5365f9c4bb3ef378e5ec83847aabed33544dd013fabc535482/analysis/; classtype:trojan-activity; sid:18939; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"MALWARE-CNC Ozdok botnet communication with C&C server"; flow:to_server,established; content:"|DB FD 37 7F 11 01 B9 E5|",depth 8,offset 2; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.threatexpert.com/report.aspx?md5=254127ba9396a3b52c3755cce44ade03; classtype:trojan-activity; sid:18715; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic -- Coreflood"; flow:to_server,established; http_client_body; content:"r=",nocase; content:"&os=",distance 0,nocase; content:"&panic=",distance 0,nocase; content:"&input=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=707505ccfd2c91901457c2ede96daa21; classtype:trojan-activity; sid:18934; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Night Dragon keepalive message"; flow:to_server,established; content:"|68 57 24 13|",depth 4,offset 12; content:"|03 50|",depth 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18459; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Night Dragon initial beacon"; flow:to_server,established; content:"|68 57 24 13|",depth 4,offset 12; content:"|01 50|",depth 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18458; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Koobface request for captcha"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/cap/temp/",nocase; pcre:"/^\x2Fcap\x2Ftemp\x2F[A-Za-z0-9]+\x2Ejpg/mi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16485; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Koobface variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/cap/?a=get&i=",nocase; pkt_data; pcre:"/\d+&/miR"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16484; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Zbot malware config file download request"; flow:to_server,established; http_uri; content:"/reklam/config",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=2a2419d34c7990297d9a2f7413a9af2a; classtype:trojan-activity; sid:16528; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Zbot malware config file download request"; flow:to_server,established; http_uri; content:"/dofyru.bmp",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=4cc069b84270be48bd84b7068dc3bf1a; classtype:trojan-activity; sid:16527; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic -- Coreflood"; flow:to_server,established; http_client_body; content:"r=",nocase; content:"&os=",distance 0,nocase; content:"&panic=",distance 0,nocase; content:"&input=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=707505ccfd2c91901457c2ede96daa21; classtype:trojan-activity; sid:18934; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Night Dragon keepalive message"; flow:to_server,established; content:"|68 57 24 13|",depth 4,offset 12; content:"|03 50|",depth 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18459; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Night Dragon initial beacon"; flow:to_server,established; content:"|68 57 24 13|",depth 4,offset 12; content:"|01 50|",depth 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18458; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Koobface request for captcha"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/cap/temp/",nocase; pcre:"/^\x2Fcap\x2Ftemp\x2F[A-Za-z0-9]+\x2Ejpg/mi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16485; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Koobface variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/cap/?a=get&i=",nocase; pkt_data; pcre:"/\d+&/miR"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16484; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Zbot malware config file download request"; flow:to_server,established; http_uri; content:"/reklam/config",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=2a2419d34c7990297d9a2f7413a9af2a; classtype:trojan-activity; sid:16528; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Zbot malware config file download request"; flow:to_server,established; http_uri; content:"/dofyru.bmp",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=4cc069b84270be48bd84b7068dc3bf1a; classtype:trojan-activity; sid:16527; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 7382 ( msg:"MALWARE-CNC VanBot IRC communication"; flow:to_server,established; content:"JOIN |23|siwa"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,owned-nets.blogspot.com/2009/05/italianswiifatecihnocombaadshah-from.html; classtype:trojan-activity; sid:16526; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.command and control communication"; flow:to_server,established; http_header; content:"Ryeol HTTP Client Class",nocase; content:"jaiku.com",nocase; pcre:"/^User\x2DAgent\x3A\s+Ryeol\s+HTTP\s+Client\s+Class/smi"; pcre:"/^Host\x3A\s+.*jaiku\x2Ecom/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=9a546564bf213ff866f48848f0f14027; classtype:trojan-activity; sid:16459; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Gozi Win.Trojan.connection to C&C"; flow:to_server; http_uri; content:"user_id=",nocase; content:"version_id=",nocase; content:"passphrase="; content:"socks=",nocase; content:"version=",nocase; content:"crc=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/de/analisis/02e2428657cc20c9206b92474157e59e64d348b47d69dd320cb5e909e9150b99-1264446753; classtype:trojan-activity; sid:16391; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.command and control communication"; flow:to_server,established; http_header; content:"Ryeol HTTP Client Class",nocase; content:"jaiku.com",nocase; pcre:"/^User\x2DAgent\x3A\s+Ryeol\s+HTTP\s+Client\s+Class/smi"; pcre:"/^Host\x3A\s+.*jaiku\x2Ecom/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=9a546564bf213ff866f48848f0f14027; classtype:trojan-activity; sid:16459; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Gozi Win.Trojan.connection to C&C"; flow:to_server; http_uri; content:"user_id=",nocase; content:"version_id=",nocase; content:"passphrase="; content:"socks=",nocase; content:"version=",nocase; content:"crc=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/de/analisis/02e2428657cc20c9206b92474157e59e64d348b47d69dd320cb5e909e9150b99-1264446753; classtype:trojan-activity; sid:16391; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Hydraq/Aurora connection to C&C server"; flow:to_server,established; content:"|FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF|",depth 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/analisis/9051f618a5a8253a003167e65ce1311fa91a8b70d438a384be48b02e73ba855c-1263878624; classtype:trojan-activity; sid:16368; rev:5; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Virut DNS request"; flow:to_server; content:"proxim|09|ircgalaxy|02|pl",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df; classtype:trojan-activity; sid:16304; rev:5; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Virut DNS request"; flow:to_server; content:"put|05|ghura|02|pl",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df; classtype:trojan-activity; sid:16303; rev:5; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Virut DNS request for C&C"; flow:to_server; content:"irc|04|zief|02|pl",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df; classtype:trojan-activity; sid:16302; rev:5; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Palevo bot DNS request"; flow:to_server; content:"bfisback|05|no-ip|03|org",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/analisis/c790a26f38070632759f481a87ed60c1628dea723ad63577cfe373de6b81e0a7-1249566492; classtype:misc-activity; sid:16299; rev:5; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Palevo bot DNS request"; flow:to_server; content:"qwertasdfg|05|sinip|02|es",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/analisis/c790a26f38070632759f481a87ed60c1628dea723ad63577cfe373de6b81e0a7-1249566492; classtype:misc-activity; sid:16298; rev:5; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Palevo bot DNS request for C&C"; flow:to_server; content:"butterfly|05|sinip|02|es",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/analisis/c790a26f38070632759f481a87ed60c1628dea723ad63577cfe373de6b81e0a7-1249566492; classtype:trojan-activity; sid:16297; rev:5; )
-alert tcp $HOME_NET 27374 -> $EXTERNAL_NET any ( msg:"MALWARE-CNC SubSeven client connection to server"; flow:to_client,established; content:"connected.",nocase; content:"Legends",distance 0,fast_pattern,nocase; pcre:"/^connected\x2e[^\x0D\x0A]*20\d\d[^\x0D\x0A]*ver\x3A\s+Legends\s2\x2e1/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=da8d7529a8a37335064ade9d04df08ad; classtype:trojan-activity; sid:15938; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"tip=",nocase; content:"&cli=",distance 0,nocase; content:"&tipo=",distance 0,nocase; pcre:"/tip\x3D[a-zA-Z]+\x26cli\x3D[a-zA-Z]+\x26tipo\x3Dcli\x26inf\x3D/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=858295d163762748bf4821db5de041a1; classtype:trojan-activity; sid:15730; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Sality virus HTTP GET request"; flow:to_server,established; http_uri; content:"/mrow_pin/?id",nocase; pkt_data; pcre:"/\x2Fmrow\x5Fpin\x2F\x3Fid\d+[a-z]{5,}\d{5}\x26rnd\x3D\d+/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=b61aaef4d4dfbddbd8126c987fb77374; classtype:trojan-activity; sid:15553; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Zeus/Zbot malware config file download request"; flow:to_server; http_uri; content:"/w/update.dat",nocase; http_header; content:"Host|3A| chartseye.cn",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=21782783; classtype:trojan-activity; sid:15481; rev:9; )
-alert tcp $HOME_NET any -> 85.17.3.250 80 ( msg:"MALWARE-CNC Trojan.Duntek Checkin GET Request"; flow:to_server,established; http_uri; content:"cmp=dun_tek",nocase; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99&tabid=2; classtype:trojan-activity; sid:10403; rev:9; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Virut DNS request"; flow:to_server; content:"proxim|09|ircgalaxy|02|pl",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df; classtype:trojan-activity; sid:16304; rev:5; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Virut DNS request"; flow:to_server; content:"put|05|ghura|02|pl",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df; classtype:trojan-activity; sid:16303; rev:5; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Virut DNS request for C&C"; flow:to_server; content:"irc|04|zief|02|pl",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df; classtype:trojan-activity; sid:16302; rev:5; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Palevo bot DNS request"; flow:to_server; content:"bfisback|05|no-ip|03|org",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/analisis/c790a26f38070632759f481a87ed60c1628dea723ad63577cfe373de6b81e0a7-1249566492; classtype:misc-activity; sid:16299; rev:5; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Palevo bot DNS request"; flow:to_server; content:"qwertasdfg|05|sinip|02|es",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/analisis/c790a26f38070632759f481a87ed60c1628dea723ad63577cfe373de6b81e0a7-1249566492; classtype:misc-activity; sid:16298; rev:5; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Palevo bot DNS request for C&C"; flow:to_server; content:"butterfly|05|sinip|02|es",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/analisis/c790a26f38070632759f481a87ed60c1628dea723ad63577cfe373de6b81e0a7-1249566492; classtype:trojan-activity; sid:16297; rev:5; )
+alert tcp $HOME_NET 27374 -> $EXTERNAL_NET any ( msg:"MALWARE-CNC SubSeven client connection to server"; flow:to_client,established; content:"connected.",nocase; content:"Legends",distance 0,fast_pattern,nocase; pcre:"/^connected\x2e[^\x0D\x0A]*20\d\d[^\x0D\x0A]*ver\x3A\s+Legends\s2\x2e1/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=da8d7529a8a37335064ade9d04df08ad; classtype:trojan-activity; sid:15938; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"tip=",nocase; content:"&cli=",distance 0,nocase; content:"&tipo=",distance 0,nocase; pcre:"/tip\x3D[a-zA-Z]+\x26cli\x3D[a-zA-Z]+\x26tipo\x3Dcli\x26inf\x3D/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=858295d163762748bf4821db5de041a1; classtype:trojan-activity; sid:15730; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Sality virus HTTP GET request"; flow:to_server,established; http_uri; content:"/mrow_pin/?id",nocase; pkt_data; pcre:"/\x2Fmrow\x5Fpin\x2F\x3Fid\d+[a-z]{5,}\d{5}\x26rnd\x3D\d+/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=b61aaef4d4dfbddbd8126c987fb77374; classtype:trojan-activity; sid:15553; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Zeus/Zbot malware config file download request"; flow:to_server; http_uri; content:"/w/update.dat",nocase; http_header; content:"Host|3A| chartseye.cn",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=21782783; classtype:trojan-activity; sid:15481; rev:9; )
+alert tcp $HOME_NET any -> 85.17.3.250 80 ( msg:"MALWARE-CNC Trojan.Duntek Checkin GET Request"; flow:to_server,established; http_uri; content:"cmp=dun_tek",nocase; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99&tabid=2; classtype:trojan-activity; sid:10403; rev:9; )
alert udp $HOME_NET 7871 -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Peacomm command and control propagation detected"; flow:to_server; content:"|E3 0C|",depth 2; content:"|00 00 00 00 A0 0F 00|",depth 7,offset 18; detection_filter:track by_src, count 100, seconds 300; metadata:impact_flag red,policy balanced-ips alert,policy security-ips alert; classtype:trojan-activity; sid:10114; rev:11; )
alert udp $HOME_NET 4000 -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Peacomm command and control propagation detected"; flow:to_server; content:"|E3 0C|",depth 2; content:"|00 00 00 00 A0 0F 00|",depth 7,offset 18; detection_filter:track by_src, count 100, seconds 300; metadata:impact_flag red,policy balanced-ips alert,policy security-ips alert; classtype:trojan-activity; sid:10113; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC bagle.a http notification detection"; flow:to_server,established; http_uri; content:"/1.php?p=",nocase; http_header; content:"User-Agent|3A|",nocase; content:"beagle_beagle",fast_pattern,nocase; pcre:"/^User-Agent\x3A[^\r\n]*beagle_beagle/smi"; metadata:impact_flag red,policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.sophos.com/virusinfo/analyses/w32baglea.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-011815-3332-99&tabid=2; classtype:trojan-activity; sid:9418; rev:14; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/ping.txt?u=",nocase; content:"pg=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16833.html; classtype:trojan-activity; sid:16833; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/LockIeHome/?mac=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16832.html; classtype:trojan-activity; sid:16832; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/indeh.php",nocase; content:"&v=5&z=com&s=f01",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16828.html; classtype:trojan-activity; sid:16828; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/code/pop_data3.asp?f=48843&t=a",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16827.html; classtype:trojan-activity; sid:16827; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/p6.asp?MAC=",nocase; content:"Publicer=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16826.html; classtype:trojan-activity; sid:16826; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/bar/v16-106/c1/jsc/fmr.js?c=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16824.html; classtype:trojan-activity; sid:16824; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FlyStudio known command and control channel traffic"; flow:to_server,established; http_uri; content:"/piao1.asp?AC=",nocase; http_header; content:"Content-Length|3A 20|0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16823.html; classtype:trojan-activity; sid:16823; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/clcount/ip.asp?action=install&mac=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16822.html; classtype:trojan-activity; sid:16822; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:".php?ini=v22M",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16820.html; classtype:trojan-activity; sid:16820; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/ll.php?v=3",nocase; content:"wm_id=acc00",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16817.html; classtype:trojan-activity; sid:16817; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/ue000/38sw.e?uid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16816.html; classtype:trojan-activity; sid:16816; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/vscript/vercheck.psc?pcrc=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16812.html; classtype:trojan-activity; sid:16812; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/perce/",nocase; content:"qwerce.gif",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16811.html; classtype:trojan-activity; sid:16811; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/werber/",nocase; content:"217.gif",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16810.html; classtype:trojan-activity; sid:16810; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"borders.php",nocase; http_client_body; content:"data=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16809.html; classtype:trojan-activity; sid:16809; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC bagle.a http notification detection"; flow:to_server,established; http_uri; content:"/1.php?p=",nocase; http_header; content:"User-Agent|3A|",nocase; content:"beagle_beagle",fast_pattern,nocase; pcre:"/^User-Agent\x3A[^\r\n]*beagle_beagle/smi"; metadata:impact_flag red,policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:http; reference:url,www.sophos.com/virusinfo/analyses/w32baglea.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-011815-3332-99&tabid=2; classtype:trojan-activity; sid:9418; rev:14; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/ping.txt?u=",nocase; content:"pg=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16833.html; classtype:trojan-activity; sid:16833; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/LockIeHome/?mac=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16832.html; classtype:trojan-activity; sid:16832; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/indeh.php",nocase; content:"&v=5&z=com&s=f01",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16828.html; classtype:trojan-activity; sid:16828; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/code/pop_data3.asp?f=48843&t=a",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16827.html; classtype:trojan-activity; sid:16827; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/p6.asp?MAC=",nocase; content:"Publicer=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16826.html; classtype:trojan-activity; sid:16826; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/bar/v16-106/c1/jsc/fmr.js?c=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16824.html; classtype:trojan-activity; sid:16824; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FlyStudio known command and control channel traffic"; flow:to_server,established; http_uri; content:"/piao1.asp?AC=",nocase; http_header; content:"Content-Length|3A 20|0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16823.html; classtype:trojan-activity; sid:16823; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/clcount/ip.asp?action=install&mac=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16822.html; classtype:trojan-activity; sid:16822; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:".php?ini=v22M",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16820.html; classtype:trojan-activity; sid:16820; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/ll.php?v=3",nocase; content:"wm_id=acc00",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16817.html; classtype:trojan-activity; sid:16817; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/ue000/38sw.e?uid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16816.html; classtype:trojan-activity; sid:16816; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/vscript/vercheck.psc?pcrc=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16812.html; classtype:trojan-activity; sid:16812; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/perce/",nocase; content:"qwerce.gif",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16811.html; classtype:trojan-activity; sid:16811; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/werber/",nocase; content:"217.gif",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16810.html; classtype:trojan-activity; sid:16810; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"borders.php",nocase; http_client_body; content:"data=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.snort.org/docs/16809.html; classtype:trojan-activity; sid:16809; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1001 ( msg:"MALWARE-CNC Win.Trojan.Hioles.C outbound connection"; flow:to_server,established; content:"|85 B2 04 77 CE 38 E0 33|",depth 8; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/5cdbab3bf4cb3b64cb27d7c40370cb5788d5e0662eb33bc8f9f178818bcc6a1d/analysis/; classtype:trojan-activity; sid:23391; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Backdoor outbound connection"; flow:to_server,established; http_uri; content:"/registraMaquina*/",nocase; http_header; content:"User-Agent|3A| Clickteam"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C1EE4AA7DFBB02C4E9C1EA6A45D7C98EA10727661994BD595CADF4173415CFCA/analysis/; classtype:trojan-activity; sid:23945; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Backdoor file download"; flow:to_server,established; http_uri; content:"/_libs/wget.exe"; http_header; content:"User-Agent|3A| Compressor ZIP do Windows"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C1EE4AA7DFBB02C4E9C1EA6A45D7C98EA10727661994BD595CADF4173415CFCA/analysis/; classtype:trojan-activity; sid:23946; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kryptik.Kazy outbound connection"; flow:to_server,established; http_client_body; content:"|07 00 00 00|",depth 4; content:"|00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 0E 00 00 00 0A 0F 10 11 1B 2E|",within 30,distance 4,fast_pattern,fast_pattern_offset 10,fast_pattern_length 20; content:"|15 12 0E 0F 18 31|",within 6,distance 42; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/2d8e630ecffa5d95db6a1a9cc430e6e72d59649575cfc29c8602155955541f41/analysis/; classtype:trojan-activity; sid:23987; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.alqt variant outbound connection"; flow:to_server,established; content:"|47 68 30 73 74|",depth 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=9c86fa9e7b4a8b10cc2a21d5b89ae310; classtype:trojan-activity; sid:19484; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Httpbot.qdc variant outbound connection"; flow:to_server,established; http_uri; content:"|2E|php|3F|getCmd|26|id|3D|",nocase; http_header; content:!"|0A|Accept|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=baa26783d7e5af6e3336a20e83d5a018737971a322807936a3f8d5ee48fb261c-1286289927; classtype:trojan-activity; sid:19052; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1024:] ( msg:"MALWARE-CNC Win.Trojan.Litmpuca.A Runtime Detection"; flow:to_server,established; content:"<html><title>",depth 13; content:"</title><body>",within 48; content:!"</body>"; content:!"<head>"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/; classtype:trojan-activity; sid:21945; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1024:] ( msg:"MALWARE-CNC Win.Trojan.Litmpuca.A Runtime Detection"; flow:to_server,established; content:"|96 F4 F6 F6|",depth 64; isdataat:128,relative; content:"|FE F6 F0 F6|",within 384,distance 128; content:"|F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/; classtype:trojan-activity; sid:21946; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gosik.A registration"; flow:to_server,established; http_uri; content:"|2F|connect|2E|php|3F|action|3D|getcomm|26|",nocase; http_header; content:!"|0A|Accept|3A|",nocase; content:!"|0A|User-Agent|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=95c5614d629f06ca58e1743ccede027bc16c028344a8d004b4a48a4c3a9382dd-1287167398; classtype:trojan-activity; sid:19055; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Coswid.klk outbound connection"; flow:to_server,established; http_uri; content:"/update.png",nocase; http_header; content:"User-Agent|3A| ",nocase; content:"+Mozilla/4.0",within 30,nocase; content:"MSIE 8.0|3B| Win32",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file/28414CF6120E4EF72E3F4669A0824465405C2FD757B3502BDCD319C9D69AF3BF/analysis/; classtype:trojan-activity; sid:22103; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Mecklow.C runtime traffic detected"; flow:to_server,established; content:"|2F|aws",depth 4,offset 4,nocase; content:"|2E|jsp|3F|",within 9,distance 1,nocase; pcre:"/\x2Faws\d{1,5}\.jsp\x3F/i"; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=4b873858b58be4b47013545420f27759; classtype:trojan-activity; sid:20837; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 4455 ( msg:"MALWARE-CNC Win.Trojan.RShot.brw outbound connection"; flow:to_server,established; dsize:<120; content:"connected#",depth 10; content:"#Windows",distance 0; pcre:"/\x23\d{2}\x3a\d{2}\x3a\d\d$/R"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=6794c1cb09ec3f42f2732369c8c25a5999eb908262cd75d1a4cda4d25adf8a37-1325372956l; classtype:trojan-activity; sid:21208; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Backdoor outbound connection"; flow:to_server,established; http_uri; content:"/registraMaquina*/",nocase; http_header; content:"User-Agent|3A| Clickteam"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/C1EE4AA7DFBB02C4E9C1EA6A45D7C98EA10727661994BD595CADF4173415CFCA/analysis/; classtype:trojan-activity; sid:23945; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Backdoor file download"; flow:to_server,established; http_uri; content:"/_libs/wget.exe"; http_header; content:"User-Agent|3A| Compressor ZIP do Windows"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/C1EE4AA7DFBB02C4E9C1EA6A45D7C98EA10727661994BD595CADF4173415CFCA/analysis/; classtype:trojan-activity; sid:23946; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kryptik.Kazy outbound connection"; flow:to_server,established; http_client_body; content:"|07 00 00 00|",depth 4; content:"|00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 0E 00 00 00 0A 0F 10 11 1B 2E|",within 30,distance 4,fast_pattern,fast_pattern_offset 10,fast_pattern_length 20; content:"|15 12 0E 0F 18 31|",within 6,distance 42; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/2d8e630ecffa5d95db6a1a9cc430e6e72d59649575cfc29c8602155955541f41/analysis/; classtype:trojan-activity; sid:23987; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.alqt variant outbound connection"; flow:to_server,established; content:"|47 68 30 73 74|",depth 5; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=9c86fa9e7b4a8b10cc2a21d5b89ae310; classtype:trojan-activity; sid:19484; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Httpbot.qdc variant outbound connection"; flow:to_server,established; http_uri; content:"|2E|php|3F|getCmd|26|id|3D|",nocase; http_header; content:!"|0A|Accept|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=baa26783d7e5af6e3336a20e83d5a018737971a322807936a3f8d5ee48fb261c-1286289927; classtype:trojan-activity; sid:19052; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1024:] ( msg:"MALWARE-CNC Win.Trojan.Litmpuca.A Runtime Detection"; flow:to_server,established; content:"<html><title>",depth 13; content:"</title><body>",within 48; content:!"</body>"; content:!"<head>"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/; classtype:trojan-activity; sid:21945; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1024:] ( msg:"MALWARE-CNC Win.Trojan.Litmpuca.A Runtime Detection"; flow:to_server,established; content:"|96 F4 F6 F6|",depth 64; isdataat:128,relative; content:"|FE F6 F0 F6|",within 384,distance 128; content:"|F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/; classtype:trojan-activity; sid:21946; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gosik.A registration"; flow:to_server,established; http_uri; content:"|2F|connect|2E|php|3F|action|3D|getcomm|26|",nocase; http_header; content:!"|0A|Accept|3A|",nocase; content:!"|0A|User-Agent|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=95c5614d629f06ca58e1743ccede027bc16c028344a8d004b4a48a4c3a9382dd-1287167398; classtype:trojan-activity; sid:19055; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Coswid.klk outbound connection"; flow:to_server,established; http_uri; content:"/update.png",nocase; http_header; content:"User-Agent|3A| ",nocase; content:"+Mozilla/4.0",within 30,nocase; content:"MSIE 8.0|3B| Win32",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,virustotal.com/file/28414CF6120E4EF72E3F4669A0824465405C2FD757B3502BDCD319C9D69AF3BF/analysis/; classtype:trojan-activity; sid:22103; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Mecklow.C runtime traffic detected"; flow:to_server,established; content:"|2F|aws",depth 4,offset 4,nocase; content:"|2E|jsp|3F|",within 9,distance 1,nocase; pcre:"/\x2Faws\d{1,5}\.jsp\x3F/i"; metadata:policy balanced-ips alert,policy security-ips drop; service:http; reference:url,www.virustotal.com/latest-report.html?resource=4b873858b58be4b47013545420f27759; classtype:trojan-activity; sid:20837; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 4455 ( msg:"MALWARE-CNC Win.Trojan.RShot.brw outbound connection"; flow:to_server,established; dsize:<120; content:"connected#",depth 10; content:"#Windows",distance 0; pcre:"/\x23\d{2}\x3a\d{2}\x3a\d\d$/R"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=6794c1cb09ec3f42f2732369c8c25a5999eb908262cd75d1a4cda4d25adf8a37-1325372956l; classtype:trojan-activity; sid:21208; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: ( msg:"MALWARE-CNC Win.Trojan.Msposer.A outbound connection"; flow:to_server,established; content:"Connected|3E|",depth 13,nocase; content:"AT Port|23|",within 16,distance 8,nocase; content:"|7C 3C 3E 7C|",within 8,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/latest-report.html?resource=22C1887EC4E18E5800D1527CF5765372; classtype:trojan-activity; sid:19767; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Proxy Win.Trojan.Dosenjo.C Runtime Detection"; flow:to_server,established; http_uri; content:"/l.php"; content:"cashingDeny=",distance 0; content:"winver=",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=22e5542569911f89a87f010b4219a59e84fd9855bafd41a7e0cc3c391cd0aaa4-1260727906; classtype:trojan-activity; sid:19429; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Proxy Win.Trojan.Dosenjo.C Runtime Detection"; flow:to_server,established; http_uri; content:"/l.php"; content:"cashingDeny=",distance 0; content:"winver=",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=22e5542569911f89a87f010b4219a59e84fd9855bafd41a7e0cc3c391cd0aaa4-1260727906; classtype:trojan-activity; sid:19429; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 ( msg:"MALWARE-CNC Win.Trojan.Litmus.203 outbound connection"; flow:to_server,established; content:"JOIN|20|#radarr|20|dalar",depth 18,nocase; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=dba3ad588abc952a6bedf1ac225b011d78bf2f391a33e1fd6be83ad37cefa51c-1257885068; classtype:trojan-activity; sid:19435; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC PointGuide outbound connection"; flow:to_server,established; http_uri; content:"/cont/proid.txt"; http_header; content:"reward|2E|pointguide|2E|kr",distance 0,fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=2ef41c20bdadd9d85da91a68639f8ea8d733537ecbba7280ecbcbb31bfa3b2fe-1234376606; classtype:trojan-activity; sid:19328; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dropper Win.Trojan.Agent.alda outbound connection"; flow:to_server,established; http_uri; content:"/mydown.asp"; content:"ver=",distance 0; content:"tgid=",distance 0; content:"address=",distance 0; http_header; content:"www|2E|qqcjidc|2E|cn",fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=4d875250872a1c6ec7d47be59ed7d244c2b9ce06a65ff251763e74adb5e2641d-1247780429; classtype:trojan-activity; sid:19339; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC PointGuide outbound connection"; flow:to_server,established; http_uri; content:"/cont/proid.txt"; http_header; content:"reward|2E|pointguide|2E|kr",distance 0,fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=2ef41c20bdadd9d85da91a68639f8ea8d733537ecbba7280ecbcbb31bfa3b2fe-1234376606; classtype:trojan-activity; sid:19328; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dropper Win.Trojan.Agent.alda outbound connection"; flow:to_server,established; http_uri; content:"/mydown.asp"; content:"ver=",distance 0; content:"tgid=",distance 0; content:"address=",distance 0; http_header; content:"www|2E|qqcjidc|2E|cn",fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=4d875250872a1c6ec7d47be59ed7d244c2b9ce06a65ff251763e74adb5e2641d-1247780429; classtype:trojan-activity; sid:19339; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1868 ( msg:"MALWARE-CNC Win.Trojan.Poison.banr outbound connection"; flow:to_server,established; content:"USER|20|"; content:"|20 2A 20 30 20 3A|",distance 0; pcre:"/^USER\x20(XP|98|95|NT|ME|WIN|2K3)\x2d\d+\x20\x2a\x20\x30\x20\x3a/mi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.threatexpert.com/report.aspx?md5=90eebe2201ea28a6c697dc5984b59ec1; classtype:trojan-activity; sid:19347; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.FraudLoad.emq outbound connection"; flow:to_server,established; http_uri; content:"/fff9999.php"; pkt_data; content:"mgjmnfgbdfb|2E|com"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3794798f5eeb53dd71001e4454f006c871eb7c9085e1bf5336efa07b70d7b38d-1246897098; classtype:trojan-activity; sid:19348; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Clicker Win.Trojan.Hatigh.C outbound connection"; flow:to_server,established; http_uri; content:"/tmp/sh.php"; http_header; content:"quikup|2E|info"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=30c6c5561d610ccbd22e88b8265aaa4bd7e17a8e139c7e9aedc645c85ef40910-1259851653; classtype:trojan-activity; sid:19351; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm Win.Trojan.Sohanad.ila outbound connection"; flow:to_server,established; http_uri; content:"/poojasharma/setting.ini"; http_header; content:"User-Agent|3A 20|AutoIt"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=ec3aeafcc48aa50ef2a2f51ce9d50bd3a8d0989dca85966a20552527540cc5ac-1296912342; classtype:trojan-activity; sid:19357; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Clob bot traffic"; flow:to_server; content:"/l1/ms32clod.dll",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=1474e6d74aa29127c5d6df716650d724; classtype:trojan-activity; sid:16289; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.tdss.1.gen install-time detection - yournewsblog.net"; flow:to_server,established; http_uri; content:"/tdss/"; pkt_data; content:"Host|3A| yournewsblog.net",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16268; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.tdss.1.gen install-time detection - findzproportal1.com"; flow:to_server,established; http_uri; content:"/botmon/readdata/"; pkt_data; content:"Host|3A| findzproportal1.com",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16269; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Pushdo client communication"; flow:to_server,established; http_uri; content:"/40e800",depth 7,nocase; pcre:"/^\x2F40e800[0-9A-F]{30,}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.eweek.com/c/a/Security/Inside-a-Modern-Malware-Distribution-System/; classtype:trojan-activity; sid:15165; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC y3k 1.2 variant outbound connection icq notification"; flow:to_server,established; content:"from=Y3K",nocase; content:"Server",distance 0,nocase; content:"fromemail=y3k",distance 0,nocase; content:"subject=Y3K",distance 0,nocase; content:"online",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7116; rev:7; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in UDP"; flow:to_server; content:"|08 00 45|",depth 3,offset 12; content:"|00 00|",within 7,distance 5; content:"|06|",within 1,distance 1; content:"|00 00 00 00|",within 22,distance 18; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/7dde04222d364b6becbc2f36d30ce59a5ec25bf4c3577d0979bb1b874c06d5dc/analysis/; classtype:trojan-activity; sid:24087; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.FraudLoad.emq outbound connection"; flow:to_server,established; http_uri; content:"/fff9999.php"; pkt_data; content:"mgjmnfgbdfb|2E|com"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=3794798f5eeb53dd71001e4454f006c871eb7c9085e1bf5336efa07b70d7b38d-1246897098; classtype:trojan-activity; sid:19348; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Clicker Win.Trojan.Hatigh.C outbound connection"; flow:to_server,established; http_uri; content:"/tmp/sh.php"; http_header; content:"quikup|2E|info"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=30c6c5561d610ccbd22e88b8265aaa4bd7e17a8e139c7e9aedc645c85ef40910-1259851653; classtype:trojan-activity; sid:19351; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm Win.Trojan.Sohanad.ila outbound connection"; flow:to_server,established; http_uri; content:"/poojasharma/setting.ini"; http_header; content:"User-Agent|3A 20|AutoIt"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=ec3aeafcc48aa50ef2a2f51ce9d50bd3a8d0989dca85966a20552527540cc5ac-1296912342; classtype:trojan-activity; sid:19357; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Clob bot traffic"; flow:to_server; content:"/l1/ms32clod.dll",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=1474e6d74aa29127c5d6df716650d724; classtype:trojan-activity; sid:16289; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.tdss.1.gen install-time detection - yournewsblog.net"; flow:to_server,established; http_uri; content:"/tdss/"; pkt_data; content:"Host|3A| yournewsblog.net",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16268; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.tdss.1.gen install-time detection - findzproportal1.com"; flow:to_server,established; http_uri; content:"/botmon/readdata/"; pkt_data; content:"Host|3A| findzproportal1.com",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16269; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Pushdo client communication"; flow:to_server,established; http_uri; content:"/40e800",depth 7,nocase; pcre:"/^\x2F40e800[0-9A-F]{30,}$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.eweek.com/c/a/Security/Inside-a-Modern-Malware-Distribution-System/; classtype:trojan-activity; sid:15165; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC y3k 1.2 variant outbound connection icq notification"; flow:to_server,established; content:"from=Y3K",nocase; content:"Server",distance 0,nocase; content:"fromemail=y3k",distance 0,nocase; content:"subject=Y3K",distance 0,nocase; content:"online",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7116; rev:7; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in UDP"; flow:to_server; content:"|08 00 45|",depth 3,offset 12; content:"|00 00|",within 7,distance 5; content:"|06|",within 1,distance 1; content:"|00 00 00 00|",within 22,distance 18; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; reference:url,www.virustotal.com/file/7dde04222d364b6becbc2f36d30ce59a5ec25bf4c3577d0979bb1b874c06d5dc/analysis/; classtype:trojan-activity; sid:24087; rev:4; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in ICMP"; content:"|08 00 45|",depth 3,offset 12; content:"|00 00|",within 7,distance 5; content:"|06|",within 1,distance 1; content:"|00 00 00 00|",within 22,distance 18; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/7dde04222d364b6becbc2f36d30ce59a5ec25bf4c3577d0979bb1b874c06d5dc/analysis/; classtype:trojan-activity; sid:24088; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST"; content:"|78 9C 2B 4B 2D B2 35 54 CB C9 4F CF CC B3 CD 2E CD CE 49 4C CE 48 2D 53 CB 4D 4C 2E CA 2F 4E 2D 8E 2F|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/14429942c5fa23cb0364880280c92f2122f22a60cd3f5c1cff3662ecfd92a8d5/analysis/; classtype:trojan-activity; sid:24169; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Work.Rokiwobi inbound command from C&C"; flow:to_client,established; file_data; content:"cmdtimer~~",depth 10; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/8ec9b371b8a2092ffe93ac32e5029911c118256504fb9ba1426830010a513119/analysis/; classtype:trojan-activity; sid:24185; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC RAT update protocol connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/update?id="; http_header; content:"X-Session:",nocase; content:"X-Status:",nocase; content:"X-Size:",nocase; content:"X-Sn:",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24211; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Seveto variant outbound connection"; flow:to_server,established; http_uri; content:"/svcs.php"; content:"m|3D|"; content:"v|3D|"; content:"s|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f7da52bf05bfd32f503ee653a1e1b22ad5a6b00597ebbe172158db12c9a75ff2/analysis/; classtype:trojan-activity; sid:24214; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; http_uri; content:"/index_post.php"; http_client_body; content:"tipo|3D|",nocase; content:"XP|3D|",nocase; content:"OUTROS|3D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/e82b4000b71c4b01f361556422bafbdc8f148072fe74e2a1667e85a7ae94cb5a/analysis/; classtype:trojan-activity; sid:24215; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Biloky variant outbound connection"; flow:to_server,established; http_uri; content:"/loc/gate.php|3F|"; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSlE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET CLR 1.1.4322"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/41d6db389438c2ca66262e64152a9e9f8cde55d3643a387a6241d7a2431c8ce5/analysis/; classtype:trojan-activity; sid:24216; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Spy variant outbound connection"; flow:to_server,established; http_uri; content:"/1.php",nocase; http_client_body; content:"name|3D 22|nome|22|",nocase; content:"name|3D 22|texto|22|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24217; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound communication"; flow:to_server,established; http_uri; content:"/counter.img?theme=",nocase; content:"&digits=10&siteId=",distance 0,fast_pattern,nocase; pcre:"/counter.img\?theme\=\d+\&digits\=10\&siteId\=\d+$/i"; http_header; content:"User-Agent|3A 20|Opera/9 (Win"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx; classtype:trojan-activity; sid:24224; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Wuwo initial infection outbound connection"; flow:to_server,established; http_uri; content:"/AES",depth 4,fast_pattern; content:".jsp?",distance 0; pcre:"/\/AES\d{9}O\d{4,5}\x2ejsp/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/69C8178F867C9CF75D813285A9D80B5CCB73D46F99D54FA7043794190D2C7685/analysis/; classtype:trojan-activity; sid:24235; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Wuwo post infection outbound connection"; flow:to_server,established; http_uri; content:"/DES",depth 4,fast_pattern; content:".jsp?",distance 0; pcre:"/\/DES\d{9}O\d{4,5}\x2ejsp/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/69C8178F867C9CF75D813285A9D80B5CCB73D46F99D54FA7043794190D2C7685/analysis/; classtype:trojan-activity; sid:24236; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Sality logo.gif URLs"; flow:to_server,established; http_uri; content:"/logo.gif?"; pcre:"/\x2Flogo\.gif\x3F[0-9a-f]{5,7}=\d{5,7}/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus%3aWin32%2fSality.AT; classtype:trojan-activity; sid:24255; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Nomno variant outbound connection"; flow:to_server,established; content:"c|3D|"; content:"shell|5F|exec"; http_cookie; content:"c|3D|"; content:"shell|5F|exec"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,service http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24285; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gozi.Prinimalka variant outbound connection"; flow:to_server,established; http_uri; content:"/system/prinimalka.py/"; content:"user_id="; content:"version_id="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/39009996a0f1c9deca07bd63c53741e7c2081820fbc8b84e0f6375b5f529fae7/analysis/; classtype:trojan-activity; sid:24361; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.VB variant outbound connection"; flow:to_server,established; http_uri; content:"/reportmac.asp",nocase; http_header; content:"User-Agent: http"; http_uri; content:"anma=",nocase; content:"zhanghao=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/e2636ae650252d760e15b13d80603d48081ebb664e6143fe1a257b4cd015d2c0/analysis/; classtype:trojan-activity; sid:24375; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.XBlocker outbound communication"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/4.0 (SPGK)"; http_uri; content:"/rz/mn.php?ver=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/68051395c25797dc668101cdd0086109cfae0114cf4d2df7d241035378b1ec13/analysis; classtype:trojan-activity; sid:24381; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.XBlocker outbound communication"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/4.0 (SPGK)"; http_uri; content:"/rz/report.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/68051395c25797dc668101cdd0086109cfae0114cf4d2df7d241035378b1ec13/analysis; classtype:trojan-activity; sid:24382; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection"; flow:to_server,established; http_uri; content:"/cgi-bin/feed.cgi"; http_header; content:"Host:",nocase; pcre:"/^Host\x3a\s*(cache.dyndns.info|flashcenter.info|flashrider.org|webapp.serveftp.com|web.autoflash.info|webupdate.dyndns.info|webupdate.hopto.org|web.velocitycache.com)/smi"; flowbits:set,malware.miniflame; metadata:impact_flag red,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24406; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection"; flow:to_server,established; http_uri; content:"/cgi-bin/counter.cgi"; http_header; content:"Host:",nocase; pcre:"/^Host\x3a\s*(194.192.14.125|202.75.58.179|flashupdates.info|nvidiadrivers.info|nvidiasoft.info|nvidiastream.info|rendercodec.info|syncstream.info|videosync.info)/smi"; flowbits:set,malware.miniflame; metadata:impact_flag red,policy security-ips drop,service http; reference:url,www.virustotal.com/file/741c49af3dbc11c14327bb7447dbade53f15cd59b17f1d359162d9ddbfdc1191/analysis/; classtype:trojan-activity; sid:24407; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chiviper outbound connection"; flow:to_server,established; http_uri; content:"d10="; content:"d11="; content:"d21="; content:"d22="; http_header; content:"User-Agent|3A| Example"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24440; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chif variant outbound connection"; flow:to_server,established; http_uri; content:"/?f=ZnRwOi8v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3d5f26b36d57268e01c60ad1fd0d6b36bd4fdc3b2e83cea231b1f9ff635a6f50/analysis; classtype:trojan-activity; sid:24482; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo redirection landing page pre-infection"; flow:to_server,established; http_uri; content:"/cgi-bin/r.cgi",depth 14,nocase; content:"?p=",distance 0,nocase; content:"&m=",distance 0,nocase; content:"&h=",distance 32,nocase; content:"&u=",distance 0,nocase; content:"&q=",distance 0,nocase; content:"&t=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www9.dyndns-server.com:8080/pub/botnet-links.html; classtype:attempted-user; sid:24491; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/se/",nocase; isdataat:100,relative; pcre:"/\/se\/[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:24492; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/html/license_",nocase; isdataat:550,relative; pcre:"/\/html\/license_[0-9A-F]{550,}\.html$/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24493; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"/images2/",nocase; isdataat:500,relative; http_uri; pcre:"/^\/images2\/[0-9a-fA-F]{500,}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24494; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_uri; content:"/cgi-bin/rokfeller3.cgi?v=11"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24495; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/cgi-bin/shopping3.cgi?a="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:24496; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/cgi-bin/unshopping3.cgi?b="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:24497; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.VB variant outbound connection"; flow:to_server,established; http_uri; content:"/omerta/Mail/Mail1.3.php?"; content:"OS=Windows",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f7eff299783ff52a27fb25f479868eebb4e838ef8a5af0b123d316a712b522e8/analysis/; classtype:trojan-activity; sid:24504; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Lucuis variant outbound connection"; flow:to_server,established; content:"user_login.php"; content:"|8D F3 75 EA DC|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service ssl; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:24514; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST"; content:"|78 9C 2B 4B 2D B2 35 54 CB C9 4F CF CC B3 CD 2E CD CE 49 4C CE 48 2D 53 CB 4D 4C 2E CA 2F 4E 2D 8E 2F|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/14429942c5fa23cb0364880280c92f2122f22a60cd3f5c1cff3662ecfd92a8d5/analysis/; classtype:trojan-activity; sid:24169; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Work.Rokiwobi inbound command from C&C"; flow:to_client,established; file_data; content:"cmdtimer~~",depth 10; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/8ec9b371b8a2092ffe93ac32e5029911c118256504fb9ba1426830010a513119/analysis/; classtype:trojan-activity; sid:24185; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC RAT update protocol connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/update?id="; http_header; content:"X-Session:",nocase; content:"X-Status:",nocase; content:"X-Size:",nocase; content:"X-Sn:",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:24211; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Seveto variant outbound connection"; flow:to_server,established; http_uri; content:"/svcs.php"; content:"m|3D|"; content:"v|3D|"; content:"s|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/f7da52bf05bfd32f503ee653a1e1b22ad5a6b00597ebbe172158db12c9a75ff2/analysis/; classtype:trojan-activity; sid:24214; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; http_uri; content:"/index_post.php"; http_client_body; content:"tipo|3D|",nocase; content:"XP|3D|",nocase; content:"OUTROS|3D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/e82b4000b71c4b01f361556422bafbdc8f148072fe74e2a1667e85a7ae94cb5a/analysis/; classtype:trojan-activity; sid:24215; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Biloky variant outbound connection"; flow:to_server,established; http_uri; content:"/loc/gate.php|3F|"; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSlE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET CLR 1.1.4322"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/41d6db389438c2ca66262e64152a9e9f8cde55d3643a387a6241d7a2431c8ce5/analysis/; classtype:trojan-activity; sid:24216; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Spy variant outbound connection"; flow:to_server,established; http_uri; content:"/1.php",nocase; http_client_body; content:"name|3D 22|nome|22|",nocase; content:"name|3D 22|texto|22|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24217; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound communication"; flow:to_server,established; http_uri; content:"/counter.img?theme=",nocase; content:"&digits=10&siteId=",distance 0,fast_pattern,nocase; pcre:"/counter.img\?theme\=\d+\&digits\=10\&siteId\=\d+$/i"; http_header; content:"User-Agent|3A 20|Opera/9 (Win"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx; classtype:trojan-activity; sid:24224; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Wuwo initial infection outbound connection"; flow:to_server,established; http_uri; content:"/AES",depth 4,fast_pattern; content:".jsp?",distance 0; pcre:"/\/AES\d{9}O\d{4,5}\x2ejsp/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/69C8178F867C9CF75D813285A9D80B5CCB73D46F99D54FA7043794190D2C7685/analysis/; classtype:trojan-activity; sid:24235; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Wuwo post infection outbound connection"; flow:to_server,established; http_uri; content:"/DES",depth 4,fast_pattern; content:".jsp?",distance 0; pcre:"/\/DES\d{9}O\d{4,5}\x2ejsp/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/69C8178F867C9CF75D813285A9D80B5CCB73D46F99D54FA7043794190D2C7685/analysis/; classtype:trojan-activity; sid:24236; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Sality logo.gif URLs"; flow:to_server,established; http_uri; content:"/logo.gif?"; pcre:"/\x2Flogo\.gif\x3F[0-9a-f]{5,7}=\d{5,7}/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus%3aWin32%2fSality.AT; classtype:trojan-activity; sid:24255; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Nomno variant outbound connection"; flow:to_server,established; content:"c|3D|"; content:"shell|5F|exec"; http_cookie; content:"c|3D|"; content:"shell|5F|exec"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24285; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gozi.Prinimalka variant outbound connection"; flow:to_server,established; http_uri; content:"/system/prinimalka.py/"; content:"user_id="; content:"version_id="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/39009996a0f1c9deca07bd63c53741e7c2081820fbc8b84e0f6375b5f529fae7/analysis/; classtype:trojan-activity; sid:24361; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.VB variant outbound connection"; flow:to_server,established; http_uri; content:"/reportmac.asp",nocase; http_header; content:"User-Agent: http"; http_uri; content:"anma=",nocase; content:"zhanghao=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/e2636ae650252d760e15b13d80603d48081ebb664e6143fe1a257b4cd015d2c0/analysis/; classtype:trojan-activity; sid:24375; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.XBlocker outbound communication"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/4.0 (SPGK)"; http_uri; content:"/rz/mn.php?ver=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/68051395c25797dc668101cdd0086109cfae0114cf4d2df7d241035378b1ec13/analysis; classtype:trojan-activity; sid:24381; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.XBlocker outbound communication"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/4.0 (SPGK)"; http_uri; content:"/rz/report.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/68051395c25797dc668101cdd0086109cfae0114cf4d2df7d241035378b1ec13/analysis; classtype:trojan-activity; sid:24382; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection"; flow:to_server,established; http_uri; content:"/cgi-bin/feed.cgi"; http_header; content:"Host:",nocase; pcre:"/^Host\x3a\s*(cache.dyndns.info|flashcenter.info|flashrider.org|webapp.serveftp.com|web.autoflash.info|webupdate.dyndns.info|webupdate.hopto.org|web.velocitycache.com)/smi"; flowbits:set,malware.miniflame; metadata:impact_flag red,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24406; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection"; flow:to_server,established; http_uri; content:"/cgi-bin/counter.cgi"; http_header; content:"Host:",nocase; pcre:"/^Host\x3a\s*(194.192.14.125|202.75.58.179|flashupdates.info|nvidiadrivers.info|nvidiasoft.info|nvidiastream.info|rendercodec.info|syncstream.info|videosync.info)/smi"; flowbits:set,malware.miniflame; metadata:impact_flag red,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/741c49af3dbc11c14327bb7447dbade53f15cd59b17f1d359162d9ddbfdc1191/analysis/; classtype:trojan-activity; sid:24407; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chiviper outbound connection"; flow:to_server,established; http_uri; content:"d10="; content:"d11="; content:"d21="; content:"d22="; http_header; content:"User-Agent|3A| Example"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24440; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chif variant outbound connection"; flow:to_server,established; http_uri; content:"/?f=ZnRwOi8v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/3d5f26b36d57268e01c60ad1fd0d6b36bd4fdc3b2e83cea231b1f9ff635a6f50/analysis; classtype:trojan-activity; sid:24482; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo redirection landing page pre-infection"; flow:to_server,established; http_uri; content:"/cgi-bin/r.cgi",depth 14,nocase; content:"?p=",distance 0,nocase; content:"&m=",distance 0,nocase; content:"&h=",distance 32,nocase; content:"&u=",distance 0,nocase; content:"&q=",distance 0,nocase; content:"&t=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www9.dyndns-server.com:8080/pub/botnet-links.html; classtype:attempted-user; sid:24491; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/se/",nocase; isdataat:100,relative; pcre:"/\/se\/[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:bad-unknown; sid:24492; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/html/license_",nocase; isdataat:550,relative; pcre:"/\/html\/license_[0-9A-F]{550,}\.html$/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:24493; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"/images2/",nocase; isdataat:500,relative; http_uri; pcre:"/^\/images2\/[0-9a-fA-F]{500,}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:24494; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_uri; content:"/cgi-bin/rokfeller3.cgi?v=11"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:24495; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/cgi-bin/shopping3.cgi?a="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:attempted-user; sid:24496; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/cgi-bin/unshopping3.cgi?b="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:attempted-user; sid:24497; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.VB variant outbound connection"; flow:to_server,established; http_uri; content:"/omerta/Mail/Mail1.3.php?"; content:"OS=Windows",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/f7eff299783ff52a27fb25f479868eebb4e838ef8a5af0b123d316a712b522e8/analysis/; classtype:trojan-activity; sid:24504; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Lucuis variant outbound connection"; flow:to_server,established; content:"user_login.php"; content:"|8D F3 75 EA DC|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:ssl; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:24514; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 81 ( msg:"MALWARE-CNC Win.Backdoor.MautoitRAT variant outbound connection"; flow:to_server,established; content:"SISTEMA= "; content:"PASS= "; content:"COMPUTER= "; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/4245935950f1423fee4531a945634985ac15e04f5a99d5b1599449c5078ac366/analysis/; classtype:trojan-activity; sid:24523; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 406 ( msg:"MALWARE-CNC Win.Trojan.Scondatie.A outbound connection"; flow:to_server,established; content:"GET /gg.txt?qsEwvCtsuBCBB???}.html"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/0CF369DA7188B4634E8EC6F303F0F14D2D54E89B0E0EF90DF4EEAF4857875D21/analysis/; classtype:trojan-activity; sid:24531; rev:1; )
alert tcp $EXTERNAL_NET 406 -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Scondatie.A inbound connection"; flow:to_client,established; content:"<div id=|22|sina_keyword_ad_area2|22| class=|22|articalContent|22|>"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/0CF369DA7188B4634E8EC6F303F0F14D2D54E89B0E0EF90DF4EEAF4857875D21/analysis/; classtype:trojan-activity; sid:24532; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; http_uri; content:"/~monducci/email.php"; http_client_body; content:"remetente"; content:"assunto=Infect"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/c984c3077daffeaf19cecda6d0ca6eac5102af9dd0e9cfd93867fd22d47cac49/analysis/; classtype:trojan-activity; sid:24533; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; http_uri; content:"/envio.php"; http_client_body; content:"destinatario|3D|"; content:"|26|titulo"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24534; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Veli variant outbound connection"; flow:to_server,established; http_client_body; content:"Yuok$$"; http_header; content:"User-Agent: Asynchronous WinHTTP/1.0",nocase; http_uri; content:"logon.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/953a812f745cb3b0e5abc59c5df68dcb8e3db2ee0af8ae419480cc2c2ada27f4/analysis/; classtype:trojan-activity; sid:24563; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jorik variant outbound connection"; flow:to_server,established; http_uri; content:"/adduser.php?uid=",nocase; content:"&lan=",distance 0,nocase; content:"&cmpname=",distance 0,nocase; content:"&country=",distance 0,nocase; content:"&ver=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/CE3FCBDCB255109126530E343DCAF7E6E13C3E9A2B2DD088BBF089E16E83FC0E/analysis/; classtype:trojan-activity; sid:24566; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-CNC ACAD.Medre.A outbound connection"; flow:to_server,established; content:"To|3A| |3C|me5uqyqyg|40|163.com|3E|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aALisp%2fBlemfox.A; classtype:trojan-activity; sid:23615; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm.Win32.Faketube update request attempt"; flow:to_server,established; http_header; content:"User-Agent|3A| Autoit",nocase; http_uri; content:"|2F 7E|ntproduc|2F|update",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=35cc362bd4c354d0a27691a39f7d9b5a157f7dd0a0f286d99d64608ab8bc99a3-1287378453; classtype:trojan-activity; sid:19058; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm.Win32.Nusump.A outbound connection"; flow:to_server,established; http_uri; content:"|2F|index|2E|php|3F|",nocase; content:"|26|co|3D|",nocase; content:"|26|us|3D|",nocase; content:"|26|dt|3D|",nocase; http_header; content:!"|0A|Accept",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=42c5002aefb925a00093f764ceb41ecdea814382f94525ec7a662956dff35620-1281716324; classtype:trojan-activity; sid:19053; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC VBMania mass mailing worm activity"; flow:to_server,established; http_uri; content:"SendEmail|2E|iq"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284133892; classtype:trojan-activity; sid:17234; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC VBMania mass mailing worm download attempt"; flow:to_client,established; file_data; content:"|53 00 65 00 6E 00 64 00 45 00 6D 00 61 00 69 00 6C 00 2E 00 64 00 6C 00 6C 00 00 00|"; content:"|2E 00 69 00 71 00 00 00|",distance 0; content:"|2E 00 69 00 71 00 00 00|",distance 0; content:"|2E 00 69 00 71 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284133892; classtype:trojan-activity; sid:17235; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Klovbot variant outbound connection"; flow:to_server,established; http_uri; content:"/bots.php"; http_client_body; content:"iName=",depth 6; content:"&STLftps=",within 128,distance 4; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/56517C442332FC29324078ADC310AEF075B53B33F7B0E94685A1548C3A5F1F9E/analysis/; classtype:trojan-activity; sid:24630; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Quarian outbound connection - proxy connection"; flow:to_server,established; http_method; content:"CONNECT"; http_header; content:"Proxy-Connetion|3A|"; content:"Content_length|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/dce3412caecdb1c4959adb5794bbe3b69348b26b97360ef262acf5fd2c0dfa2c/analysis/; classtype:trojan-activity; sid:24858; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gnutler variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent:|20|ver:"; content:"|7C|os:"; content:"|7C|admin:"; content:"|7C|port:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/bc9ab894cf8229ab9b233d89595d962c7d226c8e72880d60d93f79fe4f7a6215/analysis/; classtype:trojan-activity; sid:24873; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; http_raw_uri; bufferlen:11; http_uri; content:"|2F|Config|2E|txt"; http_header; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dorkbot outbound connection"; flow:to_server,established; http_uri; content:".php?ip="; content:"&os=",distance 0; content:"&name=",distance 0; content:"&id=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535] ( msg:"MALWARE-CNC Win.Trojan.IRCBot variant outbound connection"; flow:to_server,established; content:"JOIN #rape anal"; content:"blaze"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service ircd; reference:url,www.virustotal.com/file/ab3a73bca380bfd055d27539cb2d131c8c3554835d4056282ce3271a590b27b2/analysis/; classtype:trojan-activity; sid:25016; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; http_uri; content:"/~monducci/email.php"; http_client_body; content:"remetente"; content:"assunto=Infect"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/c984c3077daffeaf19cecda6d0ca6eac5102af9dd0e9cfd93867fd22d47cac49/analysis/; classtype:trojan-activity; sid:24533; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; http_uri; content:"/envio.php"; http_client_body; content:"destinatario|3D|"; content:"|26|titulo"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24534; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Veli variant outbound connection"; flow:to_server,established; http_client_body; content:"Yuok$$"; http_header; content:"User-Agent: Asynchronous WinHTTP/1.0",nocase; http_uri; content:"logon.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/953a812f745cb3b0e5abc59c5df68dcb8e3db2ee0af8ae419480cc2c2ada27f4/analysis/; classtype:trojan-activity; sid:24563; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jorik variant outbound connection"; flow:to_server,established; http_uri; content:"/adduser.php?uid=",nocase; content:"&lan=",distance 0,nocase; content:"&cmpname=",distance 0,nocase; content:"&country=",distance 0,nocase; content:"&ver=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/CE3FCBDCB255109126530E343DCAF7E6E13C3E9A2B2DD088BBF089E16E83FC0E/analysis/; classtype:trojan-activity; sid:24566; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-CNC ACAD.Medre.A outbound connection"; flow:to_server,established; content:"To|3A| |3C|me5uqyqyg|40|163.com|3E|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aALisp%2fBlemfox.A; classtype:trojan-activity; sid:23615; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm.Win32.Faketube update request attempt"; flow:to_server,established; http_header; content:"User-Agent|3A| Autoit",nocase; http_uri; content:"|2F 7E|ntproduc|2F|update",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=35cc362bd4c354d0a27691a39f7d9b5a157f7dd0a0f286d99d64608ab8bc99a3-1287378453; classtype:trojan-activity; sid:19058; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm.Win32.Nusump.A outbound connection"; flow:to_server,established; http_uri; content:"|2F|index|2E|php|3F|",nocase; content:"|26|co|3D|",nocase; content:"|26|us|3D|",nocase; content:"|26|dt|3D|",nocase; http_header; content:!"|0A|Accept",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=42c5002aefb925a00093f764ceb41ecdea814382f94525ec7a662956dff35620-1281716324; classtype:trojan-activity; sid:19053; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC VBMania mass mailing worm activity"; flow:to_server,established; http_uri; content:"SendEmail|2E|iq"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284133892; classtype:trojan-activity; sid:17234; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC VBMania mass mailing worm download attempt"; flow:to_client,established; file_data; content:"|53 00 65 00 6E 00 64 00 45 00 6D 00 61 00 69 00 6C 00 2E 00 64 00 6C 00 6C 00 00 00|"; content:"|2E 00 69 00 71 00 00 00|",distance 0; content:"|2E 00 69 00 71 00 00 00|",distance 0; content:"|2E 00 69 00 71 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284133892; classtype:trojan-activity; sid:17235; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Klovbot variant outbound connection"; flow:to_server,established; http_uri; content:"/bots.php"; http_client_body; content:"iName=",depth 6; content:"&STLftps=",within 128,distance 4; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/56517C442332FC29324078ADC310AEF075B53B33F7B0E94685A1548C3A5F1F9E/analysis/; classtype:trojan-activity; sid:24630; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Quarian outbound connection - proxy connection"; flow:to_server,established; http_method; content:"CONNECT"; http_header; content:"Proxy-Connetion|3A|"; content:"Content_length|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/dce3412caecdb1c4959adb5794bbe3b69348b26b97360ef262acf5fd2c0dfa2c/analysis/; classtype:trojan-activity; sid:24858; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gnutler variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent:|20|ver:"; content:"|7C|os:"; content:"|7C|admin:"; content:"|7C|port:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/bc9ab894cf8229ab9b233d89595d962c7d226c8e72880d60d93f79fe4f7a6215/analysis/; classtype:trojan-activity; sid:24873; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; http_raw_uri; bufferlen:11; http_uri; content:"|2F|Config|2E|txt"; http_header; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dorkbot outbound connection"; flow:to_server,established; http_uri; content:".php?ip="; content:"&os=",distance 0; content:"&name=",distance 0; content:"&id=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535] ( msg:"MALWARE-CNC Win.Trojan.IRCBot variant outbound connection"; flow:to_server,established; content:"JOIN #rape anal"; content:"blaze"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:ircd; reference:url,www.virustotal.com/file/ab3a73bca380bfd055d27539cb2d131c8c3554835d4056282ce3271a590b27b2/analysis/; classtype:trojan-activity; sid:25016; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 ( msg:"MALWARE-CNC Win.Downloader.Recslurp variant outbound connection"; flow:to_server,established; dsize:10; content:"|20 00 05 00 00 00 06 00|",depth 10; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/682386A14177AFFA24ED3C034EF34E2414ABEE6C77C369F3055BBB1C6BD9D8F8/analysis/; classtype:trojan-activity; sid:25025; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jorik.Kolilks outbound connection"; flow:to_server,established; http_uri; content:"/kills.txt?"; pcre:"/\x2fkills\x2etxt\x3f(t\d|p)\x3d\d{6}$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/24a892d90f819cea79dfe6f8acd007bad920dbf55c1bfdaffc984cb8efa32527/analysis/; classtype:trojan-activity; sid:25049; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; http_raw_uri; bufferlen:95; pkt_data; content:" HTTP/1.0|0D 0A|Host:"; http_uri; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:25054; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Injector variant outbound connection"; flow:to_server,established; http_uri; content:".php?s=",nocase; content:"g=nb.Install"; content:"m=",nocase; content:"ml=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/cbcc6536ebb20f9d936d88e20a29c1c1d9a55555623bf74ee6908d9c7c7af9b9/analysis/; classtype:trojan-activity; sid:25070; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Macnsed variant outbound connection"; flow:to_server,established; content:"/gtskinfo.aspx"; content:"ver=",nocase; content:"m=",nocase; content:"p=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f32f4af269d5cfd038d7f3c421d4d725fcbd8469a7c8327845dbf03626aef0f2/analysis/; classtype:trojan-activity; sid:25071; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dulom variant outbound connection"; flow:to_server,established; http_uri; content:"/services.php"; content:"get=",nocase; content:"ver=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25072; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/Post|2E|Php|3F|UserName"; content:"Bank=",nocase; content:"Money=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/7d70bdcf5329404920570c96e084c78d8756bff8932832a357866eb4c57555cf/analysis/; classtype:trojan-activity; sid:25074; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-CNC WIN.Worm.Joanap variant Runtime Detection"; flow:to_server,established; content:"TO|3A| Joana |3C|",depth 11; content:"|7C|Windows ",within 72,distance 25; content:"|7C|",within 3,distance 3; content:"|7C|",within 32; pcre:"/\x3e\x0d\x0aSUBJECT\x3a (\d{1,3}\x2e){3}\d{1,3}\x7c[^\r\n]*\x7c\d{2,4}\x0d\x0a/G"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/8a8f67c7794a39ab47eadc6ab43ac467478ddd231299141dc836efec374c2779/analysis/; classtype:trojan-activity; sid:25076; rev:1; )
-alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Exploit.Hacktool variant outbound connection"; flow:to_client,established; file_data; content:"proxy server on port |5B|"; content:"waiting for client |2E 2E 2E|",nocase; content:"Authentication begin|2E 2E 2E 2E|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25093; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer"; flow:to_server,established; http_raw_uri; bufferlen:52; http_header; content:"/s/?k="; http_uri; pcre:"/^\x2f[a-z0-9]{51}$/i"; http_header; pcre:"/Referer\x3a\s*?http\x3a\x2f{2}[a-z0-9\x2e\x2d]+\x2fs\x2f\x3fk\x3d/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:25224; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET [110,8080] ( msg:"MALWARE-CNC Win.Trojan.Basutra variant outbound connection"; flow:to_server,established; content:"|7E 77 6F 6F 6F 6F|",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service pop3; reference:url,www.virustotal.com/file/1F8FB6C3EEEB6F17A6D08094B3154DF2C517BFB52698E72DBF8D197A201941A3/analysis/; classtype:trojan-activity; sid:25249; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Gamarue outbound connection"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:12; http_uri; content:"/a/image.php"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:25256; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Skintrim outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/bin/check.php?cv="; http_header; content:"ThIs_Is_tHe_bouNdaRY_$",fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f651244aad52ad48ebe6304edff95e2/analysis/1357239259/; classtype:trojan-activity; sid:25257; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast outbound connection"; flow:to_server,established; http_uri; content:"/file.aspx?file="; http_header; content:"ksp/WS"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed18613578039b002ca221757b791a5006894d/analysis/; classtype:trojan-activity; sid:25258; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BancosBanload outbound connection"; flow:to_server,established; http_header; content:"|0D 0A|Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buterat outbound connection"; flow:to_server,established; http_header; content:"From|3A|"; content:"Via|3A|"; http_raw_uri; bufferlen:13; http_uri; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buzus outbound connection"; flow:to_server,established; http_uri; content:"/default.aspx?ver="; content:"&uid=",distance 0; http_header; content:"|3B 20|MRA|20|5.10|20|"; http_uri; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:25271; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ruskill variant outbound connection"; flow:to_server,established; http_uri; content:"/rssnews.php"; http_client_body; content:"id=",nocase; content:"varname=",nocase; content:"comp=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb/analysis/; classtype:trojan-activity; sid:25371; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"/new/iistart.html"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b2a59c329413ac9527e78ac791f96e81113426f57027c335c1dd96ce820a115d/analysis/; classtype:trojan-activity; sid:25465; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:39; http_uri; content:"/?ptrxcz_"; pcre:"/^\x2f\x3fptrxcz\x5f[a-zA-Z0-9]{30}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:25471; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Necurs Rootkit sba.cgi"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:16; http_uri; content:"/cgi-bin/sba.cgi"; http_client_body; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25503; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Necurs Rootkit op.cgi"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:15; http_uri; content:"/cgi-bin/op.cgi"; http_client_body; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25504; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lfstream|26|",depth 9,offset 8; pcre:"/^POST\x20\x2fg[ao]lfstream\x26/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/f4c44b5331c30b62beacae5d343d591584715c2d9d6d65848216b61efd916ec1/analysis/; classtype:trojan-activity; sid:25511; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC SpyForms malware call home attempt"; flow:to_server,established; http_uri; content:"/evil/services/bid_register.php?BID="; pcre:"/\x2Fevil\x2Fservices\x2Fbid_register\x2Ephp\x3FBID\x3D[A-Za-z]{6}\x26IP\x3D\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x26cipher\x3D[A-Za-z]{9}/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatexpert.com/report.aspx?md5=acf30e13cbcf7eafc8475e976f7af3ec; classtype:trojan-activity; sid:16362; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Sigly variant outbound connection"; flow:to_server,established; http_uri; content:"/kiss.php"; http_client_body; content:"|4D 61 CA 19 62 C9 58 BB|",depth 8; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/a24be7092e231bd309e2a5accffa0faccb9b0bdbeca3c176f2548e8f3704b616/analysis/; classtype:trojan-activity; sid:25541; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Printlove variant outbound connection"; flow:to_server,established; http_uri; content:"/ldrcfg.php"; http_client_body; content:"id=x",nocase; content:"cn=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/36aefe98416471a97e36f8e9e0ba36e5588a7b83eb776c0e62cfc9d55779380f/analysis/; classtype:trojan-activity; sid:25545; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dexter variant outbound connection"; flow:to_server,established; http_uri; content:"/gateway.php"; http_client_body; content:"page=",depth 5; content:"&unm=",within 384; content:"&query=",within 128; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/CAE3CDAAA1EC224843E1C3EFB78505B2E0781D70502BEDFF5715DC0E9B561785/analysis/; classtype:trojan-activity; sid:25553; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Medialabs outbound connection"; flow:to_server,established; http_uri; content:"/?act="; content:"&lang=",distance 0; content:"&wmid=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/949F178D9A4B771CA8A4B517298EF00BEC3C4C08016CE9445C093BF444EB05FE/analysis/; classtype:trojan-activity; sid:25570; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Medialabs outbound connection"; flow:to_server,established; http_uri; content:"/?ping="; content:"&instid=",distance 0; content:"&step=",distance 0; content:"&vermini=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/949F178D9A4B771CA8A4B517298EF00BEC3C4C08016CE9445C093BF444EB05FE/analysis/; classtype:trojan-activity; sid:25571; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Virut variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:17; http_uri; content:".txt"; http_header; content:"User-Agent|3A 20|Download"; http_uri; pcre:"/\/[a-z0-9]{12}\.txt$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/A310DE3A30A3D7E5651F8BDAE6FF6995F2B91331544DF054CD89D51C8D047F87/analysis/; classtype:trojan-activity; sid:25572; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:15; http_uri; content:"/admin/host.php"; http_client_body; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/98fb9778208cb74c11a71afd065ae64e562ded1ae477ad42e392fe3711170319/analysis/; classtype:trojan-activity; sid:25577; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Dilavtor variant outbound connection"; flow:to_server,established; http_uri; content:"&a=aff_3556"; content:"?i=",nocase; content:"&u=",distance 0,nocase; content:"&l=",distance 0,nocase; content:"&f=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3116E49F16D0C789975DF51F1C103B3F30A60BE08FFE30D3BBC629FAC9C3AF67/analysis/; classtype:trojan-activity; sid:25600; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; http_uri; content:"/insert.php"; pkt_data; content:"nome_pc=",nocase; content:"opcao=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25609; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8899 ( msg:"MALWARE-CNC Win.Trojan.Daws variant outbound connection"; flow:to_server,established; http_uri; content:"/log_it.php"; content:"t=",nocase; content:"m=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/9dd38d5e29d0249e04f09eb41e7163fc31395fbefc142f9031817ebb6b3014f0/analysis/; classtype:trojan-activity; sid:25625; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_uri; content:"/dudley.php"; http_client_body; content:"remetente=",nocase; content:"destino=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/e48184401b7c4f83b91079b56eec44f2f4f53311d8ac69a6380aa809458620fd/analysis/; classtype:trojan-activity; sid:25626; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] ( msg:"MALWARE-CNC Win.Trojan.Reventon variant outbound communication"; flow:to_server,established; dsize:<7; content:"|9A 02 00 00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/25c690dac0d17f9ba304e5e68c1da2381685b1aa0aa3cd503589bbc59daf81eb/analysis/; classtype:trojan-activity; sid:25627; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kryptic variant outbound connection"; flow:to_server,established; http_client_body; content:"wok5VLG|2D 36|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/3ff78086c2e0fb839beeea7e4a209850c00f338005872e845155341cc30a5db5/analysis/; classtype:trojan-activity; sid:25652; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; http_uri; content:"/js/disable.js?type="; http_header; content:"Accept|3A 20|application/javascript|2C 20 2A 2F 2A 3B|q=0.8"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Medfos.B; classtype:trojan-activity; sid:25660; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; http_uri; content:"/bots.php"; content:"name=",nocase; content:"so=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/339640de61e725c495c2404565ffb1afb9b89c516306bf09697ca9a058eb98d5/analysis/; classtype:trojan-activity; sid:25661; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chowspy variant outbound connection"; flow:to_server,established; http_uri; content:"/check_counter.php"; content:"pid=",nocase; content:"mac=",nocase; content:"kind=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/ba3a5098f80acc4cc3fd02a8765306f724b7d41c06285e74795ba109e63d32bd/analysis/; classtype:trojan-activity; sid:25662; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rimod variant outbound connection"; flow:to_server,established; http_uri; content:"/webserver"; content:"uptime=",nocase; content:"ping=",nocase; content:"hits=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/ee5e100e94f2484d896eb6f04f7541f706cc6b6e1871d4e9a75cb465ba8895f6/analysis/; classtype:trojan-activity; sid:25663; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Selasloot variant outbound connection"; flow:to_server,established; http_uri; content:"/snwd.php"; content:"tp="; content:"&tg=",within 12,distance 1; content:"&ts=Microsoft"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3026B25C0B76E9341CF894F275F5222462B799C6439A1920555D09E97B92760A/analysis/; classtype:trojan-activity; sid:25669; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 ( msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; http_header; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; http_raw_uri; bufferlen:159; http_uri; pcre:"/\x2f[A-F0-9]{158}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Agent YEH outbound connection"; flow:to_server,established; http_header; content:"|29 3B 28|b|3A|3790|3B|c|3A|INT|2D|6760|3B|l|3A|09|29 0D 0A|"; http_uri; pcre:"/\x2f\?ts\x3d[a-f0-9]{40}\x26/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YEH/detailed-analysis.aspx; classtype:trojan-activity; sid:25765; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_uri; content:"/cmd.php?cmd="; content:"arq=",distance 0; content:"cmd2=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fBancos; classtype:trojan-activity; sid:25766; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Urausy Botnet variant outbound communication"; flow:to_server,established; http_raw_uri; bufferlen:95<>102; http_header; content:"|29 20|Chrome|2F|"; content:!"|0A|Accept-Encoding|3A 20|"; http_uri; pcre:"/^\x2f[a-z\x2d\x5f]{90,97}\.php$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.botnets.fr/index.php/Urausy; classtype:trojan-activity; sid:25807; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Sality logos.gif URLs"; flow:to_server,established; http_uri; content:"/logos.gif?"; pcre:"/\x2Flogos\.gif\x3F[0-9a-f]+=\x2d?\d+/i"; http_header; content:!"|0A|Referer|3A|"; content:!"|0A|Cookie|3A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/79416e894ee7040e88f9918802db4d473140d45e45d945abebe820a1841ec5ba/analysis/; classtype:trojan-activity; sid:25809; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Banker FTC variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:18; http_uri; content:"/listas/out/si.php"; pkt_data; content:"HTTP/1.0|0D 0A|",depth 10,offset 24; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banker-FTC/detailed-analysis.aspx; classtype:trojan-activity; sid:25829; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Zeus - MSIE7 No Referer No Cookie"; flow:to_server,established; http_raw_uri; bufferlen:1; http_uri; content:"|2F|"; http_header; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Einfo\r\n/i"; content:!"|0A|Referer|3A|"; content:!"|0A|Cookie|3A|"; content:"|3B 20|MSIE|20|7.0|3B 20|"; content:"|2E|info|0D 0A|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:25854; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC GzWaaa outbound data connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:".php"; http_header; content:"User|2D|Agent|3A 20|Mozilla|2F|3.0|20 28|compatible|3B 20|Indy Library|29 0D 0A|"; http_client_body; content:"form-data|3B| name=|22|userfile|22 3B| filename="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/04edf40eaf652dfab4e8dc2ca21fbf2e99d361746995767071789cc3fa24d2cc/analysis/1361822708/; classtype:trojan-activity; sid:25949; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Boolflot variant outbound connection"; flow:to_server,established; http_uri; content:"/bot/reg.php?guid=",depth 18; content:"&os=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/DEDC949773B39A6CFAE20249CA90F07B222C8431CA8E652A4C1344BE49E0C655/analysis/; classtype:trojan-activity; sid:25973; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC CNC Dirtjumper outbound connection"; flow:to_server,established; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 34|0D 0A|"; http_client_body; content:"k=",depth 2; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2012/04/a-ddos-family-affair-dirt-jumper-bot-family-continues-to-evolve/; classtype:trojan-activity; sid:26010; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bredo variant outbound connection"; flow:to_server,established; http_uri; content:"/forum/images.php?id="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.spyware-techie.com/malbredo-q-removal-guide; classtype:trojan-activity; sid:26019; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:7; http_uri; content:"/in.php"; http_header; content:".ru|0D 0A|User-Agent|3A 20|Mozilla/4.0|0D 0A|"; content:"|0A|Content-Length|3A 20|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,zeustracker.abuse.ch/monitor.php?ipaddress=195.22.26.231; classtype:trojan-activity; sid:26023; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Wecod variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:20; http_uri; content:"/b/n/winrar/tudo.rar"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/22e0300501e6bbb7f46c2fb5aed12e4c0d23385cc6319d430cd4faed5241f362/analysis/; classtype:trojan-activity; sid:26024; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Locati variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/home/index.asp?typeid="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/130411FDD36046693E5CB49BBEE9CCD628BCB4CFB1E581D03E7787D298136F73/analysis/; classtype:trojan-activity; sid:26072; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos variant outbound connection SQL query POST data"; flow:to_server,established; http_client_body; content:"a=select CAMPO from PAGINA where CODIGO = "; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity; sid:26075; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Encriyoko variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Go http package|0D 0A|"; http_uri; content:"/downs/zdx.tgz"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/9562bd4c4fa237ba85247d7c4cf0f9ab7631a97f1c641eaf3aa66223726a909f/analysis/; classtype:trojan-activity; sid:24439; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Encriyoko variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Go http package|0D 0A|"; http_uri; content:"/about/step1.php"; http_client_body; content:"m_usr="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/9562bd4c4fa237ba85247d7c4cf0f9ab7631a97f1c641eaf3aa66223726a909f/analysis/; classtype:trojan-activity; sid:26088; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jorik.Kolilks outbound connection"; flow:to_server,established; http_uri; content:"/kills.txt?"; pcre:"/\x2fkills\x2etxt\x3f(t\d|p)\x3d\d{6}$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/24a892d90f819cea79dfe6f8acd007bad920dbf55c1bfdaffc984cb8efa32527/analysis/; classtype:trojan-activity; sid:25049; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; http_raw_uri; bufferlen:95; pkt_data; content:" HTTP/1.0|0D 0A|Host:"; http_uri; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:25054; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Injector variant outbound connection"; flow:to_server,established; http_uri; content:".php?s=",nocase; content:"g=nb.Install"; content:"m=",nocase; content:"ml=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/cbcc6536ebb20f9d936d88e20a29c1c1d9a55555623bf74ee6908d9c7c7af9b9/analysis/; classtype:trojan-activity; sid:25070; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Macnsed variant outbound connection"; flow:to_server,established; content:"/gtskinfo.aspx"; content:"ver=",nocase; content:"m=",nocase; content:"p=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/f32f4af269d5cfd038d7f3c421d4d725fcbd8469a7c8327845dbf03626aef0f2/analysis/; classtype:trojan-activity; sid:25071; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dulom variant outbound connection"; flow:to_server,established; http_uri; content:"/services.php"; content:"get=",nocase; content:"ver=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25072; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/Post|2E|Php|3F|UserName"; content:"Bank=",nocase; content:"Money=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/7d70bdcf5329404920570c96e084c78d8756bff8932832a357866eb4c57555cf/analysis/; classtype:trojan-activity; sid:25074; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-CNC WIN.Worm.Joanap variant Runtime Detection"; flow:to_server,established; content:"TO|3A| Joana |3C|",depth 11; content:"|7C|Windows ",within 72,distance 25; content:"|7C|",within 3,distance 3; content:"|7C|",within 32; pcre:"/\x3e\x0d\x0aSUBJECT\x3a (\d{1,3}\x2e){3}\d{1,3}\x7c[^\r\n]*\x7c\d{2,4}\x0d\x0a/G"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/8a8f67c7794a39ab47eadc6ab43ac467478ddd231299141dc836efec374c2779/analysis/; classtype:trojan-activity; sid:25076; rev:1; )
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Exploit.Hacktool variant outbound connection"; flow:to_client,established; file_data; content:"proxy server on port |5B|"; content:"waiting for client |2E 2E 2E|",nocase; content:"Authentication begin|2E 2E 2E 2E|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25093; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer"; flow:to_server,established; http_raw_uri; bufferlen:52; http_header; content:"/s/?k="; http_uri; pcre:"/^\x2f[a-z0-9]{51}$/i"; http_header; pcre:"/Referer\x3a\s*?http\x3a\x2f{2}[a-z0-9\x2e\x2d]+\x2fs\x2f\x3fk\x3d/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:25224; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET [110,8080] ( msg:"MALWARE-CNC Win.Trojan.Basutra variant outbound connection"; flow:to_server,established; content:"|7E 77 6F 6F 6F 6F|",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:pop3; reference:url,www.virustotal.com/file/1F8FB6C3EEEB6F17A6D08094B3154DF2C517BFB52698E72DBF8D197A201941A3/analysis/; classtype:trojan-activity; sid:25249; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Gamarue outbound connection"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:12; http_uri; content:"/a/image.php"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:25256; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Skintrim outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/bin/check.php?cv="; http_header; content:"ThIs_Is_tHe_bouNdaRY_$",fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f651244aad52ad48ebe6304edff95e2/analysis/1357239259/; classtype:trojan-activity; sid:25257; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast outbound connection"; flow:to_server,established; http_uri; content:"/file.aspx?file="; http_header; content:"ksp/WS"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed18613578039b002ca221757b791a5006894d/analysis/; classtype:trojan-activity; sid:25258; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BancosBanload outbound connection"; flow:to_server,established; http_header; content:"|0D 0A|Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buterat outbound connection"; flow:to_server,established; http_header; content:"From|3A|"; content:"Via|3A|"; http_raw_uri; bufferlen:13; http_uri; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buzus outbound connection"; flow:to_server,established; http_uri; content:"/default.aspx?ver="; content:"&uid=",distance 0; http_header; content:"|3B 20|MRA|20|5.10|20|"; http_uri; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:25271; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ruskill variant outbound connection"; flow:to_server,established; http_uri; content:"/rssnews.php"; http_client_body; content:"id=",nocase; content:"varname=",nocase; content:"comp=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb/analysis/; classtype:trojan-activity; sid:25371; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"/new/iistart.html"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/b2a59c329413ac9527e78ac791f96e81113426f57027c335c1dd96ce820a115d/analysis/; classtype:trojan-activity; sid:25465; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:39; http_uri; content:"/?ptrxcz_"; pcre:"/^\x2f\x3fptrxcz\x5f[a-zA-Z0-9]{30}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:25471; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Necurs Rootkit sba.cgi"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:16; http_uri; content:"/cgi-bin/sba.cgi"; http_client_body; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25503; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Necurs Rootkit op.cgi"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:15; http_uri; content:"/cgi-bin/op.cgi"; http_client_body; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25504; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lfstream|26|",depth 9,offset 8; pcre:"/^POST\x20\x2fg[ao]lfstream\x26/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/f4c44b5331c30b62beacae5d343d591584715c2d9d6d65848216b61efd916ec1/analysis/; classtype:trojan-activity; sid:25511; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC SpyForms malware call home attempt"; flow:to_server,established; http_uri; content:"/evil/services/bid_register.php?BID="; pcre:"/\x2Fevil\x2Fservices\x2Fbid_register\x2Ephp\x3FBID\x3D[A-Za-z]{6}\x26IP\x3D\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x26cipher\x3D[A-Za-z]{9}/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,threatexpert.com/report.aspx?md5=acf30e13cbcf7eafc8475e976f7af3ec; classtype:trojan-activity; sid:16362; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Sigly variant outbound connection"; flow:to_server,established; http_uri; content:"/kiss.php"; http_client_body; content:"|4D 61 CA 19 62 C9 58 BB|",depth 8; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/a24be7092e231bd309e2a5accffa0faccb9b0bdbeca3c176f2548e8f3704b616/analysis/; classtype:trojan-activity; sid:25541; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Printlove variant outbound connection"; flow:to_server,established; http_uri; content:"/ldrcfg.php"; http_client_body; content:"id=x",nocase; content:"cn=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/36aefe98416471a97e36f8e9e0ba36e5588a7b83eb776c0e62cfc9d55779380f/analysis/; classtype:trojan-activity; sid:25545; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dexter variant outbound connection"; flow:to_server,established; http_uri; content:"/gateway.php"; http_client_body; content:"page=",depth 5; content:"&unm=",within 384; content:"&query=",within 128; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/CAE3CDAAA1EC224843E1C3EFB78505B2E0781D70502BEDFF5715DC0E9B561785/analysis/; classtype:trojan-activity; sid:25553; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Medialabs outbound connection"; flow:to_server,established; http_uri; content:"/?act="; content:"&lang=",distance 0; content:"&wmid=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/949F178D9A4B771CA8A4B517298EF00BEC3C4C08016CE9445C093BF444EB05FE/analysis/; classtype:trojan-activity; sid:25570; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Medialabs outbound connection"; flow:to_server,established; http_uri; content:"/?ping="; content:"&instid=",distance 0; content:"&step=",distance 0; content:"&vermini=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/949F178D9A4B771CA8A4B517298EF00BEC3C4C08016CE9445C093BF444EB05FE/analysis/; classtype:trojan-activity; sid:25571; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Virut variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:17; http_uri; content:".txt"; http_header; content:"User-Agent|3A 20|Download"; http_uri; pcre:"/\/[a-z0-9]{12}\.txt$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/A310DE3A30A3D7E5651F8BDAE6FF6995F2B91331544DF054CD89D51C8D047F87/analysis/; classtype:trojan-activity; sid:25572; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:15; http_uri; content:"/admin/host.php"; http_client_body; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/98fb9778208cb74c11a71afd065ae64e562ded1ae477ad42e392fe3711170319/analysis/; classtype:trojan-activity; sid:25577; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Dilavtor variant outbound connection"; flow:to_server,established; http_uri; content:"&a=aff_3556"; content:"?i=",nocase; content:"&u=",distance 0,nocase; content:"&l=",distance 0,nocase; content:"&f=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/3116E49F16D0C789975DF51F1C103B3F30A60BE08FFE30D3BBC629FAC9C3AF67/analysis/; classtype:trojan-activity; sid:25600; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; http_uri; content:"/insert.php"; pkt_data; content:"nome_pc=",nocase; content:"opcao=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25609; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8899 ( msg:"MALWARE-CNC Win.Trojan.Daws variant outbound connection"; flow:to_server,established; http_uri; content:"/log_it.php"; content:"t=",nocase; content:"m=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/9dd38d5e29d0249e04f09eb41e7163fc31395fbefc142f9031817ebb6b3014f0/analysis/; classtype:trojan-activity; sid:25625; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_uri; content:"/dudley.php"; http_client_body; content:"remetente=",nocase; content:"destino=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/e48184401b7c4f83b91079b56eec44f2f4f53311d8ac69a6380aa809458620fd/analysis/; classtype:trojan-activity; sid:25626; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] ( msg:"MALWARE-CNC Win.Trojan.Reventon variant outbound communication"; flow:to_server,established; dsize:<7; content:"|9A 02 00 00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/25c690dac0d17f9ba304e5e68c1da2381685b1aa0aa3cd503589bbc59daf81eb/analysis/; classtype:trojan-activity; sid:25627; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kryptic variant outbound connection"; flow:to_server,established; http_client_body; content:"wok5VLG|2D 36|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/3ff78086c2e0fb839beeea7e4a209850c00f338005872e845155341cc30a5db5/analysis/; classtype:trojan-activity; sid:25652; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; http_uri; content:"/js/disable.js?type="; http_header; content:"Accept|3A 20|application/javascript|2C 20 2A 2F 2A 3B|q=0.8"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Medfos.B; classtype:trojan-activity; sid:25660; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; http_uri; content:"/bots.php"; content:"name=",nocase; content:"so=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/339640de61e725c495c2404565ffb1afb9b89c516306bf09697ca9a058eb98d5/analysis/; classtype:trojan-activity; sid:25661; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chowspy variant outbound connection"; flow:to_server,established; http_uri; content:"/check_counter.php"; content:"pid=",nocase; content:"mac=",nocase; content:"kind=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/ba3a5098f80acc4cc3fd02a8765306f724b7d41c06285e74795ba109e63d32bd/analysis/; classtype:trojan-activity; sid:25662; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rimod variant outbound connection"; flow:to_server,established; http_uri; content:"/webserver"; content:"uptime=",nocase; content:"ping=",nocase; content:"hits=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/ee5e100e94f2484d896eb6f04f7541f706cc6b6e1871d4e9a75cb465ba8895f6/analysis/; classtype:trojan-activity; sid:25663; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Selasloot variant outbound connection"; flow:to_server,established; http_uri; content:"/snwd.php"; content:"tp="; content:"&tg=",within 12,distance 1; content:"&ts=Microsoft"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/3026B25C0B76E9341CF894F275F5222462B799C6439A1920555D09E97B92760A/analysis/; classtype:trojan-activity; sid:25669; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 ( msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; http_header; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; http_raw_uri; bufferlen:159; http_uri; pcre:"/\x2f[A-F0-9]{158}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Agent YEH outbound connection"; flow:to_server,established; http_header; content:"|29 3B 28|b|3A|3790|3B|c|3A|INT|2D|6760|3B|l|3A|09|29 0D 0A|"; http_uri; pcre:"/\x2f\?ts\x3d[a-f0-9]{40}\x26/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YEH/detailed-analysis.aspx; classtype:trojan-activity; sid:25765; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_uri; content:"/cmd.php?cmd="; content:"arq=",distance 0; content:"cmd2=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fBancos; classtype:trojan-activity; sid:25766; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Urausy Botnet variant outbound communication"; flow:to_server,established; http_raw_uri; bufferlen:95<>102; http_header; content:"|29 20|Chrome|2F|"; content:!"|0A|Accept-Encoding|3A 20|"; http_uri; pcre:"/^\x2f[a-z\x2d\x5f]{90,97}\.php$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.botnets.fr/index.php/Urausy; classtype:trojan-activity; sid:25807; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Sality logos.gif URLs"; flow:to_server,established; http_uri; content:"/logos.gif?"; pcre:"/\x2Flogos\.gif\x3F[0-9a-f]+=\x2d?\d+/i"; http_header; content:!"|0A|Referer|3A|"; content:!"|0A|Cookie|3A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/79416e894ee7040e88f9918802db4d473140d45e45d945abebe820a1841ec5ba/analysis/; classtype:trojan-activity; sid:25809; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Banker FTC variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:18; http_uri; content:"/listas/out/si.php"; pkt_data; content:"HTTP/1.0|0D 0A|",depth 10,offset 24; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banker-FTC/detailed-analysis.aspx; classtype:trojan-activity; sid:25829; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Zeus - MSIE7 No Referer No Cookie"; flow:to_server,established; http_raw_uri; bufferlen:1; http_uri; content:"|2F|"; http_header; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Einfo\r\n/i"; content:!"|0A|Referer|3A|"; content:!"|0A|Cookie|3A|"; content:"|3B 20|MSIE|20|7.0|3B 20|"; content:"|2E|info|0D 0A|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:25854; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC GzWaaa outbound data connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:".php"; http_header; content:"User|2D|Agent|3A 20|Mozilla|2F|3.0|20 28|compatible|3B 20|Indy Library|29 0D 0A|"; http_client_body; content:"form-data|3B| name=|22|userfile|22 3B| filename="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/04edf40eaf652dfab4e8dc2ca21fbf2e99d361746995767071789cc3fa24d2cc/analysis/1361822708/; classtype:trojan-activity; sid:25949; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Boolflot variant outbound connection"; flow:to_server,established; http_uri; content:"/bot/reg.php?guid=",depth 18; content:"&os=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/DEDC949773B39A6CFAE20249CA90F07B222C8431CA8E652A4C1344BE49E0C655/analysis/; classtype:trojan-activity; sid:25973; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC CNC Dirtjumper outbound connection"; flow:to_server,established; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 34|0D 0A|"; http_client_body; content:"k=",depth 2; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,ddos.arbornetworks.com/2012/04/a-ddos-family-affair-dirt-jumper-bot-family-continues-to-evolve/; classtype:trojan-activity; sid:26010; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bredo variant outbound connection"; flow:to_server,established; http_uri; content:"/forum/images.php?id="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.spyware-techie.com/malbredo-q-removal-guide; classtype:trojan-activity; sid:26019; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:7; http_uri; content:"/in.php"; http_header; content:".ru|0D 0A|User-Agent|3A 20|Mozilla/4.0|0D 0A|"; content:"|0A|Content-Length|3A 20|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,zeustracker.abuse.ch/monitor.php?ipaddress=195.22.26.231; classtype:trojan-activity; sid:26023; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Wecod variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:20; http_uri; content:"/b/n/winrar/tudo.rar"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/22e0300501e6bbb7f46c2fb5aed12e4c0d23385cc6319d430cd4faed5241f362/analysis/; classtype:trojan-activity; sid:26024; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Locati variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/home/index.asp?typeid="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/130411FDD36046693E5CB49BBEE9CCD628BCB4CFB1E581D03E7787D298136F73/analysis/; classtype:trojan-activity; sid:26072; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos variant outbound connection SQL query POST data"; flow:to_server,established; http_client_body; content:"a=select CAMPO from PAGINA where CODIGO = "; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity; sid:26075; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Encriyoko variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Go http package|0D 0A|"; http_uri; content:"/downs/zdx.tgz"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/9562bd4c4fa237ba85247d7c4cf0f9ab7631a97f1c641eaf3aa66223726a909f/analysis/; classtype:trojan-activity; sid:24439; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Encriyoko variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Go http package|0D 0A|"; http_uri; content:"/about/step1.php"; http_client_body; content:"m_usr="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/9562bd4c4fa237ba85247d7c4cf0f9ab7631a97f1c641eaf3aa66223726a909f/analysis/; classtype:trojan-activity; sid:26088; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"|01 00 00 00|",depth 4; content:"|00 00 00|Windows",within 11,distance 143; content:"MB",within 24,distance 48; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/en/file/A8C1E66889E9760B80C9849385BC7F833996EB7823FCC36812413833CAB85C6B/analysis/; classtype:trojan-activity; sid:26118; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/chkupdt.asp"; http_client_body; content:"ver=",depth 4; http_header; content:!"User-Agent:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/A8C1E66889E9760B80C9849385BC7F833996EB7823FCC36812413833CAB85C6B/analysis/; classtype:trojan-activity; sid:26119; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gupd variant outbound connection"; flow:to_server,established; http_client_body; content:"cstype=",depth 7; content:"&authname=",within 48,distance 1; content:"&authpass=",within 48,distance 1; content:"&hostname=",within 48,distance 1; content:"&ostype=",within 256,distance 1; content:"&macaddr=",within 64,distance 16; content:"&owner=",within 48,distance 17; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/0DD9018A9AF609382FABDA8E4EC86033DA83E42FEC25499C329DBDCBB00F2AF0/analysis/; classtype:trojan-activity; sid:26203; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Malex variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: PCICompliant/3.33"; http_uri; content:"/process.php?xy="; content:"fGF6fDIu",within 8,distance 48; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/BB12FC4943857D8B8DF1EA67EECC60A8791257AC3BE12AE44634EE559DA91BC0/analysis/; classtype:trojan-activity; sid:26204; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Eldorado variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:12; http_uri; content:"/pid/pid.txt"; http_header; content:"(compatible|3B 20|Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC CNC Dirtjumper outbound connection"; flow:to_server,established; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 17|0D 0A|"; http_client_body; content:"k=",depth 2; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2012/04/a-ddos-family-affair-dirt-jumper-bot-family-continues-to-evolve/; classtype:trojan-activity; sid:26011; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Dapato banking Trojan outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:21; http_uri; content:"/pics/_vti_cnf/00.inf"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4ad295128003f76d1f452ba7cb6e2d20d4/analysis/1364314446/; classtype:trojan-activity; sid:26264; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Brontok Worm outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Brontok.A8 Browser|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.securelist.com/en/descriptions/10286064/Email-Worm.Win32.Brontok.rf?print_mode=1; classtype:trojan-activity; sid:26288; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; http_uri; content:".php?mac="; http_header; content:"|0D 0A|Accept-Language|3A 20|ko|0D 0A|"; http_uri; pcre:"/\.php\?mac\x3d([a-f0-9]{2}\x3a){5}[a-f0-9]{2}$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f6c3f42ccb5704c8174944ee8b901abec/analysis/; classtype:trojan-activity; sid:26325; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC FBI Ransom Trojan variant outbound connection"; flow:to_server,established; http_uri; content:"/nosignal.jpg?"; pcre:"/^\x2fnosignal\.jpg\?\d\.\d+$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26335; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - ksa.txt"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/ksa.txt"; http_header; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26370; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - op POST"; flow:to_server,established; http_client_body; content:"op=",depth 3; content:"&nmpc="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26371; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot fake PNG config file download without User-Agent"; flow:to_server,established; http_header; content:"Accept: application/xml,application/xhtml+xml,text/html|3B|q=0.9,text/plain|3B|q=0.8,image/png,*/*|3B|q=0.5|0D 0A|"; http_uri; pcre:"/\.png$/i"; http_header; content:!"User-Agent:",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26480; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; http_raw_uri; bufferlen:10; http_header; content:"sousi.extasix.com|0D 0A|"; http_uri; content:"/genst.htm"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; http_uri; content:"/images/m.php?id="; http_header; content:"|3B 20|MSIE 6.0|3B 20|"; content:!"Referer|3A 20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26578; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; http_uri; content:"/ccbill/m.php?id="; http_header; content:"|3B 20|MSIE 6.0|3B 20|"; content:!"Referer|3A 20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26579; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/chkupdt.asp"; http_client_body; content:"ver=",depth 4; http_header; content:!"User-Agent:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/A8C1E66889E9760B80C9849385BC7F833996EB7823FCC36812413833CAB85C6B/analysis/; classtype:trojan-activity; sid:26119; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gupd variant outbound connection"; flow:to_server,established; http_client_body; content:"cstype=",depth 7; content:"&authname=",within 48,distance 1; content:"&authpass=",within 48,distance 1; content:"&hostname=",within 48,distance 1; content:"&ostype=",within 256,distance 1; content:"&macaddr=",within 64,distance 16; content:"&owner=",within 48,distance 17; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0DD9018A9AF609382FABDA8E4EC86033DA83E42FEC25499C329DBDCBB00F2AF0/analysis/; classtype:trojan-activity; sid:26203; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Malex variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: PCICompliant/3.33"; http_uri; content:"/process.php?xy="; content:"fGF6fDIu",within 8,distance 48; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/BB12FC4943857D8B8DF1EA67EECC60A8791257AC3BE12AE44634EE559DA91BC0/analysis/; classtype:trojan-activity; sid:26204; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Eldorado variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:12; http_uri; content:"/pid/pid.txt"; http_header; content:"(compatible|3B 20|Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC CNC Dirtjumper outbound connection"; flow:to_server,established; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 17|0D 0A|"; http_client_body; content:"k=",depth 2; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,ddos.arbornetworks.com/2012/04/a-ddos-family-affair-dirt-jumper-bot-family-continues-to-evolve/; classtype:trojan-activity; sid:26011; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Dapato banking Trojan outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:21; http_uri; content:"/pics/_vti_cnf/00.inf"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4ad295128003f76d1f452ba7cb6e2d20d4/analysis/1364314446/; classtype:trojan-activity; sid:26264; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Brontok Worm outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Brontok.A8 Browser|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.securelist.com/en/descriptions/10286064/Email-Worm.Win32.Brontok.rf?print_mode=1; classtype:trojan-activity; sid:26288; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; http_uri; content:".php?mac="; http_header; content:"|0D 0A|Accept-Language|3A 20|ko|0D 0A|"; http_uri; pcre:"/\.php\?mac\x3d([a-f0-9]{2}\x3a){5}[a-f0-9]{2}$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f6c3f42ccb5704c8174944ee8b901abec/analysis/; classtype:trojan-activity; sid:26325; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC FBI Ransom Trojan variant outbound connection"; flow:to_server,established; http_uri; content:"/nosignal.jpg?"; pcre:"/^\x2fnosignal\.jpg\?\d\.\d+$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26335; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - ksa.txt"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/ksa.txt"; http_header; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26370; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - op POST"; flow:to_server,established; http_client_body; content:"op=",depth 3; content:"&nmpc="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26371; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot fake PNG config file download without User-Agent"; flow:to_server,established; http_header; content:"Accept: application/xml,application/xhtml+xml,text/html|3B|q=0.9,text/plain|3B|q=0.8,image/png,*/*|3B|q=0.5|0D 0A|"; http_uri; pcre:"/\.png$/i"; http_header; content:!"User-Agent:",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26480; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; http_raw_uri; bufferlen:10; http_header; content:"sousi.extasix.com|0D 0A|"; http_uri; content:"/genst.htm"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; http_uri; content:"/images/m.php?id="; http_header; content:"|3B 20|MSIE 6.0|3B 20|"; content:!"Referer|3A 20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26578; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; http_uri; content:"/ccbill/m.php?id="; http_header; content:"|3B 20|MSIE 6.0|3B 20|"; content:!"Referer|3A 20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26579; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Bydra variant outbound connection"; flow:to_server,established; dsize:32<>256; content:"|FF 01 DD CC|",depth 4; content:"|7C|Windows|20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/de/file/302bcc38f03b5c4f31432dae242c8c61ec1d243eeeec315053bc6c0fe6f74488/analysis/; classtype:trojan-activity; sid:26604; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Bydra variant outbound connection"; flow:to_server,established; dsize:32<>256; content:"|FF 01 DD CC|",depth 4; content:"|7C|Microsoft|20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/de/file/302bcc38f03b5c4f31432dae242c8c61ec1d243eeeec315053bc6c0fe6f74488/analysis/; classtype:trojan-activity; sid:26605; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Sosork variant outbound connection"; flow:to_server,established; content:"GET /3010"; content:!"Accept"; pcre:"/^GET \x2F3010[0-9A-F]{166}00000001/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/de/file/24E26943C43BBC57362EC1415114730C94DB9E356E3F4E6081453E924121BB11/analysis/; classtype:trojan-activity; sid:26606; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Korlia variant outbound connection"; flow:to_server,established; content:"|42 28 58 28|",depth 4,offset 16; content:"|6C 28 49 28 51 28|",depth 64,offset 80; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service ssl; reference:url,www.virustotal.com/de/file/6C876FA80FE56937CE3997FADBA2A377D814A8DE0D0FB208EAFB909487FE47D0/analysis/; classtype:trojan-activity; sid:26607; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rocra variant outbound connection"; flow:to_server,established; http_header; content:"Content-Length: 98|0D 0A|"; http_client_body; content:"|04 00 00 00|",depth 4; content:"A4C8293E54BE31CC89BE|BD FF 6D 16 00 00 00 00 00 00 00 00 00 00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/de/file/1B62C8EEB834690AA11A63B45675E3C1596EA7E81ACB285019BBC479CE3C3FA9/analysis/; classtype:trojan-activity; sid:26608; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Sosork variant outbound connection"; flow:to_server,established; content:"GET /3010"; content:!"Accept"; pcre:"/^GET \x2F3010[0-9A-F]{166}00000001/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/de/file/24E26943C43BBC57362EC1415114730C94DB9E356E3F4E6081453E924121BB11/analysis/; classtype:trojan-activity; sid:26606; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Korlia variant outbound connection"; flow:to_server,established; content:"|42 28 58 28|",depth 4,offset 16; content:"|6C 28 49 28 51 28|",depth 64,offset 80; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:ssl; reference:url,www.virustotal.com/de/file/6C876FA80FE56937CE3997FADBA2A377D814A8DE0D0FB208EAFB909487FE47D0/analysis/; classtype:trojan-activity; sid:26607; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rocra variant outbound connection"; flow:to_server,established; http_header; content:"Content-Length: 98|0D 0A|"; http_client_body; content:"|04 00 00 00|",depth 4; content:"A4C8293E54BE31CC89BE|BD FF 6D 16 00 00 00 00 00 00 00 00 00 00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/de/file/1B62C8EEB834690AA11A63B45675E3C1596EA7E81ACB285019BBC479CE3C3FA9/analysis/; classtype:trojan-activity; sid:26608; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC OSX.Trojan.Dockster variant outbound connection"; flow:to_server,established; content:"|FF FF FF FF C2 1F 96 9B 5F 03 D3 3D 43 E0 4F 8F 13 6E 76 82|",depth 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/97C8A6FFD5DAAD5822B929760C61F2A9EAAFB1CBDC1D0F895DF0E3219416BAE8/analysis/; classtype:trojan-activity; sid:26609; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Medfos Trojan outbound connection"; flow:to_server,established; http_uri; content:"/feed?req=http"; http_header; content:"|3B| MSIE "; content:!"|0D 0A|Accept-Language:"; content:!"|0D 0A|Referer:"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?\n/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc3c9fad4e56796306842c7b50b553ae11/analysis/; classtype:trojan-activity; sid:26613; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Travnet Botnet data upload"; flow:to_server,established; http_uri; content:"hostid="; content:"|26|hostname="; content:"|26|hostip="; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/F7E9A1A4FC4766ABD799B517AD70CD5FA234C8ACC10D96CA51ECF9CF227B94E8/analysis/; classtype:trojan-activity; sid:26656; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Shiz outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/login.php",depth 10; http_header; content:"Referer|3A| http://www.google.com"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 2.0|3B|"; pkt_data; pkt_data; content:"HTTP/1.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,camas.comodo.com/cgi-bin/submit?file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6; reference:url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6/analysis/1368563326/; classtype:trojan-activity; sid:26657; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=run",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26677; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=idl&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26678; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=upd&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26679; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=rrm&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26680; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=rem&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26681; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Medfos Trojan outbound connection"; flow:to_server,established; http_uri; content:"/feed?req=http"; http_header; content:"|3B| MSIE "; content:!"|0D 0A|Accept-Language:"; content:!"|0D 0A|Referer:"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?\n/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc3c9fad4e56796306842c7b50b553ae11/analysis/; classtype:trojan-activity; sid:26613; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Travnet Botnet data upload"; flow:to_server,established; http_uri; content:"hostid="; content:"|26|hostname="; content:"|26|hostip="; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/F7E9A1A4FC4766ABD799B517AD70CD5FA234C8ACC10D96CA51ECF9CF227B94E8/analysis/; classtype:trojan-activity; sid:26656; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Shiz outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/login.php",depth 10; http_header; content:"Referer|3A| http://www.google.com"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 2.0|3B|"; pkt_data; pkt_data; content:"HTTP/1.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6; reference:url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6/analysis/1368563326/; classtype:trojan-activity; sid:26657; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=run",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26677; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=idl&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26678; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=upd&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26679; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=rrm&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26680; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=rem&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26681; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Neshax variant outbound connection"; flow:to_server,established; content:"HORSE_ASSERT!",depth 13; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/de/file/5E57ED1ED3D180B1956787C5839F07DA509D6C68D8EA40BC3ED71C63F5003607/analysis/; classtype:trojan-activity; sid:26684; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Miniduke server contact"; flow:to_server, established; http_raw_uri; bufferlen:>45; http_header; content:"User-Agent: Mozilla/4.0"; http_uri; content:"/news/feed.php"; pcre:"/i=[a-zA-Z0-9$~]{40}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/29ad305cba186c07cedc1f633c09b9b0171289301e1d4319a1d76d0513a6ac50/analysis/; classtype:trojan-activity; sid:26690; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.UFRStealer variant outbound connection"; flow:to_server,established; http_header; content:"boundary=ABCDABCDABCD"; http_uri; content:"/log/logs.php",nocase; http_client_body; content:"|0D 0A 0D 0A|UFR!"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5c097c6dddbd72976b7b1d93845a17d4ed4b5abbd2cd99e4454aa37f20683ad9/analysis/; classtype:trojan-activity; sid:26691; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Miniduke server contact"; flow:to_server, established; http_raw_uri; bufferlen:>45; http_header; content:"User-Agent: Mozilla/4.0"; http_uri; content:"/news/feed.php"; pcre:"/i=[a-zA-Z0-9$~]{40}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/29ad305cba186c07cedc1f633c09b9b0171289301e1d4319a1d76d0513a6ac50/analysis/; classtype:trojan-activity; sid:26690; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.UFRStealer variant outbound connection"; flow:to_server,established; http_header; content:"boundary=ABCDABCDABCD"; http_uri; content:"/log/logs.php",nocase; http_client_body; content:"|0D 0A 0D 0A|UFR!"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/5c097c6dddbd72976b7b1d93845a17d4ed4b5abbd2cd99e4454aa37f20683ad9/analysis/; classtype:trojan-activity; sid:26691; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 250 ( msg:"MALWARE-CNC Win.Trojan.Spyremoav variant outbound connection"; flow:to_server,established; content:"<|7C|INFOS|7C|>",depth 9; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/2437060322d73f2728da4d0b9fb9c678fffdf099bc49293cb55099a2e3287362/analysis/; classtype:trojan-activity; sid:26692; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Namihno Trojan CnC Request"; flow:to_server,established; http_uri; content:"/windows/update/search?hl="; content:"&q=",distance 0; content:"&meta=",distance 0; content:"&id=",distance 0; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26695; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cbeplay Ransomware outbound connection - Abnormal HTTP Headers"; flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|Content-Type: multipart/form-data|3B| boundary=",depth 70; http_header; content:"|0D 0A|Connection: close|0D 0A|Cache-Control: no-cache|0D 0A|Content-Length: "; http_client_body; content:"|3B| name=|22|data|22 3B| filename=|22|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26696; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cbeplay Ransomware outbound connection - POST Body"; flow:to_server,established; http_uri; content:"index.php"; http_client_body; content:"|3B| name=|22|data|22 3B| filename=|22|"; content:"--",depth 2; pcre:"/filename=\x22\d+\x22\r\n/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26697; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Upero variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Win|0D 0A|"; http_uri; content:"?cdata=",nocase; content:"&detail=",nocase; content:"&fold=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26703; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Kazy Trojan check-in"; flow:to_server,established; http_header; content:"User-Agent: Opera/11 |28|Windows NT 5.1|3B 20 3B| x86|29|"; http_uri; content:"/count.php?page=",depth 16; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,camas.comodo.com/cgi-bin/submit?file=6d823488b26533f5151c3bab93c2a8ba832c9320e612d58d1134740abe3ca157; classtype:trojan-activity; sid:26712; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 1 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|reg="; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|"; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26713; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 2 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|reg="; pcre:"/gate\x2ephp\x3freg=[a-zA-Z]{15}/"; http_header; content:"User-Agent|3A| Mozilla/4.0 (SEObot)|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26714; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 3 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|id="; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| SEObot)|0D 0A|"; http_uri; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26715; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_alive.php?id="; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26719; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_task.php?id="; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26720; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:39; http_uri; content:"/?xclve_"; pcre:"/^\x2f\x3fxclve\x5f[a-zA-Z0-9]{30}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:26721; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; http_uri; content:"/imagens/",depth 9; content:".jpg",distance 0; pkt_data; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26722; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Downloader7"; flow:to_server,established; content:".lavaibrasilok.com|0D 0A 0D 0A|"; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.html; classtype:trojan-activity; sid:26723; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc http command"; flow:to_client,established; file_data; content:"http|7C|",depth 5; pcre:"/^http\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26725; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc stop command"; flow:to_client,established; file_data; content:"stop|7C|",depth 5; pcre:"/^stop\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26726; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc die command"; flow:to_client,established; file_data; content:"die|7C|",depth 4; pcre:"/^die\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26727; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc sleep command"; flow:to_client,established; file_data; content:"sleep|7C|",depth 6; pcre:"/^sleep\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26728; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc simple command"; flow:to_client,established; file_data; content:"simple|7C|",depth 7; pcre:"/^simpel\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26729; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc loginpost command"; flow:to_client,established; file_data; content:"loginpost|7C|",depth 10; pcre:"/^loginpost\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26730; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc datapost command"; flow:to_client,established; file_data; content:"datapost|7C|",depth 9; pcre:"/^datapost\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26731; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc syn command"; flow:to_client,established; file_data; content:"syn|7C|",depth 4; pcre:"/^syn\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26732; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udp command"; flow:to_client,established; file_data; content:"udp|7C|",depth 4; pcre:"/^udp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26733; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udpdata command"; flow:to_client,established; file_data; content:"udpdata|7C|",depth 8; pcre:"/^udpdata\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26734; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc data command"; flow:to_client,established; file_data; content:"data|7C|",depth 5; pcre:"/^data\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26735; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc icmp command"; flow:to_client,established; file_data; content:"icmp|7C|",depth 5; pcre:"/^icmp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26736; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc tcpdata command"; flow:to_client,established; file_data; content:"tcpdata|7C|",depth 8; pcre:"/^tcpdata\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26737; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dataget command"; flow:to_client,established; file_data; content:"dataget|7C|",depth 8; pcre:"/^dataget\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26738; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc connect command"; flow:to_client,established; file_data; content:"connect|7C|",depth 8; pcre:"/^connect\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26739; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dns command"; flow:to_client,established; file_data; content:"dns|7C|",depth 4; pcre:"/^dns\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26740; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc exec command"; flow:to_client,established; file_data; content:"exec|7C|",depth 5; pcre:"/^exec\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26741; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc resolve command"; flow:to_client,established; file_data; content:"resolve|7C|",depth 8; pcre:"/^resolve\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26742; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc antiddos command"; flow:to_client,established; file_data; content:"antiddos|7C|",depth 9; pcre:"/^antiddos\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26743; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc range command"; flow:to_client,established; file_data; content:"range|7C|",depth 6; pcre:"/^range\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26744; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc ftp command"; flow:to_client,established; file_data; content:"ftp|7C|",depth 4; pcre:"/^ftp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26745; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc download command"; flow:to_client,established; file_data; content:"download|7C|",depth 9; pcre:"/^download\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26746; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc fastddos command"; flow:to_client,established; file_data; content:"fastddos|7C|",depth 9; pcre:"/^fastddos\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26747; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc slowhttp command"; flow:to_client,established; file_data; content:"slowhttp|7C|",depth 9; pcre:"/^slowhttp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26748; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc allhttp command"; flow:to_client,established; file_data; content:"allhttp|7C|",depth 8; pcre:"/^allhttp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26749; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc full command"; flow:to_client,established; file_data; content:"full|7C|",depth 5; pcre:"/^full\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26750; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Harbinger rootkit click fraud HTTP response"; flow:to_client,established; file_data; content:"http://",depth 7; content:"|7C|Mozilla/"; pcre:"/\|(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\|\d+\|/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26752; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Luder outbound connection"; flow:to_server,established; http_uri; content:"/loader.cpl"; pcre:"/\/loader\.cpl$/"; http_header; content:"|3B 20|MSIE|20|"; content:!"|0D 0A|Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/6077fd6cbb44c78a16d66fedb10492c7776127dc76ee071b051970971212bae8/analysis/; classtype:trojan-activity; sid:26774; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Blocker outbound connection HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:11; http_method; content:"GET"; http_uri; content:"/index.html"; pkt_data; content:".info|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; pcre:"/HTTP\/1.[01]\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.info\r\n/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26775; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Blocker outbound connection POST"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"cmd=gravar&dados="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26776; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"/m/IbQ"; http_header; content:!"PacketShaper"; http_uri; pcre:"/\/m\/ibq(?!c)[a-p]/ims"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26777; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC cridex encrypted POST check-in"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:".exe"; pcre:"/\x5F[A-F0-9]{16}/"; pcre:"/[^ -~\x0d\x0a]{4}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26779; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC cridex HTTP Response - default0.js"; flow:to_client,established; file_data; content:"|00|<script type=|22|text/javascript|22| src=|22|/scripts/default0.js|22|></script>|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Nivdort variant outbound connection"; flow:to_server,established; http_uri; content:"/forum/search.php?method=",nocase; content:"&mode=",distance 0,nocase; content:"&v=",distance 0,nocase; content:"&sox=",distance 0,nocase; http_header; content:!"User-Agent|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/0fecc5c3d6a3ffe4230fb9575f835cee02945a0fcbf93df784570aaeaa9d7135/analysis/; classtype:trojan-activity; sid:26784; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbula variant outbound connection"; flow:to_server,established; http_uri; content:"/miragem/comunic.php"; http_client_body; content:"ext=",nocase; content:"cliente=",distance 0,nocase; content:"mensagem=",distance 0,nocase; content:"tipo=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26792; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbula variant initial CNC contact"; flow:to_server,established; http_uri; content:"/novinha/imgjpgcnf"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26793; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Tomvode variant outbound connection"; flow:to_server,established; http_uri; content:"/Default.asp?uid=",fast_pattern,nocase; content:"&do=",distance 0,nocase; content:"&view=",distance 0,nocase; content:"&_lgmode=",distance 0,nocase; content:"&from=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/D5FC378AB31019F99F613BDBABD5AA63D97A3CD0031E90265427DB912D744F88/analysis/; classtype:trojan-activity; sid:26809; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; http_raw_uri; bufferlen:23; http_uri; content:"/content/img/awards.jpg"; http_header; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; http_raw_uri; bufferlen:11; http_header; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; http_uri; pcre:"/^\x2F\d{10}$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Dapato CMS spambot check-in"; flow:to_server,established; http_uri; content:"/seek.cgi?lin=",nocase; content:"&db=",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:trojan-activity; sid:26813; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.KitM outbound connection user-agent"; flow:to_server,established; http_header; content:"User-Agent: macs 1."; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26815; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.KitM outbound connection"; flow:to_server,established; http_client_body; content:"/MacApp/"; pcre:"/\/MacApp\/\d{2}(-\d{2}){3}(:\d{2}){2}\.png\r\n[^\x89]+?\x89PNG/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26816; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>",depth 18; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blogs.mcafee.com/mcafee-labs/delving-deeply-into-a-bitcoin-botnet; classtype:trojan-activity; sid:26837; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 ( msg:"MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command"; flow:to_server,established; content:"POST |2F|write HTTP|2F|1.1",depth 25; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; classtype:trojan-activity; sid:26839; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spy.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"?action=add&a="; content:"&c=",within 12,distance 1; content:"&l=&p="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26840; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spy.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"?action=add&a="; content:"&c=",within 12,distance 1; content:"&l=Microsoft"; content:"Windows",within 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26841; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/info.php?act="; pcre:"/^\/info\.php\?act\x3d(list|online)/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"<|7C|>"; content:"data=",depth 5; content:"<|7C|>",within 3,distance 31; content:"<|7C|>",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; http_uri; content:"/images/"; content:".php?id=",distance 1; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26923; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:255<>260; pkt_data; content:"= HTTP/1."; http_uri; content:".php?"; http_raw_uri; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26924; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess outbound connection"; flow:to_server,established; http_uri; content:"/form.php?mode="; content:"&UID=",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26930; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess outbound connection"; flow:to_server,established; http_uri; content:"/links.php?mode=1"; http_header; content:!"Referer"; content:!"Cookie"; content:!"Content-Length"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26931; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TripleNine RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_header; content:"User-Agent: Mozilla/5.0",nocase; content:"Cache-Control: no-cache",nocase; http_uri; content:"/999"; pcre:"/^\/999$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26940; rev:3; )
-alert tcp $EXTERNAL_NET [$HTTP_PORTS,8264,8500] -> $HOME_NET any ( msg:"MALWARE-CNC WIN.Trojan.PipCreat RAT dropper download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"are you there!@#$%^&*()_+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26941; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.PipCreat RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/adminweb/news.asp?id="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26942; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Post_Show RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/jp/admin.asp"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26943; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Post_Show RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/post_show.asp?"; content:"123456789"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26944; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Bisonal RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:".asp?id=",nocase; content:"host:",distance 0,nocase; content:"user:",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26945; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Uptime RAT beacon attempt"; flow:to_server,established; http_uri; content:".asp?id="; content:"|44 00 61 00 79|",distance 0; content:"|48 00 6F 00 75 00 72|"; content:"|4D 00 69 00 6E|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26946; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,88] ( msg:"MALWARE-CNC Win.Trojan.Orcim variant outbound connection"; flow:to_server,established; http_uri; content:"/u_get.asp?smac="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis/; classtype:trojan-activity; sid:26952; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Talsab variant outbound connection"; flow:to_server,established; http_client_body; content:"destino="; content:"&user=",within 30; content:"&icerik=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis; classtype:trojan-activity; sid:26954; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; http_uri; content:"/forum/search.php?email="; content:"&method=",distance 0; http_header; content:!"Referer"; content:!"Accept-"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; http_raw_uri; bufferlen:8; http_uri; content:"//u5.htm"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection"; flow:to_server,established; http_uri; content:"/img/get.php?d_info="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:26967; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan outbound connection"; flow:to_server,established; http_uri; content:"/xgi-bin/",depth 9; content:".php?",within 5,distance 1; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection"; flow:to_server,established; http_uri; content:"fetch.py"; pkt_data; content:"method|3D|POST|26|encoded|5F|path",nocase; http_client_body; content:"|26|headers|3D|"; content:"|26|postdata|3D|"; content:"|26|version|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/33774900681b25519d0b023d6d78a043cc2dff0a21d6f6df89e314c91118c0fd/analysis; classtype:trojan-activity; sid:26987; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/opt.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26995; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/svc.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26996; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; http_uri; content:"new/f21312a",fast_pattern; http_header; content:"baidu.com"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:26999; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; content:"|11 00 00 00 BD B4 E8 BE B6 75 9C A0 80 44 8B EB 82 8B A3 93|",depth 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:27000; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Zbot outbound connection"; flow:to_server,established; http_uri; content:"/col/cfg.bin"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27007; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Zbot outbound connection"; flow:to_server,established; http_uri; content:"/col/gate.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27008; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC WIN.Trojan.Zbot payment .scr download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:".rdata|00 00 38 58 00 00 00 F0 01 00 00 5A 00 00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27010; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Phoenot variant outbound connection"; flow:to_server,established; http_uri; content:"mylogs.php"; pkt_data; content:"&username="; content:"&os="; content:"logs="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27012; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Phoenot variant outbound connection"; flow:to_client,established; file_data; content:"<application>"; content:"Liste de toutes les versions de Windows avec lesquelles cette application peut fonctionner",within 104; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27013; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Epipenwa variant outbound connection attempt"; flow:to_server,established; content:"/whisperings/whisperings.asp"; http_client_body; content:"name="; content:"&userid="; content:"&other="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/4f0532e15ced95a1cebc13dd268dcbe7c609d4da237d9e46916678f288d3d9c6/analysis; classtype:trojan-activity; sid:27014; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Namihno Trojan CnC Request"; flow:to_server,established; http_uri; content:"/windows/update/search?hl="; content:"&q=",distance 0; content:"&meta=",distance 0; content:"&id=",distance 0; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26695; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cbeplay Ransomware outbound connection - Abnormal HTTP Headers"; flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|Content-Type: multipart/form-data|3B| boundary=",depth 70; http_header; content:"|0D 0A|Connection: close|0D 0A|Cache-Control: no-cache|0D 0A|Content-Length: "; http_client_body; content:"|3B| name=|22|data|22 3B| filename=|22|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26696; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cbeplay Ransomware outbound connection - POST Body"; flow:to_server,established; http_uri; content:"index.php"; http_client_body; content:"|3B| name=|22|data|22 3B| filename=|22|"; content:"--",depth 2; pcre:"/filename=\x22\d+\x22\r\n/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26697; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Upero variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Win|0D 0A|"; http_uri; content:"?cdata=",nocase; content:"&detail=",nocase; content:"&fold=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26703; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Kazy Trojan check-in"; flow:to_server,established; http_header; content:"User-Agent: Opera/11 |28|Windows NT 5.1|3B 20 3B| x86|29|"; http_uri; content:"/count.php?page=",depth 16; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=6d823488b26533f5151c3bab93c2a8ba832c9320e612d58d1134740abe3ca157; classtype:trojan-activity; sid:26712; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 1 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|reg="; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|"; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26713; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 2 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|reg="; pcre:"/gate\x2ephp\x3freg=[a-zA-Z]{15}/"; http_header; content:"User-Agent|3A| Mozilla/4.0 (SEObot)|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26714; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 3 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|id="; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| SEObot)|0D 0A|"; http_uri; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26715; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_alive.php?id="; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26719; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_task.php?id="; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26720; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:39; http_uri; content:"/?xclve_"; pcre:"/^\x2f\x3fxclve\x5f[a-zA-Z0-9]{30}$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:26721; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; http_uri; content:"/imagens/",depth 9; content:".jpg",distance 0; pkt_data; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26722; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Downloader7"; flow:to_server,established; content:".lavaibrasilok.com|0D 0A 0D 0A|"; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.html; classtype:trojan-activity; sid:26723; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc http command"; flow:to_client,established; file_data; content:"http|7C|",depth 5; pcre:"/^http\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26725; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc stop command"; flow:to_client,established; file_data; content:"stop|7C|",depth 5; pcre:"/^stop\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26726; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc die command"; flow:to_client,established; file_data; content:"die|7C|",depth 4; pcre:"/^die\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26727; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc sleep command"; flow:to_client,established; file_data; content:"sleep|7C|",depth 6; pcre:"/^sleep\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26728; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc simple command"; flow:to_client,established; file_data; content:"simple|7C|",depth 7; pcre:"/^simpel\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26729; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc loginpost command"; flow:to_client,established; file_data; content:"loginpost|7C|",depth 10; pcre:"/^loginpost\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26730; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc datapost command"; flow:to_client,established; file_data; content:"datapost|7C|",depth 9; pcre:"/^datapost\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26731; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc syn command"; flow:to_client,established; file_data; content:"syn|7C|",depth 4; pcre:"/^syn\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26732; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udp command"; flow:to_client,established; file_data; content:"udp|7C|",depth 4; pcre:"/^udp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26733; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udpdata command"; flow:to_client,established; file_data; content:"udpdata|7C|",depth 8; pcre:"/^udpdata\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26734; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc data command"; flow:to_client,established; file_data; content:"data|7C|",depth 5; pcre:"/^data\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26735; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc icmp command"; flow:to_client,established; file_data; content:"icmp|7C|",depth 5; pcre:"/^icmp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26736; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc tcpdata command"; flow:to_client,established; file_data; content:"tcpdata|7C|",depth 8; pcre:"/^tcpdata\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26737; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dataget command"; flow:to_client,established; file_data; content:"dataget|7C|",depth 8; pcre:"/^dataget\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26738; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc connect command"; flow:to_client,established; file_data; content:"connect|7C|",depth 8; pcre:"/^connect\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26739; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dns command"; flow:to_client,established; file_data; content:"dns|7C|",depth 4; pcre:"/^dns\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26740; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc exec command"; flow:to_client,established; file_data; content:"exec|7C|",depth 5; pcre:"/^exec\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26741; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc resolve command"; flow:to_client,established; file_data; content:"resolve|7C|",depth 8; pcre:"/^resolve\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26742; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc antiddos command"; flow:to_client,established; file_data; content:"antiddos|7C|",depth 9; pcre:"/^antiddos\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26743; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc range command"; flow:to_client,established; file_data; content:"range|7C|",depth 6; pcre:"/^range\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26744; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc ftp command"; flow:to_client,established; file_data; content:"ftp|7C|",depth 4; pcre:"/^ftp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26745; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc download command"; flow:to_client,established; file_data; content:"download|7C|",depth 9; pcre:"/^download\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26746; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc fastddos command"; flow:to_client,established; file_data; content:"fastddos|7C|",depth 9; pcre:"/^fastddos\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26747; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc slowhttp command"; flow:to_client,established; file_data; content:"slowhttp|7C|",depth 9; pcre:"/^slowhttp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26748; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc allhttp command"; flow:to_client,established; file_data; content:"allhttp|7C|",depth 8; pcre:"/^allhttp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26749; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc full command"; flow:to_client,established; file_data; content:"full|7C|",depth 5; pcre:"/^full\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26750; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Harbinger rootkit click fraud HTTP response"; flow:to_client,established; file_data; content:"http://",depth 7; content:"|7C|Mozilla/"; pcre:"/\|(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\|\d+\|/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26752; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Luder outbound connection"; flow:to_server,established; http_uri; content:"/loader.cpl"; pcre:"/\/loader\.cpl$/"; http_header; content:"|3B 20|MSIE|20|"; content:!"|0D 0A|Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/6077fd6cbb44c78a16d66fedb10492c7776127dc76ee071b051970971212bae8/analysis/; classtype:trojan-activity; sid:26774; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Blocker outbound connection HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:11; http_method; content:"GET"; http_uri; content:"/index.html"; pkt_data; content:".info|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; pcre:"/HTTP\/1.[01]\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.info\r\n/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26775; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Blocker outbound connection POST"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"cmd=gravar&dados="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26776; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"/m/IbQ"; http_header; content:!"PacketShaper"; http_uri; pcre:"/\/m\/ibq(?!c)[a-p]/ims"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26777; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC cridex encrypted POST check-in"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:".exe"; pcre:"/\x5F[A-F0-9]{16}/"; pcre:"/[^ -~\x0d\x0a]{4}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26779; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC cridex HTTP Response - default0.js"; flow:to_client,established; file_data; content:"|00|<script type=|22|text/javascript|22| src=|22|/scripts/default0.js|22|></script>|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Nivdort variant outbound connection"; flow:to_server,established; http_uri; content:"/forum/search.php?method=",nocase; content:"&mode=",distance 0,nocase; content:"&v=",distance 0,nocase; content:"&sox=",distance 0,nocase; http_header; content:!"User-Agent|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/0fecc5c3d6a3ffe4230fb9575f835cee02945a0fcbf93df784570aaeaa9d7135/analysis/; classtype:trojan-activity; sid:26784; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbula variant outbound connection"; flow:to_server,established; http_uri; content:"/miragem/comunic.php"; http_client_body; content:"ext=",nocase; content:"cliente=",distance 0,nocase; content:"mensagem=",distance 0,nocase; content:"tipo=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26792; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbula variant initial CNC contact"; flow:to_server,established; http_uri; content:"/novinha/imgjpgcnf"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26793; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Tomvode variant outbound connection"; flow:to_server,established; http_uri; content:"/Default.asp?uid=",fast_pattern,nocase; content:"&do=",distance 0,nocase; content:"&view=",distance 0,nocase; content:"&_lgmode=",distance 0,nocase; content:"&from=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/D5FC378AB31019F99F613BDBABD5AA63D97A3CD0031E90265427DB912D744F88/analysis/; classtype:trojan-activity; sid:26809; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; http_raw_uri; bufferlen:23; http_uri; content:"/content/img/awards.jpg"; http_header; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; http_raw_uri; bufferlen:11; http_header; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; http_uri; pcre:"/^\x2F\d{10}$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Dapato CMS spambot check-in"; flow:to_server,established; http_uri; content:"/seek.cgi?lin=",nocase; content:"&db=",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:trojan-activity; sid:26813; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.KitM outbound connection user-agent"; flow:to_server,established; http_header; content:"User-Agent: macs 1."; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26815; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.KitM outbound connection"; flow:to_server,established; http_client_body; content:"/MacApp/"; pcre:"/\/MacApp\/\d{2}(-\d{2}){3}(:\d{2}){2}\.png\r\n[^\x89]+?\x89PNG/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26816; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>",depth 18; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blogs.mcafee.com/mcafee-labs/delving-deeply-into-a-bitcoin-botnet; classtype:trojan-activity; sid:26837; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 ( msg:"MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command"; flow:to_server,established; content:"POST |2F|write HTTP|2F|1.1",depth 25; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; classtype:trojan-activity; sid:26839; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spy.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"?action=add&a="; content:"&c=",within 12,distance 1; content:"&l=&p="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26840; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spy.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"?action=add&a="; content:"&c=",within 12,distance 1; content:"&l=Microsoft"; content:"Windows",within 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26841; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/info.php?act="; pcre:"/^\/info\.php\?act\x3d(list|online)/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"<|7C|>"; content:"data=",depth 5; content:"<|7C|>",within 3,distance 31; content:"<|7C|>",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; http_uri; content:"/images/"; content:".php?id=",distance 1; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26923; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:255<>260; pkt_data; content:"= HTTP/1."; http_uri; content:".php?"; http_raw_uri; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26924; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess outbound connection"; flow:to_server,established; http_uri; content:"/form.php?mode="; content:"&UID=",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26930; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess outbound connection"; flow:to_server,established; http_uri; content:"/links.php?mode=1"; http_header; content:!"Referer"; content:!"Cookie"; content:!"Content-Length"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26931; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TripleNine RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_header; content:"User-Agent: Mozilla/5.0",nocase; content:"Cache-Control: no-cache",nocase; http_uri; content:"/999"; pcre:"/^\/999$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26940; rev:3; )
+alert tcp $EXTERNAL_NET [$HTTP_PORTS,8264,8500] -> $HOME_NET any ( msg:"MALWARE-CNC WIN.Trojan.PipCreat RAT dropper download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"are you there!@#$%^&*()_+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26941; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.PipCreat RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/adminweb/news.asp?id="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26942; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Post_Show RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/jp/admin.asp"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26943; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Post_Show RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/post_show.asp?"; content:"123456789"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26944; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Bisonal RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:".asp?id=",nocase; content:"host:",distance 0,nocase; content:"user:",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26945; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Uptime RAT beacon attempt"; flow:to_server,established; http_uri; content:".asp?id="; content:"|44 00 61 00 79|",distance 0; content:"|48 00 6F 00 75 00 72|"; content:"|4D 00 69 00 6E|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26946; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,88] ( msg:"MALWARE-CNC Win.Trojan.Orcim variant outbound connection"; flow:to_server,established; http_uri; content:"/u_get.asp?smac="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis/; classtype:trojan-activity; sid:26952; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Talsab variant outbound connection"; flow:to_server,established; http_client_body; content:"destino="; content:"&user=",within 30; content:"&icerik=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis; classtype:trojan-activity; sid:26954; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; http_uri; content:"/forum/search.php?email="; content:"&method=",distance 0; http_header; content:!"Referer"; content:!"Accept-"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; http_raw_uri; bufferlen:8; http_uri; content:"//u5.htm"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection"; flow:to_server,established; http_uri; content:"/img/get.php?d_info="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:26967; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan outbound connection"; flow:to_server,established; http_uri; content:"/xgi-bin/",depth 9; content:".php?",within 5,distance 1; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection"; flow:to_server,established; http_uri; content:"fetch.py"; pkt_data; content:"method|3D|POST|26|encoded|5F|path",nocase; http_client_body; content:"|26|headers|3D|"; content:"|26|postdata|3D|"; content:"|26|version|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/33774900681b25519d0b023d6d78a043cc2dff0a21d6f6df89e314c91118c0fd/analysis; classtype:trojan-activity; sid:26987; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/opt.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26995; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/svc.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26996; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; http_uri; content:"new/f21312a",fast_pattern; http_header; content:"baidu.com"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:26999; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; content:"|11 00 00 00 BD B4 E8 BE B6 75 9C A0 80 44 8B EB 82 8B A3 93|",depth 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:27000; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Zbot outbound connection"; flow:to_server,established; http_uri; content:"/col/cfg.bin"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27007; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Zbot outbound connection"; flow:to_server,established; http_uri; content:"/col/gate.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27008; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC WIN.Trojan.Zbot payment .scr download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:".rdata|00 00 38 58 00 00 00 F0 01 00 00 5A 00 00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27010; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Phoenot variant outbound connection"; flow:to_server,established; http_uri; content:"mylogs.php"; pkt_data; content:"&username="; content:"&os="; content:"logs="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27012; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Phoenot variant outbound connection"; flow:to_client,established; file_data; content:"<application>"; content:"Liste de toutes les versions de Windows avec lesquelles cette application peut fonctionner",within 104; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27013; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Epipenwa variant outbound connection attempt"; flow:to_server,established; content:"/whisperings/whisperings.asp"; http_client_body; content:"name="; content:"&userid="; content:"&other="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/4f0532e15ced95a1cebc13dd268dcbe7c609d4da237d9e46916678f288d3d9c6/analysis; classtype:trojan-activity; sid:27014; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 4141 ( msg:"MALWARE-CNC Trojan.Netweird.A outbound communication attempt"; flow:to_server,established; content:"|41 00 00 00 03|"; dsize:69; flowbits:set,netweird; flowbits:noalert; metadata:impact_flag red; reference:url,blog.webroot.com/2012/09/14/wirenet-the-password-stealing-trojan-lands-on-linux-and-os-x/; classtype:trojan-activity; sid:27022; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; http_uri; content:"/get.asp?mac="; content:"&os=",within 36; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; http_uri; content:"/get.asp?mac="; content:"&os=",within 36; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 3337 ( msg:"MALWARE-CNC Win.Trojan.Dokstormac outbound connection"; flow:to_server,established; content:"QDAwMDB+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27049; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Yakes outbound connection"; flow:to_server,established; http_client_body; content:"=qgAAAAgA"; http_uri; content:"/report.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27054; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dalbot outbound connection"; flow:to_server,established; content:"Cookie: CAQGBgoFD1"; http_cookie; content:"CAQGBgoFD1"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/dbf9d2a7659d09ea7ef2d38f30fa4cfb/analysis/; classtype:trojan-activity; sid:27057; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.HackBack outbound connection"; flow:to_server,established; http_uri; content:"/ADMac/up.php?cname="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27058; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; http_uri; content:"/uploading/id="; content:"&u=",distance 0; content:"==",distance 0; http_header; content:!"Referer"; http_uri; pcre:"/^\/uploading/id=\d+\&u=.*\=\=$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27093; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/minzhu0906/article/54726977"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/e6e009755ab37fa41e92059f29c25518f47ab09dbc881c30c96415ee1048241b/analysis; classtype:trojan-activity; sid:27120; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Atezag variant outbound connection"; flow:to_server,established; http_uri; content:"/carga1/recept.php"; http_client_body; content:"condicao=",nocase; content:"arq=",distance 0,nocase; content:"texto=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/2d85447bc2634a2620ad76be2a5eb331f5a06276e5b597d36ba26643850d4dcb/analysis/; classtype:trojan-activity; sid:27169; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Gamarue Trojan - Mozi1la User-Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozi1la/4.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27248; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Win.Kraziomel Download - 000.jpg"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/000.jpg"; pkt_data; content:"HTTP/1.0|0D 0A|Host: "; content:!"|3A 20|",distance 0; metadata:impact_flag red,policy balanced-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27533; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; http_header; content:"X-YouTube-Other-Cookies:",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_uri; content:"/watch?v=DZZ3tTTBiTs"; http_header; content:"youtube.com",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27545; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_uri; content:"/watch?v=ky4M9kxUM7Y"; http_header; content:"youtube.com",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27546; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_header; content:"hjdullink.nl"; http_uri; content:"/images/re.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27547; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Lorapu variant outbound connection"; flow:to_server,established; http_uri; content:"/v12/kkrasxuparola/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/23de6502fbdb613dd9de4c7cdf68f00170cd53e8130af39623b5d9cac3807c92/analysis/; classtype:trojan-activity; sid:27551; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download request"; flow:to_server,established; http_uri; content:"/ld.aspx",nocase; http_header; content:"User-Agent|3A 20|FWVersionTestAgent|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity; sid:27567; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_client,established; file_data; content:"|27 20|width=|27|6|27 20|height=|27|10|27 20|style=|27|position|3A 20|absolute|3B 20|left|3A 20 2D|1000px|3B 20|top|3A 20 2D|1000px|3B 20|z-index|3A 20|1|3B 27 3E 3C 2F|iframe|3E 22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23618; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Malvertising network attempted redirect"; flow:to_client,established; file_data; content:".php|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,labs.sucuri.net/?details=pairedpixels.com; classtype:trojan-activity; sid:23620; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Malvertising redirection page"; flow:to_client,established; file_data; content:"|22| height=0 width=0></iframe>|27 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:trojan-activity; sid:23798; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Malvertising redirection campaign - blackmuscat"; flow:to_server,established; http_uri; content:"/blackmuscat"; pcre:"/\x2fblackmuscats?\x3f\d/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23833; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; http_uri; content:"/rebots.php"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER nikjju script injection"; flow:to_client,established; file_data; content:"script src=http|3A 2F 2F|",nocase; content:"|2F|r.php",within 50,fast_pattern,nocase; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:url,isc.sans.edu/diary.html?storyid=13036; classtype:misc-activity; sid:21949; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:22061; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Horde javascript.php href backdoor"; flow:to_server,established; http_uri; content:"/horde/services/javascript.php",fast_pattern; http_cookie; content:"href="; http_client_body; content:"file=open_calendar.js"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0209; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; classtype:trojan-activity; sid:21555; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_server,established; http_uri; content:".ru/",nocase; content:"/?",distance 0; content:"|0D 0A|",within 2,distance 1; pcre:"/\x2eru/\w+\?\d$/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:24099; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER NeoSploit Malvertising - URI Requested"; flow:to_server,established; http_raw_uri; bufferlen:>62; pkt_data; content:"GET /?"; http_uri; pcre:"/\/\?[0-9a-f]{60,66}[\;\d]*$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23058; rev:2; )
-alert udp $HOME_NET any -> $HOME_NET 137 ( msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt query for machine name KASPERSKY"; content:"|01 10 00 01|",depth 4,offset 2; content:"|20 45 4C 45 42 46 44 46 41 45 46 46 43 46 44 45 4C 46 4A 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20 00 01|",depth 38,offset 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service netbios-ns; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24143; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5B 2B 2B 2B|fpnesnpr|2B 2B 2B 5D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24144; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt sent over email"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5B 2B 2B 2B|fpnesnpr|2B 2B 2B 5D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24145; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; http_uri; content:"a=YWZmaWQ9MDUyODg"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24257; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24258; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords",nocase; content:"Dump passwords from files",within 150,nocase; content:"pwdump"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24259; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords",nocase; content:"Dump passwords from files",within 150,nocase; content:"pwdump"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24260; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24261; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24262; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Yakes outbound connection"; flow:to_server,established; http_client_body; content:"=qgAAAAgA"; http_uri; content:"/report.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27054; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dalbot outbound connection"; flow:to_server,established; content:"Cookie: CAQGBgoFD1"; http_cookie; content:"CAQGBgoFD1"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/dbf9d2a7659d09ea7ef2d38f30fa4cfb/analysis/; classtype:trojan-activity; sid:27057; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.HackBack outbound connection"; flow:to_server,established; http_uri; content:"/ADMac/up.php?cname="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27058; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; http_uri; content:"/uploading/id="; content:"&u=",distance 0; content:"==",distance 0; http_header; content:!"Referer"; http_uri; pcre:"/^\/uploading/id=\d+\&u=.*\=\=$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27093; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/minzhu0906/article/54726977"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/e6e009755ab37fa41e92059f29c25518f47ab09dbc881c30c96415ee1048241b/analysis; classtype:trojan-activity; sid:27120; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Atezag variant outbound connection"; flow:to_server,established; http_uri; content:"/carga1/recept.php"; http_client_body; content:"condicao=",nocase; content:"arq=",distance 0,nocase; content:"texto=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/2d85447bc2634a2620ad76be2a5eb331f5a06276e5b597d36ba26643850d4dcb/analysis/; classtype:trojan-activity; sid:27169; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Gamarue Trojan - Mozi1la User-Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozi1la/4.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27248; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Win.Kraziomel Download - 000.jpg"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/000.jpg"; pkt_data; content:"HTTP/1.0|0D 0A|Host: "; content:!"|3A 20|",distance 0; metadata:impact_flag red,policy balanced-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27533; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; http_header; content:"X-YouTube-Other-Cookies:",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_uri; content:"/watch?v=DZZ3tTTBiTs"; http_header; content:"youtube.com",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27545; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_uri; content:"/watch?v=ky4M9kxUM7Y"; http_header; content:"youtube.com",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27546; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_header; content:"hjdullink.nl"; http_uri; content:"/images/re.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27547; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Lorapu variant outbound connection"; flow:to_server,established; http_uri; content:"/v12/kkrasxuparola/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/23de6502fbdb613dd9de4c7cdf68f00170cd53e8130af39623b5d9cac3807c92/analysis/; classtype:trojan-activity; sid:27551; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download request"; flow:to_server,established; http_uri; content:"/ld.aspx",nocase; http_header; content:"User-Agent|3A 20|FWVersionTestAgent|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity; sid:27567; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_client,established; file_data; content:"|27 20|width=|27|6|27 20|height=|27|10|27 20|style=|27|position|3A 20|absolute|3B 20|left|3A 20 2D|1000px|3B 20|top|3A 20 2D|1000px|3B 20|z-index|3A 20|1|3B 27 3E 3C 2F|iframe|3E 22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23618; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Malvertising network attempted redirect"; flow:to_client,established; file_data; content:".php|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,labs.sucuri.net/?details=pairedpixels.com; classtype:trojan-activity; sid:23620; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Malvertising redirection page"; flow:to_client,established; file_data; content:"|22| height=0 width=0></iframe>|27 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:trojan-activity; sid:23798; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Malvertising redirection campaign - blackmuscat"; flow:to_server,established; http_uri; content:"/blackmuscat"; pcre:"/\x2fblackmuscats?\x3f\d/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23833; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; http_uri; content:"/rebots.php"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER nikjju script injection"; flow:to_client,established; file_data; content:"script src=http|3A 2F 2F|",nocase; content:"|2F|r.php",within 50,fast_pattern,nocase; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:url,isc.sans.edu/diary.html?storyid=13036; classtype:misc-activity; sid:21949; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:22061; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Horde javascript.php href backdoor"; flow:to_server,established; http_uri; content:"/horde/services/javascript.php",fast_pattern; http_cookie; content:"href="; http_client_body; content:"file=open_calendar.js"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0209; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; classtype:trojan-activity; sid:21555; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_server,established; http_uri; content:".ru/",nocase; content:"/?",distance 0; content:"|0D 0A|",within 2,distance 1; pcre:"/\x2eru/\w+\?\d$/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:24099; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER NeoSploit Malvertising - URI Requested"; flow:to_server,established; http_raw_uri; bufferlen:>62; pkt_data; content:"GET /?"; http_uri; pcre:"/\/\?[0-9a-f]{60,66}[\;\d]*$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:23058; rev:2; )
+alert udp $HOME_NET any -> $HOME_NET 137 ( msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt query for machine name KASPERSKY"; content:"|01 10 00 01|",depth 4,offset 2; content:"|20 45 4C 45 42 46 44 46 41 45 46 46 43 46 44 45 4C 46 4A 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20 00 01|",depth 38,offset 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:netbios-ns; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24143; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5B 2B 2B 2B|fpnesnpr|2B 2B 2B 5D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24144; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt sent over email"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5B 2B 2B 2B|fpnesnpr|2B 2B 2B 5D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24145; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; http_uri; content:"a=YWZmaWQ9MDUyODg"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24257; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24258; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords",nocase; content:"Dump passwords from files",within 150,nocase; content:"pwdump"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24259; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords",nocase; content:"Dump passwords from files",within 150,nocase; content:"pwdump"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24260; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24261; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24262; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 84 ( msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src, count 1, seconds 120; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Downloader download"; flow:to_client,established; file_data; content:"|01 7C F2 E8 39 0A 61 81 59 BD CA 62 00 BE CA 7D D3 F9 4E CC EB 48 20 5F EC D3 61 46 36 7B 36 EB|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24311; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Downloader inbound email"; flow:to_server,established; file_data; content:"|01 7C F2 E8 39 0A 61 81 59 BD CA 62 00 BE CA 7D D3 F9 4E CC EB 48 20 5F EC D3 61 46 36 7B 36 EB|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24312; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Miniflame download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"icsvnt"; content:"RegisterService",nocase; content:"ServiceMain",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24408; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Miniflame download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"icsvnt"; content:"RegisterService",nocase; content:"ServiceMain",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24409; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Gauss download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|2E 00|B|00|a|00|c|00|k|00|u|00|p|00|0|00|D",nocase; content:"t|00|a|00|r|00|g|00|e|00|t|00 2E 00|l|00|n|00|k"; content:"|25 00|x",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24410; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Gauss download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|2E 00|B|00|a|00|c|00|k|00|u|00|p|00|0|00|D",nocase; content:"t|00|a|00|r|00|g|00|e|00|t|00 2E 00|l|00|n|00|k"; content:"|25 00|x",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24411; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Lucuis malware file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"01234567890123456789eric0123456789012345678karen|00 00 00 00 25|SystemRoot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24515; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Lucuis malware file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"01234567890123456789eric0123456789012345678karen|00 00 00 00 25|SystemRoot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b76b6c8d5378e465c91f6283b6f11fdd58916cfe02923b3a48344174c2272bc0/analysis/; classtype:trojan-activity; sid:24516; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger inside website logger 2.4 runtime detection"; flow:to_server,established; content:"Subject|3A| Email Reports from Inside Website Logger"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.programurl.com/inside-website-logger.htm; classtype:successful-recon-limited; sid:12480; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send alert out through email"; flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy",nocase; content:"Alert",distance 0,nocase; pcre:"/^SpyBuddy\s+Alert/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,www.spywareguide.com/product_show.php?id=21; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719; classtype:successful-recon-limited; sid:8357; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send log out through email"; flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy",nocase; content:"Activity",distance 0,nocase; content:"Logs",distance 0; pcre:"/^SpyBuddy\s+Activity\s+Logs/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,www.spywareguide.com/product_show.php?id=21; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719; classtype:successful-recon-limited; sid:8356; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection"; flow:to_server,established; content:"From|3A|",nocase; content:"SpyBuddy",distance 0,nocase; pcre:"/^From\x3a[^\r\n]*SpyBuddy/smi"; flowbits:set,SpyBuddy_SMTP; flowbits:noalert; metadata:service smtp; classtype:successful-recon-limited; sid:8355; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spyagent runtime detect - alert notification"; flow:to_server,established; content:"This is an alert notification from SpyAgent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5882; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"MALWARE-OTHER Keylogger spyagent runtime detect - ftp delivery"; flow:to_server,established; content:"STOR spyagent-log"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service ftp; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5881; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spyagent runtime detect - smtp delivery"; flow:to_server,established; content:"Computer IP Address|3A|",nocase; content:"Attached to this email are the activity logs that you have requested",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5880; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 2"; flow:to_server,established; http_uri; content:"/fs-bin/swat?",nocase; content:"lsnsig=",nocase; content:"offerid=",nocase; http_header; content:"Referer|3A| e2give.com",fast_pattern,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5909; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 1"; flow:to_server,established; http_uri; content:"/fs-bin/click?",nocase; content:"id=",nocase; content:"offerid=",nocase; content:"type=",nocase; pkt_data; content:"Referer|3A| e2give.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5908; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - check update"; flow:to_server,established; http_uri; content:"/go/check?",nocase; content:"build=",nocase; content:"source=",nocase; pkt_data; content:"Host|3A| e2give.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5907; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware myway speedbar runtime detection - switch engines"; flow:to_server,established; http_uri; content:"PG=SPEEDBAR",nocase; pcre:"/\.(jsp|html)\?[^\r\n]*PG=SPEEDBAR/i"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips drop,service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5805; rev:13; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Coded by fzk",nocase; content:"|40 00|smb.txt",nocase; content:"I got back a null buffer !"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:24589; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Coded by fzk",nocase; content:"|40 00|smb.txt",nocase; content:"I got back a null buffer !"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:24590; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"unable to start gsecdump"; content:"dump_usedhashes,u",nocase; content:"iamservice",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/0821986b379c8f823bffea73cb25819a8a807c381b084e962b5e51c78f187199/analysis/; classtype:trojan-activity; sid:24591; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"unable to start gsecdump"; content:"dump_usedhashes,u",nocase; content:"iamservice",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/0821986b379c8f823bffea73cb25819a8a807c381b084e962b5e51c78f187199/analysis/; classtype:trojan-activity; sid:24592; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt"; flow:to_client,established; flowbits:isset,malware.miniflame; content:"|0D 0A|<!-- "; pcre:"/^<!--\s+[\w]{52,}\s+-->\r\n/smi"; flowbits:unset,malware.miniflame; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24594; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"p2x5142.dll failed"; content:"DBG: FIND",nocase; content:"GetTempDir",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/886ecd19280ab8f7dc962d85ad1b94b251592e412f4f41fe7c1596767e739489/analysis/; classtype:trojan-activity; sid:24600; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"p2x5142.dll failed"; content:"DBG: FIND",nocase; content:"GetTempDir",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/886ecd19280ab8f7dc962d85ad1b94b251592e412f4f41fe7c1596767e739489/analysis/; classtype:trojan-activity; sid:24601; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"bind port |5B 25|d|5D| faild!"; content:"-conn",nocase; content:"cmdsocks.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/410a85bb7522e86de3da953c69d3721752ef88b272ef47c86555a08c1767cdda/analysis/; classtype:trojan-activity; sid:24602; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"bind port |5B 25|d|5D| faild!"; content:"-conn",nocase; content:"cmdsocks.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/410a85bb7522e86de3da953c69d3721752ef88b272ef47c86555a08c1767cdda/analysis/; classtype:trojan-activity; sid:24603; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"msiveop.dat|00|msnetst.exe"; content:"cmd.exe|00|command.com",nocase; content:"700WP",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/3a99a24bd0420fa5176e68092b803f68a8d13d803de4f9d8d375256b132c8951/analysis/; classtype:trojan-activity; sid:24604; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"msiveop.dat|00|msnetst.exe"; content:"cmd.exe|00|command.com",nocase; content:"700WP",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/3a99a24bd0420fa5176e68092b803f68a8d13d803de4f9d8d375256b132c8951/analysis/; classtype:trojan-activity; sid:24605; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"SSLTlsvc has removed successfully!"; content:"bindconnverb",nocase; content:"cmd3",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/655d1a21fbaf3571beee860a99d009ba0a604430fe42925d07eff48a97a3cf73/analysis/; classtype:trojan-activity; sid:24606; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"SSLTlsvc has removed successfully!"; content:"bindconnverb",nocase; content:"cmd3",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/655d1a21fbaf3571beee860a99d009ba0a604430fe42925d07eff48a97a3cf73/analysis/; classtype:trojan-activity; sid:24607; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"udp associate"; content:"lost host1|21|",nocase; content:"cmdsocks |3C|1.34|3E|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/af2a6b22b4f42d6b190f122c1c06abb0760b47c4e195cc0e5bd4e4fabf56b8cb/analysis/; classtype:trojan-activity; sid:24609; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"udp associate"; content:"lost host1|21|",nocase; content:"cmdsocks |3C|1.34|3E|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/af2a6b22b4f42d6b190f122c1c06abb0760b47c4e195cc0e5bd4e4fabf56b8cb/analysis/; classtype:trojan-activity; sid:24610; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"IO_wfile_underflow"; content:"Gethostbyname|28 25|s|29|",nocase; content:"stack smashing attack",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/e01351a627a5db51607b1bffd7cb22eabf64d421436131a1ef24fc447d47a85d/analysis/; classtype:trojan-activity; sid:24611; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"IO_wfile_underflow"; content:"Gethostbyname|28 25|s|29|",nocase; content:"stack smashing attack",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/e01351a627a5db51607b1bffd7cb22eabf64d421436131a1ef24fc447d47a85d/analysis/; classtype:trojan-activity; sid:24612; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"Type your current password to get root"; content:"/usr/bin/chfn |2D|h",nocase; content:"uid|3D|1000|28|hunger|29|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/25748edee2e58e31b9f79d328ce9286b69f082db86467d6401dd23cb55b0cdfa/analysis/; classtype:trojan-activity; sid:24613; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"Type your current password to get root"; content:"/usr/bin/chfn |2D|h",nocase; content:"uid|3D|1000|28|hunger|29|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/25748edee2e58e31b9f79d328ce9286b69f082db86467d6401dd23cb55b0cdfa/analysis/; classtype:trojan-activity; sid:24614; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"crack|5F|ftp|28|self|29|"; content:"users |3D| |5B 27|root",nocase; content:"do|5F|smb|5F|ck",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/7c334a0a9ef6ab520366e0b20ba488e41b546aae34395c83c0d420102ad550cd/analysis/; classtype:trojan-activity; sid:24615; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"crack|5F|ftp|28|self|29|"; content:"users |3D| |5B 27|root",nocase; content:"do|5F|smb|5F|ck",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/7c334a0a9ef6ab520366e0b20ba488e41b546aae34395c83c0d420102ad550cd/analysis/; classtype:trojan-activity; sid:24616; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|23 23|auth|23 23 5B 25|s|5D| succ|21|"; content:"cqo |00|cqto |00|",nocase; content:"block socket|5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/08f7c373abfa4dc80b015c518834a2f441544a75ae5091f7585bedd31c0e31e2/analysis/; classtype:trojan-activity; sid:24617; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|23 23|auth|23 23 5B 25|s|5D| succ|21|"; content:"cqo |00|cqto |00|",nocase; content:"block socket|5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/8f6c0e43bab53df013ef522c83acf0278e9c3ed248f6d10560ae57e13fc3c0a3/analysis/; classtype:trojan-activity; sid:24618; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5B|SERVER|5D|connection to |25|s|3A 25|d error"; content:"ntimfos|2E|eng",nocase; content:"wsastartup",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/c770b96d25c4f0102b3d0a728f75d683779308dca2283a0ebae69ac1e2672a52/analysis/; classtype:trojan-activity; sid:24619; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5B|SERVER|5D|connection to |25|s|3A 25|d error"; content:"ntimfos|2E|eng",nocase; content:"wsastartup",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/c770b96d25c4f0102b3d0a728f75d683779308dca2283a0ebae69ac1e2672a52/analysis/; classtype:trojan-activity; sid:24620; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Error in cmdline|21|"; content:"InjectDllAndCallFunction",nocase; content:"lsass.exe",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:24621; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Error in cmdline|21|"; content:"InjectDllAndCallFunction",nocase; content:"lsass.exe",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:24622; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"hendi"; content:"exec",nocase; content:"rm -rf",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:24648; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"wieeeee"; content:"md5 cracker",nocase; content:"die()",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/eb8c799f47fad06026e5e454e3dc56902055c9c6c55f5f1ded4f88f53ac9076c/analysis/1350929362/; classtype:trojan-activity; sid:24727; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.Imuler suspicious download"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"/tmp/launch-ICS000"; content:".confr",nocase; content:"rm -rf",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24799; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER OSX.Trojan.Imuler suspicious download"; flow:to_server,established; flowbits:isset,file.universalbinary; file_data; content:"/tmp/launch-ICS000"; content:".confr",nocase; content:"rm -rf",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24800; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*km0ae9gr6m*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/tag/km0ae9gr6m/; classtype:misc-activity; sid:24883; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*qhk6sa6g1c*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/tag/km0ae9gr6m/; classtype:misc-activity; sid:24884; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*c3284d*/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:misc-activity; sid:24899; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"ngatur"; content:"filenyo"; content:"ls -la"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/1e737d034848cc7cdec9940e09fd952c9357d24d25e430027649be91867e770e/analysis/; classtype:trojan-activity; sid:24900; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"I got back a null buffer !"; content:"Coded by fzk",nocase; content:"|40 00|smb.txt",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:25084; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"I got back a null buffer !"; content:"Coded by fzk",nocase; content:"|40 00|smb.txt",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:25085; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"transmit produce over"; content:"Two send|5B 25|d|5D|",nocase; content:"transerver.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/09c0ab18b970a5f0dd35a591aeb8073a7fa1c6b6aac829a04ea66784e99b127f/analysis/; classtype:trojan-activity; sid:25086; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"transmit produce over"; content:"Two send|5B 25|d|5D|",nocase; content:"transerver.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/09c0ab18b970a5f0dd35a591aeb8073a7fa1c6b6aac829a04ea66784e99b127f/analysis/; classtype:trojan-activity; sid:25087; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Start Transmit"; content:"One recv|5B 25|d|5D|",nocase; content:"sockconsole.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/89acf767780e0d427b58310eb2776179cb963016b908e197c41a7504c6663d8c/analysis/; classtype:trojan-activity; sid:25088; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Start Transmit"; content:"One recv|5B 25|d|5D|",nocase; content:"sockconsole.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/89acf767780e0d427b58310eb2776179cb963016b908e197c41a7504c6663d8c/analysis/; classtype:trojan-activity; sid:25089; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"wvs.exe|2C|iexplore.exe"; content:"Can|27|t Load",nocase; content:"Error Code: |5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:25090; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"wvs.exe|2C|iexplore.exe"; content:"Can|27|t Load",nocase; content:"Error Code: |5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:25091; rev:3; )
-alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool variant outbound connection"; flow:to_client,established; file_data; content:"cmd|3A 5B 2D|bindconnverb"; content:"bindconnverb command received",nocase; content:"verb |5B 2D|tran|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25092; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PERL.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"Mass Defacement"; content:"d:f:n",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25094; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"AnakDompu"; content:"Convertbytes",nocase; content:"explode",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/3730e3c259cb4f727f7a803c23716ceacd640dab102ec61c3bda3974a4ef0175/analysis/; classtype:trojan-activity; sid:25095; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PHP.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"post|5B 27|tac|27 5D|"; content:"login",nocase; content:"admin",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25096; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PHP.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"lama|27|s|27|hell"; content:"execute",nocase; content:"htmlspecialchars",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25097; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; http_uri; content:".php?php=receipt"; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=PostalReceipt.zip|0D 0A|"; file_data; pkt_data; content:"PostalReceipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25578; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingInfo.zip|0D 0A|"; file_data; pkt_data; content:"BookingInfo.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25579; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingDetails.zip|0D 0A|"; file_data; pkt_data; content:"BookingDetails.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25580; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Java.Trojan.FlashPlayer file download attempt"; flow:to_client,established; http_header; content:"filename=",nocase; pkt_data; content:"FlashPlayer.jar",within 17,fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9324faaed6c7920f1721b60f81e1b04fbe317dedf9974bdfa02d8fcd1f0be18f/analysis/; classtype:trojan-activity; sid:25764; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*eb167039d64daa68c565052678c517a4*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:misc-activity; sid:26093; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=Postal-Receipt.zip|0D 0A|"; file_data; pkt_data; content:"Postal-Receipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:26261; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Double HTTP Server declared"; flow:to_client,established; http_header; content:"Server|3A| Apache"; content:"Server|3A|nginx"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26369; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1942 ( msg:"MALWARE-OTHER Possible data upload - Bitcoin Miner User Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Ufasoft bitcoin-miner"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26395; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; http_header; content:"-2013.zip|0D 0A|"; content:"-",within 1,distance -14; file_data; pkt_data; content:"-2013.exe"; content:"-",within 1,distance -14; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Unix.Backdoor.Cdorked download attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"Jan 13 2013 10:57:10"; content:"Cpanel::Easy::Apache"; content:"1.4.6|00|Architecture:",within 19,distance 151; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26531; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Unix.Backdoor.Cdorked download attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"Jan 13 2013 10:57:10"; content:"Cpanel::Easy::Apache"; content:"1.4.6|00|Architecture:",within 19,distance 151; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26532; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000=",fast_pattern; http_cookie; content:"SL_"; content:"_0000=",within 8; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS"; flow:to_client,established; file_data; content:"/in.cgi?"; pcre:"/\x2Fin\.cgi\?\d{1,2}$/smi"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21848; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; http_header; content:"/in.cgi"; pcre:"/\x2Fin\.cgi\?\d{1,2}$/smi"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; http_uri; content:"/hi.cgi"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; http_stat_code; content:"302"; pkt_data; content:"=_"; content:"_|5C 3B| domain=",within 11,distance 1; http_cookie; pcre:"/^[a-z]{5}\d=_\d_/"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake delivery information phishing attack"; flow:to_client,established; http_header; content:"|3B| filename="; content:"Delivery_Information_ID-"; file_data; pkt_data; content:"Delivery_Information_ID-"; content:".exe",within 50; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26660; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.KitM file download"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"N37CXSRXLD"; content:"Developer ID Application: Rajinder Kumar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26670; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER OSX.Trojan.KitM file download"; flow:to_server,established; flowbits:isset,file.universalbinary; file_data; content:"N37CXSRXLD"; content:"Developer ID Application: Rajinder Kumar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26671; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--ded509-->"; content:"<!--/ded509-->",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:26698; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Kazy download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"CLSID = s '{D4D8E7EF-EB95-405E-A9F2-886DBB4168F4}'"; content:"ForceRemove {D4D8E7EF-EB95-405E-A9F2-886DBB4168F4} = s 'Norm Class'",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26778; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER ANDR.Trojan.ZertSecurity encrypted information leak"; flow:to_server,established; http_uri; content:"/sms/d_m009.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.lookout.com/blog/2013/05/06/zertsecurity; classtype:trojan-activity; sid:26796; rev:2; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-OTHER DNS information disclosure attempt"; flow:to_server; content:"|00 00 00|",offset 2; content:"|01|",within 1; content:"|3A|",within 1,distance 6; content:"|2D 2D 2D|",within 3,distance 30,fast_pattern; content:"|3A|",within 1,distance 25; content:"|01|",within 1,distance 58; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:attempted-user; sid:26803; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"MALWARE-OTHER Win.Trojan.Kazy download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"CLSID = s '{D4D8E7EF-EB95-405E-A9F2-886DBB4168F4}'"; content:"ForceRemove {D4D8E7EF-EB95-405E-A9F2-886DBB4168F4} = s 'Norm Class'",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26921; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/?id=##1"; metadata:policy balanced-ips alert,policy security-ips drop,service http; classtype:misc-activity; sid:26933; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; http_uri; content:"/?q="; content:"##1"; pcre:"/^\/\?q=[^&]*##1$/"; metadata:policy balanced-ips alert,policy security-ips drop,service http; classtype:misc-activity; sid:26934; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Dokstormac file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"wrUz2WzrY5v/P3E8LObWW7nrH4/a"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27050; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"MALWARE-OTHER Win.Trojan.Dokstormac file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"wrUz2WzrY5v/P3E8LObWW7nrH4/a"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27051; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Yakes download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:":|5C|Motor Life|5C|Rotor.pdb"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27055; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"MALWARE-OTHER Win.Trojan.Yakes download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:":|5C|Motor Life|5C|Rotor.pdb"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27056; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.HackBack file download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"Interview_Venue_and_Questions.app/Contents/MacOS/FileBackupUX"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27059; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER OSX.Trojan.HackBack file upload attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"Interview_Venue_and_Questions.app/Contents/MacOS/FileBackupUX"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27060; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-OTHER DirtJumper denial of service attack traffic"; flow:to_server,established; http_client_body; content:"login=",nocase; content:"&passwrd=",within 9,distance 2121,nocase; content:"&vb_login_md5password=",within 22,distance 235,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:attempted-dos; sid:27115; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.Janicab file download attempt"; flow:to_client,established; file_data; content:"RecentNews|2E E2 80 AE|fdp.app"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.f-secure.com/weblog/archives/00002576.html; classtype:attempted-admin; sid:27228; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Cookiebomb code injection attack"; flow:to_client,established; file_data; content:"a=0|3B|z=|22|y|22 3B|try{a*=25}catch("; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27229; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; classtype:trojan-activity; sid:27246; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Osx.Trojan.Janicab file download attempt"; flow:to_client,established; flowbits:isset,file.pyc; file_data; content:"Libs/Starter"; pcre:"/Libs\/Starter(CmdExec|NetUtils|Rec|ScreenShots|Settings)\.py/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27548; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"MALWARE-OTHER Osx.Trojan.Janicab file download attempt"; flow:to_client,established; flowbits:isset,file.pyc; file_data; content:"Libs/Starter"; pcre:"/Libs\/Starter(CmdExec|NetUtils|Rec|ScreenShots|Settings)\.py/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27549; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--0c0896-->"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27550; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HideMeBetter spam injection variant"; flow:to_client,established; file_data; content:"<div id=|22|HideMeBetter|22|>"; content:"if(document|2E|getElementById(|22|HideMeBetter|22|)|20 21 3D 20|null)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; classtype:trojan-activity; sid:27565; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-TOOLS JavaScript LOIC attack"; flow:to_server,established; http_uri; content:"/?id=",nocase; content:"&msg=",within 5,distance 13,nocase; detection_filter:track by_src, count 100, seconds 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; classtype:attempted-dos; sid:21092; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-TOOLS Havij advanced SQL injection tool user-agent string"; flow:to_server, established; http_header; content:"Havij"; pcre:"/User-Agent\:[^\x0a\x0d]+?Havij/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,itsecteam.com/en/projects/project1.htm; classtype:attempted-user; sid:21459; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-TOOLS slowhttptest DoS tool"; flow:to_server,established; http_header; content:"Referer|3A| http|3A 2F 2F|code.google.com|2F|p|2F|slowhttptest",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,code.google.com/p/slowhttptest/; classtype:attempted-dos; sid:21104; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Downloader download"; flow:to_client,established; file_data; content:"|01 7C F2 E8 39 0A 61 81 59 BD CA 62 00 BE CA 7D D3 F9 4E CC EB 48 20 5F EC D3 61 46 36 7B 36 EB|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24311; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Downloader inbound email"; flow:to_server,established; file_data; content:"|01 7C F2 E8 39 0A 61 81 59 BD CA 62 00 BE CA 7D D3 F9 4E CC EB 48 20 5F EC D3 61 46 36 7B 36 EB|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24312; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Miniflame download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"icsvnt"; content:"RegisterService",nocase; content:"ServiceMain",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24408; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Miniflame download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"icsvnt"; content:"RegisterService",nocase; content:"ServiceMain",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24409; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Gauss download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|2E 00|B|00|a|00|c|00|k|00|u|00|p|00|0|00|D",nocase; content:"t|00|a|00|r|00|g|00|e|00|t|00 2E 00|l|00|n|00|k"; content:"|25 00|x",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24410; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Gauss download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|2E 00|B|00|a|00|c|00|k|00|u|00|p|00|0|00|D",nocase; content:"t|00|a|00|r|00|g|00|e|00|t|00 2E 00|l|00|n|00|k"; content:"|25 00|x",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24411; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Lucuis malware file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"01234567890123456789eric0123456789012345678karen|00 00 00 00 25|SystemRoot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24515; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Lucuis malware file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"01234567890123456789eric0123456789012345678karen|00 00 00 00 25|SystemRoot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/b76b6c8d5378e465c91f6283b6f11fdd58916cfe02923b3a48344174c2272bc0/analysis/; classtype:trojan-activity; sid:24516; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger inside website logger 2.4 runtime detection"; flow:to_server,established; content:"Subject|3A| Email Reports from Inside Website Logger"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.programurl.com/inside-website-logger.htm; classtype:successful-recon-limited; sid:12480; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send alert out through email"; flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy",nocase; content:"Alert",distance 0,nocase; pcre:"/^SpyBuddy\s+Alert/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:url,www.spywareguide.com/product_show.php?id=21; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719; classtype:successful-recon-limited; sid:8357; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send log out through email"; flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy",nocase; content:"Activity",distance 0,nocase; content:"Logs",distance 0; pcre:"/^SpyBuddy\s+Activity\s+Logs/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:url,www.spywareguide.com/product_show.php?id=21; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719; classtype:successful-recon-limited; sid:8356; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection"; flow:to_server,established; content:"From|3A|",nocase; content:"SpyBuddy",distance 0,nocase; pcre:"/^From\x3a[^\r\n]*SpyBuddy/smi"; flowbits:set,SpyBuddy_SMTP; flowbits:noalert; service:smtp; classtype:successful-recon-limited; sid:8355; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spyagent runtime detect - alert notification"; flow:to_server,established; content:"This is an alert notification from SpyAgent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5882; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"MALWARE-OTHER Keylogger spyagent runtime detect - ftp delivery"; flow:to_server,established; content:"STOR spyagent-log"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:ftp; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5881; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spyagent runtime detect - smtp delivery"; flow:to_server,established; content:"Computer IP Address|3A|",nocase; content:"Attached to this email are the activity logs that you have requested",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5880; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 2"; flow:to_server,established; http_uri; content:"/fs-bin/swat?",nocase; content:"lsnsig=",nocase; content:"offerid=",nocase; http_header; content:"Referer|3A| e2give.com",fast_pattern,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5909; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 1"; flow:to_server,established; http_uri; content:"/fs-bin/click?",nocase; content:"id=",nocase; content:"offerid=",nocase; content:"type=",nocase; pkt_data; content:"Referer|3A| e2give.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5908; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - check update"; flow:to_server,established; http_uri; content:"/go/check?",nocase; content:"build=",nocase; content:"source=",nocase; pkt_data; content:"Host|3A| e2give.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5907; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware myway speedbar runtime detection - switch engines"; flow:to_server,established; http_uri; content:"PG=SPEEDBAR",nocase; pcre:"/\.(jsp|html)\?[^\r\n]*PG=SPEEDBAR/i"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips drop; service:http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5805; rev:13; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Coded by fzk",nocase; content:"|40 00|smb.txt",nocase; content:"I got back a null buffer !"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:24589; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Coded by fzk",nocase; content:"|40 00|smb.txt",nocase; content:"I got back a null buffer !"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:24590; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"unable to start gsecdump"; content:"dump_usedhashes,u",nocase; content:"iamservice",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/0821986b379c8f823bffea73cb25819a8a807c381b084e962b5e51c78f187199/analysis/; classtype:trojan-activity; sid:24591; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"unable to start gsecdump"; content:"dump_usedhashes,u",nocase; content:"iamservice",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/0821986b379c8f823bffea73cb25819a8a807c381b084e962b5e51c78f187199/analysis/; classtype:trojan-activity; sid:24592; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt"; flow:to_client,established; flowbits:isset,malware.miniflame; content:"|0D 0A|<!-- "; pcre:"/^<!--\s+[\w]{52,}\s+-->\r\n/smi"; flowbits:unset,malware.miniflame; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24594; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"p2x5142.dll failed"; content:"DBG: FIND",nocase; content:"GetTempDir",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/886ecd19280ab8f7dc962d85ad1b94b251592e412f4f41fe7c1596767e739489/analysis/; classtype:trojan-activity; sid:24600; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"p2x5142.dll failed"; content:"DBG: FIND",nocase; content:"GetTempDir",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/886ecd19280ab8f7dc962d85ad1b94b251592e412f4f41fe7c1596767e739489/analysis/; classtype:trojan-activity; sid:24601; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"bind port |5B 25|d|5D| faild!"; content:"-conn",nocase; content:"cmdsocks.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/410a85bb7522e86de3da953c69d3721752ef88b272ef47c86555a08c1767cdda/analysis/; classtype:trojan-activity; sid:24602; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"bind port |5B 25|d|5D| faild!"; content:"-conn",nocase; content:"cmdsocks.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/410a85bb7522e86de3da953c69d3721752ef88b272ef47c86555a08c1767cdda/analysis/; classtype:trojan-activity; sid:24603; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"msiveop.dat|00|msnetst.exe"; content:"cmd.exe|00|command.com",nocase; content:"700WP",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/3a99a24bd0420fa5176e68092b803f68a8d13d803de4f9d8d375256b132c8951/analysis/; classtype:trojan-activity; sid:24604; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"msiveop.dat|00|msnetst.exe"; content:"cmd.exe|00|command.com",nocase; content:"700WP",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/3a99a24bd0420fa5176e68092b803f68a8d13d803de4f9d8d375256b132c8951/analysis/; classtype:trojan-activity; sid:24605; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"SSLTlsvc has removed successfully!"; content:"bindconnverb",nocase; content:"cmd3",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/655d1a21fbaf3571beee860a99d009ba0a604430fe42925d07eff48a97a3cf73/analysis/; classtype:trojan-activity; sid:24606; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"SSLTlsvc has removed successfully!"; content:"bindconnverb",nocase; content:"cmd3",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/655d1a21fbaf3571beee860a99d009ba0a604430fe42925d07eff48a97a3cf73/analysis/; classtype:trojan-activity; sid:24607; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"udp associate"; content:"lost host1|21|",nocase; content:"cmdsocks |3C|1.34|3E|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/af2a6b22b4f42d6b190f122c1c06abb0760b47c4e195cc0e5bd4e4fabf56b8cb/analysis/; classtype:trojan-activity; sid:24609; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"udp associate"; content:"lost host1|21|",nocase; content:"cmdsocks |3C|1.34|3E|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/af2a6b22b4f42d6b190f122c1c06abb0760b47c4e195cc0e5bd4e4fabf56b8cb/analysis/; classtype:trojan-activity; sid:24610; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"IO_wfile_underflow"; content:"Gethostbyname|28 25|s|29|",nocase; content:"stack smashing attack",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/e01351a627a5db51607b1bffd7cb22eabf64d421436131a1ef24fc447d47a85d/analysis/; classtype:trojan-activity; sid:24611; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"IO_wfile_underflow"; content:"Gethostbyname|28 25|s|29|",nocase; content:"stack smashing attack",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/e01351a627a5db51607b1bffd7cb22eabf64d421436131a1ef24fc447d47a85d/analysis/; classtype:trojan-activity; sid:24612; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"Type your current password to get root"; content:"/usr/bin/chfn |2D|h",nocase; content:"uid|3D|1000|28|hunger|29|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/25748edee2e58e31b9f79d328ce9286b69f082db86467d6401dd23cb55b0cdfa/analysis/; classtype:trojan-activity; sid:24613; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"Type your current password to get root"; content:"/usr/bin/chfn |2D|h",nocase; content:"uid|3D|1000|28|hunger|29|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/25748edee2e58e31b9f79d328ce9286b69f082db86467d6401dd23cb55b0cdfa/analysis/; classtype:trojan-activity; sid:24614; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"crack|5F|ftp|28|self|29|"; content:"users |3D| |5B 27|root",nocase; content:"do|5F|smb|5F|ck",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/7c334a0a9ef6ab520366e0b20ba488e41b546aae34395c83c0d420102ad550cd/analysis/; classtype:trojan-activity; sid:24615; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"crack|5F|ftp|28|self|29|"; content:"users |3D| |5B 27|root",nocase; content:"do|5F|smb|5F|ck",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/7c334a0a9ef6ab520366e0b20ba488e41b546aae34395c83c0d420102ad550cd/analysis/; classtype:trojan-activity; sid:24616; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|23 23|auth|23 23 5B 25|s|5D| succ|21|"; content:"cqo |00|cqto |00|",nocase; content:"block socket|5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/08f7c373abfa4dc80b015c518834a2f441544a75ae5091f7585bedd31c0e31e2/analysis/; classtype:trojan-activity; sid:24617; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|23 23|auth|23 23 5B 25|s|5D| succ|21|"; content:"cqo |00|cqto |00|",nocase; content:"block socket|5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/8f6c0e43bab53df013ef522c83acf0278e9c3ed248f6d10560ae57e13fc3c0a3/analysis/; classtype:trojan-activity; sid:24618; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5B|SERVER|5D|connection to |25|s|3A 25|d error"; content:"ntimfos|2E|eng",nocase; content:"wsastartup",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/c770b96d25c4f0102b3d0a728f75d683779308dca2283a0ebae69ac1e2672a52/analysis/; classtype:trojan-activity; sid:24619; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5B|SERVER|5D|connection to |25|s|3A 25|d error"; content:"ntimfos|2E|eng",nocase; content:"wsastartup",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/c770b96d25c4f0102b3d0a728f75d683779308dca2283a0ebae69ac1e2672a52/analysis/; classtype:trojan-activity; sid:24620; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Error in cmdline|21|"; content:"InjectDllAndCallFunction",nocase; content:"lsass.exe",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:24621; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Error in cmdline|21|"; content:"InjectDllAndCallFunction",nocase; content:"lsass.exe",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:24622; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"hendi"; content:"exec",nocase; content:"rm -rf",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:24648; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"wieeeee"; content:"md5 cracker",nocase; content:"die()",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/eb8c799f47fad06026e5e454e3dc56902055c9c6c55f5f1ded4f88f53ac9076c/analysis/1350929362/; classtype:trojan-activity; sid:24727; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.Imuler suspicious download"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"/tmp/launch-ICS000"; content:".confr",nocase; content:"rm -rf",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24799; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER OSX.Trojan.Imuler suspicious download"; flow:to_server,established; flowbits:isset,file.universalbinary; file_data; content:"/tmp/launch-ICS000"; content:".confr",nocase; content:"rm -rf",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24800; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*km0ae9gr6m*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,stopmalvertising.com/tag/km0ae9gr6m/; classtype:misc-activity; sid:24883; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*qhk6sa6g1c*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,stopmalvertising.com/tag/km0ae9gr6m/; classtype:misc-activity; sid:24884; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*c3284d*/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:misc-activity; sid:24899; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"ngatur"; content:"filenyo"; content:"ls -la"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/1e737d034848cc7cdec9940e09fd952c9357d24d25e430027649be91867e770e/analysis/; classtype:trojan-activity; sid:24900; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"I got back a null buffer !"; content:"Coded by fzk",nocase; content:"|40 00|smb.txt",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:25084; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"I got back a null buffer !"; content:"Coded by fzk",nocase; content:"|40 00|smb.txt",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:25085; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"transmit produce over"; content:"Two send|5B 25|d|5D|",nocase; content:"transerver.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/09c0ab18b970a5f0dd35a591aeb8073a7fa1c6b6aac829a04ea66784e99b127f/analysis/; classtype:trojan-activity; sid:25086; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"transmit produce over"; content:"Two send|5B 25|d|5D|",nocase; content:"transerver.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/09c0ab18b970a5f0dd35a591aeb8073a7fa1c6b6aac829a04ea66784e99b127f/analysis/; classtype:trojan-activity; sid:25087; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Start Transmit"; content:"One recv|5B 25|d|5D|",nocase; content:"sockconsole.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/89acf767780e0d427b58310eb2776179cb963016b908e197c41a7504c6663d8c/analysis/; classtype:trojan-activity; sid:25088; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Start Transmit"; content:"One recv|5B 25|d|5D|",nocase; content:"sockconsole.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/89acf767780e0d427b58310eb2776179cb963016b908e197c41a7504c6663d8c/analysis/; classtype:trojan-activity; sid:25089; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"wvs.exe|2C|iexplore.exe"; content:"Can|27|t Load",nocase; content:"Error Code: |5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:25090; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"wvs.exe|2C|iexplore.exe"; content:"Can|27|t Load",nocase; content:"Error Code: |5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:25091; rev:3; )
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool variant outbound connection"; flow:to_client,established; file_data; content:"cmd|3A 5B 2D|bindconnverb"; content:"bindconnverb command received",nocase; content:"verb |5B 2D|tran|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25092; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PERL.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"Mass Defacement"; content:"d:f:n",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25094; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"AnakDompu"; content:"Convertbytes",nocase; content:"explode",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/3730e3c259cb4f727f7a803c23716ceacd640dab102ec61c3bda3974a4ef0175/analysis/; classtype:trojan-activity; sid:25095; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PHP.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"post|5B 27|tac|27 5D|"; content:"login",nocase; content:"admin",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25096; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PHP.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"lama|27|s|27|hell"; content:"execute",nocase; content:"htmlspecialchars",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25097; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; http_uri; content:".php?php=receipt"; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=PostalReceipt.zip|0D 0A|"; file_data; pkt_data; content:"PostalReceipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25578; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingInfo.zip|0D 0A|"; file_data; pkt_data; content:"BookingInfo.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25579; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingDetails.zip|0D 0A|"; file_data; pkt_data; content:"BookingDetails.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25580; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Java.Trojan.FlashPlayer file download attempt"; flow:to_client,established; http_header; content:"filename=",nocase; pkt_data; content:"FlashPlayer.jar",within 17,fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/9324faaed6c7920f1721b60f81e1b04fbe317dedf9974bdfa02d8fcd1f0be18f/analysis/; classtype:trojan-activity; sid:25764; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*eb167039d64daa68c565052678c517a4*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:misc-activity; sid:26093; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=Postal-Receipt.zip|0D 0A|"; file_data; pkt_data; content:"Postal-Receipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:26261; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Double HTTP Server declared"; flow:to_client,established; http_header; content:"Server|3A| Apache"; content:"Server|3A|nginx"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26369; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1942 ( msg:"MALWARE-OTHER Possible data upload - Bitcoin Miner User Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Ufasoft bitcoin-miner"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26395; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; http_header; content:"-2013.zip|0D 0A|"; content:"-",within 1,distance -14; file_data; pkt_data; content:"-2013.exe"; content:"-",within 1,distance -14; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Unix.Backdoor.Cdorked download attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"Jan 13 2013 10:57:10"; content:"Cpanel::Easy::Apache"; content:"1.4.6|00|Architecture:",within 19,distance 151; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26531; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Unix.Backdoor.Cdorked download attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"Jan 13 2013 10:57:10"; content:"Cpanel::Easy::Apache"; content:"1.4.6|00|Architecture:",within 19,distance 151; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26532; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000=",fast_pattern; http_cookie; content:"SL_"; content:"_0000=",within 8; metadata:impact_flag red,policy security-ips drop,ruleset community; service:http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS"; flow:to_client,established; file_data; content:"/in.cgi?"; pcre:"/\x2Fin\.cgi\?\d{1,2}$/smi"; metadata:impact_flag red,policy security-ips drop,ruleset community; service:http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21848; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; http_header; content:"/in.cgi"; pcre:"/\x2Fin\.cgi\?\d{1,2}$/smi"; metadata:impact_flag red,policy security-ips drop,ruleset community; service:http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; http_uri; content:"/hi.cgi"; metadata:impact_flag red,policy security-ips drop,ruleset community; service:http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; http_stat_code; content:"302"; pkt_data; content:"=_"; content:"_|5C 3B| domain=",within 11,distance 1; http_cookie; pcre:"/^[a-z]{5}\d=_\d_/"; metadata:impact_flag red,policy security-ips drop,ruleset community; service:http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake delivery information phishing attack"; flow:to_client,established; http_header; content:"|3B| filename="; content:"Delivery_Information_ID-"; file_data; pkt_data; content:"Delivery_Information_ID-"; content:".exe",within 50; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26660; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.KitM file download"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"N37CXSRXLD"; content:"Developer ID Application: Rajinder Kumar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26670; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER OSX.Trojan.KitM file download"; flow:to_server,established; flowbits:isset,file.universalbinary; file_data; content:"N37CXSRXLD"; content:"Developer ID Application: Rajinder Kumar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26671; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--ded509-->"; content:"<!--/ded509-->",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:26698; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Kazy download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"CLSID = s '{D4D8E7EF-EB95-405E-A9F2-886DBB4168F4}'"; content:"ForceRemove {D4D8E7EF-EB95-405E-A9F2-886DBB4168F4} = s 'Norm Class'",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26778; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER ANDR.Trojan.ZertSecurity encrypted information leak"; flow:to_server,established; http_uri; content:"/sms/d_m009.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.lookout.com/blog/2013/05/06/zertsecurity; classtype:trojan-activity; sid:26796; rev:2; )
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-OTHER DNS information disclosure attempt"; flow:to_server; content:"|00 00 00|",offset 2; content:"|01|",within 1; content:"|3A|",within 1,distance 6; content:"|2D 2D 2D|",within 3,distance 30,fast_pattern; content:"|3A|",within 1,distance 25; content:"|01|",within 1,distance 58; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:dns; classtype:attempted-user; sid:26803; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"MALWARE-OTHER Win.Trojan.Kazy download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"CLSID = s '{D4D8E7EF-EB95-405E-A9F2-886DBB4168F4}'"; content:"ForceRemove {D4D8E7EF-EB95-405E-A9F2-886DBB4168F4} = s 'Norm Class'",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26921; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/?id=##1"; metadata:policy balanced-ips alert,policy security-ips drop; service:http; classtype:misc-activity; sid:26933; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; http_uri; content:"/?q="; content:"##1"; pcre:"/^\/\?q=[^&]*##1$/"; metadata:policy balanced-ips alert,policy security-ips drop; service:http; classtype:misc-activity; sid:26934; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Dokstormac file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"wrUz2WzrY5v/P3E8LObWW7nrH4/a"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27050; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"MALWARE-OTHER Win.Trojan.Dokstormac file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"wrUz2WzrY5v/P3E8LObWW7nrH4/a"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27051; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Yakes download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:":|5C|Motor Life|5C|Rotor.pdb"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27055; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"MALWARE-OTHER Win.Trojan.Yakes download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:":|5C|Motor Life|5C|Rotor.pdb"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27056; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.HackBack file download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"Interview_Venue_and_Questions.app/Contents/MacOS/FileBackupUX"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27059; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER OSX.Trojan.HackBack file upload attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"Interview_Venue_and_Questions.app/Contents/MacOS/FileBackupUX"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27060; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-OTHER DirtJumper denial of service attack traffic"; flow:to_server,established; http_client_body; content:"login=",nocase; content:"&passwrd=",within 9,distance 2121,nocase; content:"&vb_login_md5password=",within 22,distance 235,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:attempted-dos; sid:27115; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.Janicab file download attempt"; flow:to_client,established; file_data; content:"RecentNews|2E E2 80 AE|fdp.app"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.f-secure.com/weblog/archives/00002576.html; classtype:attempted-admin; sid:27228; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Cookiebomb code injection attack"; flow:to_client,established; file_data; content:"a=0|3B|z=|22|y|22 3B|try{a*=25}catch("; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27229; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; classtype:trojan-activity; sid:27246; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Osx.Trojan.Janicab file download attempt"; flow:to_client,established; flowbits:isset,file.pyc; file_data; content:"Libs/Starter"; pcre:"/Libs\/Starter(CmdExec|NetUtils|Rec|ScreenShots|Settings)\.py/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27548; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"MALWARE-OTHER Osx.Trojan.Janicab file download attempt"; flow:to_client,established; flowbits:isset,file.pyc; file_data; content:"Libs/Starter"; pcre:"/Libs\/Starter(CmdExec|NetUtils|Rec|ScreenShots|Settings)\.py/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27549; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--0c0896-->"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27550; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HideMeBetter spam injection variant"; flow:to_client,established; file_data; content:"<div id=|22|HideMeBetter|22|>"; content:"if(document|2E|getElementById(|22|HideMeBetter|22|)|20 21 3D 20|null)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; classtype:trojan-activity; sid:27565; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-TOOLS JavaScript LOIC attack"; flow:to_server,established; http_uri; content:"/?id=",nocase; content:"&msg=",within 5,distance 13,nocase; detection_filter:track by_src, count 100, seconds 5; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; classtype:attempted-dos; sid:21092; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-TOOLS Havij advanced SQL injection tool user-agent string"; flow:to_server, established; http_header; content:"Havij"; pcre:"/User-Agent\:[^\x0a\x0d]+?Havij/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,itsecteam.com/en/projects/project1.htm; classtype:attempted-user; sid:21459; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-TOOLS slowhttptest DoS tool"; flow:to_server,established; http_header; content:"Referer|3A| http|3A 2F 2F|code.google.com|2F|p|2F|slowhttptest",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,code.google.com/p/slowhttptest/; classtype:attempted-dos; sid:21104; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 445 ( msg:"NETBIOS NT QUERY SECURITY DESC flowbit"; flow:to_server,established; content:"|FF|SMB|A0|",depth 5,offset 4; isdataat:66,relative; content:"|06 00|",within 2,distance 64; flowbits:set,smb.query_sec_desc; flowbits:noalert; metadata:service netbios-ssn; classtype:misc-activity; sid:16538; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB /PlughNTCommand andx create tree attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|",depth 1,offset 39; byte_jump:2,0,little,relative; content:"|5C|PlughNTCommand|00|",within 17,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16754; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB /PlughNTCommand create tree attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A2|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|PlughNTCommand|00|",within 17,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16755; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB /PlughNTCommand unicode andx create tree attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|",depth 1,offset 39; byte_jump:2,0,little,relative; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|",within 33,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16756; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB /PlughNTCommand unicode create tree attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A2|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|",within 33,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16757; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 445 ( msg:"NETBIOS NT QUERY SECURITY DESC flowbit"; flow:to_server,established; content:"|FF|SMB|A0|",depth 5,offset 4; isdataat:66,relative; content:"|06 00|",within 2,distance 64; flowbits:set,smb.query_sec_desc; flowbits:noalert; service:netbios-ssn; classtype:misc-activity; sid:16538; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB /PlughNTCommand andx create tree attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|",depth 1,offset 39; byte_jump:2,0,little,relative; content:"|5C|PlughNTCommand|00|",within 17,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; service:netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16754; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB /PlughNTCommand create tree attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A2|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|PlughNTCommand|00|",within 17,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; service:netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16755; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB /PlughNTCommand unicode andx create tree attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|",depth 1,offset 39; byte_jump:2,0,little,relative; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|",within 33,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; service:netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16756; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB /PlughNTCommand unicode create tree attempt"; flow:established,to_server; content:"|00|",depth 1; content:"|FF|SMB|A2|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|",within 33,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; service:netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16757; rev:3; )
alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"NETBIOS SMB /PlughNTCommand andx create tree attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|",depth 1,offset 39; byte_jump:2,0,little,relative; content:"|5C|PlughNTCommand|00|",within 17,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16758; rev:3; )
alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"NETBIOS SMB /PlughNTCommand create tree attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB|A2|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|PlughNTCommand|00|",within 17,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16759; rev:3; )
alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"NETBIOS SMB /PlughNTCommand unicode andx create tree attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|",depth 1,offset 39; byte_jump:2,0,little,relative; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|",within 33,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16760; rev:3; )
alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"NETBIOS SMB /PlughNTCommand unicode create tree attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB|A2|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|",within 33,distance 51,nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16761; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|",depth 1; content:"|FF|SMB/",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16763; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|",depth 1; content:"|FF|SMB/",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16765; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS Juniper NeoterisSetupService named pipe access attempt"; flow:established,to_server,no_stream; content:"|FF|SMB|A2|",depth 5,offset 4; content:"|5C|NeoterisSetupService",within 21,distance 78,fast_pattern,nocase; flowbits:set,smb.neoteris; flowbits:noalert; metadata:service netbios-ssn; reference:cve,2009-4643; classtype:protocol-command-decode; sid:19816; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS Juniper Odyssey Access Client DSSETUPSERVICE_CMD_UNINSTALL overflow attempt"; flow:established,to_server; flowbits:isset,smb.neoteris; content:"|FF|SMB|2F|",depth 5,offset 4; content:"|03 00 00 00|",within 4,distance 62; isdataat:228,relative; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2009-4643; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=850; classtype:attempted-admin; sid:19817; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|",depth 1; content:"|FF|SMB/",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16763; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|",depth 1; content:"|FF|SMB/",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16765; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS Juniper NeoterisSetupService named pipe access attempt"; flow:established,to_server,no_stream; content:"|FF|SMB|A2|",depth 5,offset 4; content:"|5C|NeoterisSetupService",within 21,distance 78,fast_pattern,nocase; flowbits:set,smb.neoteris; flowbits:noalert; service:netbios-ssn; reference:cve,2009-4643; classtype:protocol-command-decode; sid:19816; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS Juniper Odyssey Access Client DSSETUPSERVICE_CMD_UNINSTALL overflow attempt"; flow:established,to_server; flowbits:isset,smb.neoteris; content:"|FF|SMB|2F|",depth 5,offset 4; content:"|03 00 00 00|",within 4,distance 62; isdataat:228,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2009-4643; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=850; classtype:attempted-admin; sid:19817; rev:1; )
alert udp $EXTERNAL_NET any -> $HOME_NET 2049 ( msg:"OS-LINUX Linux Kernel NFSD Subsystem overflow attempt"; flow:to_server; content:"|00 00 00 22|"; content:"|00 00 00 01 00 00 10 00 00 00 03|D|00 00 00 1A|",within 16,distance 16; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,31133; reference:cve,2008-3915; classtype:attempted-dos; sid:16352; rev:2; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"OS-LINUX Linux SCTP malformed forward-tsn chunk arbitrary code execution attempt"; ip_proto:132; content:"|C0 00|",depth 2,offset 12; byte_test:2,>,500,0,relative,big; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,33113; reference:cve,2009-0065; classtype:attempted-admin; sid:15490; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Gmaster device information send"; flow:to_server,established; http_client_body; content:"uid=",nocase; content:"imei=",nocase; content:"simNum=",nocase; content:"telNum=",nocase; content:"imsi=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99&tabid=2; classtype:trojan-activity; sid:26026; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Tetus device information leakage"; flow:to_server, established; http_header; content:"User-Agent: Dalvik"; http_uri; content:"imei=",nocase; content:"lpn=",nocase; content:"vd=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/855332267ffd1fb671d916822ea2929bef8974441a34cb4d9eb9c9b60ba6481f/analysis/; classtype:trojan-activity; sid:26938; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Tetus device information leakage variant"; flow:to_server, established; http_header; content:"User-Agent: Dalvik"; http_uri; content:"imei=",nocase; content:"referrer=",nocase; content:"pid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/855332267ffd1fb671d916822ea2929bef8974441a34cb4d9eb9c9b60ba6481f/analysis/; classtype:trojan-activity; sid:26939; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.ZertSecurity apk download"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|c|00|e|00|a|00|n|00|d|00|r|00|o|00|i|00|d|00|.|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|.|00|z|00|e|00|r|00|t"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blog.lookout.com/blog/2013/05/06/zertsecurity; classtype:trojan-activity; sid:26795; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.Opfake APK file download"; flow:to_client,established; file_data; flowbits:isset,file.apk; content:"n|00|g|00|j|00|v|00|n|00|p|00|s|00|l|00|n|00|p|00|.|00|i|00|p|00|l|00|h|00|m|00|k"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/f2648dc7bc964dc7690c60575ad526ba5b23a0f09312fd7ebf4fa65a379919ca/analysis/; classtype:trojan-activity; sid:26783; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-MOBILE Android ANDR.Trojan.Chuli APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"h|00|t|00|t|00|p|00|:|00|/|00|/|00|6|00|4|00 2E 00|7|00|8|00 2E 00|1|00|6|00|1|00 2E 00|1|00|3|00|3"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:26273; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.Chuli APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"h|00|t|00|t|00|p|00|:|00|/|00|/|00|6|00|4|00 2E 00|7|00|8|00 2E 00|1|00|6|00|1|00 2E 00|1|00|3|00|3"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:26272; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-MOBILE Android ANDR.Trojan.PremiumSMS APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|z|00|w|00|x|00|.|00|f|00|l|00|y|00|a|00|p|00|p"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,blog.trustgo.com/trojanextension-a-complex-malware-escapes-av-detection/; classtype:trojan-activity; sid:26247; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.PremiumSMS APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|z|00|w|00|x|00|.|00|f|00|l|00|y|00|a|00|p|00|p"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blog.trustgo.com/trojanextension-a-complex-malware-escapes-av-detection/; classtype:trojan-activity; sid:26246; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android SMSZombie APK file download"; flow:to_client,established; file_data; content:"assets/a33.jpg"; flowbits:set,file.smszombie; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,blog.trustgo.com/SMSZombie/; classtype:trojan-activity; sid:23969; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android SMSZombie APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; flowbits:isset,file.smszombie; file_data; content:"b|00|a|00|o|00|x|00|i|00|a|00|n|00|_|00|z|00|h|00|u|00|s|00|h|00|o|00|u"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blog.trustgo.com/SMSZombie/; classtype:trojan-activity; sid:23954; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.Opfake device information disclosure attempt"; flow:to_server,established; http_uri; content:"/q.php",nocase; http_header; content:"Apache-HttpClient/UNAVAILABLE (java 1."; http_client_body; content:"log",depth 3,nocase; content:"Executing",distance 0,nocase; content:"sendSMS",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.avast.com/2012/10/31/double-trouble/; classtype:trojan-activity; sid:26827; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.Opfake credential theft attempt"; flow:to_server,established; http_uri; content:"/login.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; http_client_body; content:"user_id=",nocase; content:"&password=",distance 0,nocase; content:"&submit=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.avast.com/2012/10/31/double-trouble/; classtype:trojan-activity; sid:26826; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakedoc device information leakage"; flow:to_server, established; http_uri; content:"&locale_source_term_network_sim="; content:"network=",nocase; content:"&did=",nocase; content:"&model=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/85c4f3066b76671aab7148b98766e6b904c83cd0920187ec4bbd5af8c9e9c970/analysis/; classtype:trojan-activity; sid:26768; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakeinst device information leakage"; flow:to_server, established; http_header; content:"Apache-HttpClient/UNAVAILABLE (java 1.4)|0D 0A|"; http_client_body; content:"imei=",nocase; content:"imsi=",nocase; content:"msisdn=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/0a77e1aac4720037e2946edf84d957616e564bd525e444cf3994f5ae4b9374ab/analysis/; classtype:trojan-activity; sid:26761; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakeinst device information leakage"; flow:to_server, established; http_header; content:"User-Agent: Dalvik/"; http_uri; content:"imei=",nocase; content:"imsi=",nocase; content:"phone=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/0a77e1aac4720037e2946edf84d957616e564bd525e444cf3994f5ae4b9374ab/analysis/; classtype:trojan-activity; sid:26760; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Ewalls device information exfiltration"; flow:to_server, established; http_client_body; content:"uniquely_code="; content:"imsi_mcc",nocase; content:"build_model",nocase; content:"line1_number",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/1318b052ac129baf53b004e2e4a7002f4bf8654c1dd9381c4cbf7a535b5c5106/analysis/; classtype:trojan-activity; sid:26705; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Antammi device information exfiltration"; flow:to_server,established; http_client_body; content:"network_mcc"; content:"imsi=",nocase; content:"phone_number=",nocase; content:"sim_id=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/10e2d89226c48d0d9fc08168cc5e508cd9afc6d08c262e70f02b7de607ef548a/analysis/; classtype:trojan-activity; sid:26693; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Denofow phone information exfiltration"; flow:to_server,established; http_header; content:"SOAPAction: "; http_client_body; content:"</opname>",nocase; content:"</cell>",nocase; content:"</openmic>",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/fc0417fd719f457f172a5c3fbb8fc155a04f2376b2ca4155395e01a028908038/analysis/; classtype:trojan-activity; sid:26689; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 30125 ( msg:"OS-MOBILE Android MDK encrypted information leak"; flow:to_server,established; content:"Host: app.looking3g.com",nocase; content:"/serv?",nocase; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,androidmalwaredump.blogspot.com/2013/01/androidtrojmdk-aka-androidksapp.html; classtype:trojan-activity; sid:26443; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android MDK encrypted information leak"; flow:to_server,established; http_header; content:"Host: wap.juliu.net",nocase; http_uri; content:"/control.html?",nocase; http_header; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,androidmalwaredump.blogspot.com/2013/01/androidtrojmdk-aka-androidksapp.html; classtype:trojan-activity; sid:26442; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android Stels server response"; flow:to_client,established; file_data; content:"{|22|removeAllSmsFilters|22|:"; content:",|22|wait|22|:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/03c1b44c94c86c3137862c20f9f745e0f89ce2cdb778dc6466a06a65b7a591ae/analysis/; classtype:trojan-activity; sid:26388; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Stels initial server contact"; flow:to_server,established; http_client_body; content:"--AaB03x",nocase; content:"Content-Disposition"; content:"botId",nocase; content:"imsi",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/03c1b44c94c86c3137862c20f9f745e0f89ce2cdb778dc6466a06a65b7a591ae/analysis/; classtype:trojan-activity; sid:26387; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 ( msg:"OS-MOBILE Android Ksapp device registration"; flow:to_server,established; http_uri; content:"/kspp/do?imei="; content:"&wid=",nocase; content:"&type=&step=0",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99; classtype:trojan-activity; sid:26291; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.RootSmart outbound communication attempt"; flow:to_server,established; http_client_body; content:"c:root="; content:"/androidService/services/AndroidService"; content:"IMEI",distance 0; content:"&|3B|IMSI",within 9,distance 16; content:"&|3B|TYPE_TEL",within 18,distance 16; content:"INSTALL_TYPE",distance 0; metadata:impact_flag red,policy balanced-ips drop,service http; reference:url,www.virustotal.com/en/file/8cb40e8dce05482907ff83b39911831daf20e4a69ee63a6cff523c880eed1acf/analysis/; classtype:trojan-activity; sid:26290; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakenetflix email password upload"; flow:to_server,established; http_header; content:"Host|3A| erofolio.no-ip.biz"; http_client_body; content:"email=",nocase; content:"&pass=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99&tabid=2; classtype:trojan-activity; sid:26205; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android CruseWind imei leakage"; flow:to_server,established; http_uri; content:"/flash/test.xml?imei="; content:"&time=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99&tabid=2; classtype:trojan-activity; sid:26192; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android YZHC device registration"; flow:to_server,established; http_uri; content:"action=domregbycode&"; content:"channe="; content:"imsi="; content:"code="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.csc.ncsu.edu/faculty/jiang/YZHCSMS/; classtype:trojan-activity; sid:26190; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 9888 ( msg:"OS-MOBILE Android YZHC device registration"; flow:to_server,established; content:"networklocale="; content:"networkname="; content:"networkcode="; content:"register?imei="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.csc.ncsu.edu/faculty/jiang/YZHCSMS/; classtype:trojan-activity; sid:26189; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Zitmo trojan intercepted sms upload"; flow:to_server,established; http_uri; content:"/security.jsp",nocase; http_client_body; content:"f0=",nocase; content:"&b0=",nocase; content:"&pid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:26114; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android KMin imei imsi leakage"; flow:to_server,established; http_uri; content:"/portal/m/c",nocase; content:".ashx?",nocase; content:"&nt2=",nocase; content:"&tp=2",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99&tabid=2; classtype:trojan-activity; sid:26104; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GoldDream device registration"; flow:to_server,established; http_uri; content:"/zj/RegistUid.aspx?pid=",nocase; content:"&imsi=",nocase; content:"&imei=",nocase; content:"&sim=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cs.ncsu.edu/faculty/jiang/GoldDream/; classtype:trojan-activity; sid:26102; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GoneIn60Seconds data upload"; flow:to_server,established; http_client_body; content:"data=",nocase; content:"contacts%22%3a",nocase; content:"sms%22%3a",nocase; content:"recent%22%3a",nocase; content:"url%22%3a",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99&tabid=2; classtype:trojan-activity; sid:26087; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GGTracker installation call out"; flow:to_server,established; http_uri; content:"/SM",nocase; content:"|3F|device_id=",nocase; content:"|26|adv_sub=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26018; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GGTracker leak of device phone number"; flow:to_server,established; http_uri; content:"notif.php?phone=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26017; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GGTracker server communication"; flow:to_server,established; http_client_body; content:"number=",nocase; content:"carrier=",nocase; content:"message=",nocase; content:"sdk=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26016; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Lovetrap initial connection"; flow:to_server,established; http_uri; content:"positionrecorder.asmx",nocase; content:"imsi=",nocase; content:"appid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:26015; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ADRD encrypted information leak"; flow:to_server,established; http_uri; content:".aspx?im=",nocase; http_header; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; content:"Accept-Language: zh-CN, en-US",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:25999; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ADRD encrypted information leak"; flow:to_server,established; http_uri; content:".aspx?im=",nocase; http_header; content:"User-Agent: J2ME/UCWEB7.4.0.57"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:25998; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android jSMSHider initial encrypted device info send"; flow:to_server,established; http_client_body; content:"svs=",nocase; content:"sid=",nocase; content:"ssd=",nocase; content:"sta=",nocase; content:"sac=",nocase; content:"sci=",nocase; content:"sch=",nocase; content:"stp=",nocase; content:"svr=",nocase; content:"sig=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.lookout.com/blog/2011/06/15/security-alert-malware-found-targeting-custom-roms-jsmshider/; classtype:trojan-activity; sid:25997; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android.Trojan.Rus.SMS outbound communication attempt"; flow:established,to_server; http_client_body; content:"imei=",depth 5; content:"&time=",within 6,distance 15; content:"&os=",distance 0; content:"&imsi=",distance 0; content:"&v=",within 3,distance 15; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/664725869278f478e5a50a5e359dc6d5cf4f2a7019d0c122e2fa1e318f19636b/analysis/; classtype:trojan-activity; sid:25868; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android AngryBirdsRioUnlocker initial device info send"; flow:to_server,established; http_client_body; content:"|22|userId|22 3A 22|NOT IN USE!!!|22|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.geek.com/articles/mobile/google-removes-malicious-angry-birds-apps-from-android-market-20110614/; classtype:trojan-activity; sid:25864; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Apple iOS 6.x jailbreak download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"evasi0n-win-"; content:"evasi0n.exe",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,evasi0n.com/; classtype:attempted-admin; sid:25615; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-MOBILE Apple iOS 6.x jailbreak download attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"evasi0n-win-"; content:"evasi0n.exe",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,evasi0n.com/; classtype:attempted-admin; sid:25616; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android AnserverBot initial contact"; flow:to_server,established; http_uri; content:"/jk.action?a="; content:"&key=",nocase; content:"&g1=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.csc.ncsu.edu/faculty/jiang/AnserverBot/; classtype:trojan-activity; sid:27016; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Satfi device information leakage"; flow:to_server, established; http_uri; content:"confabcode="; content:"msisdn=",distance 0,nocase; content:"imsi=",distance 0,nocase; content:"operator=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/C149AC741A3A1336193D355A7F59A4911D9B6FC8F88307F8EC86C85C10C9059A/analysis/; classtype:trojan-activity; sid:27031; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Walkinwat / Wandt information leakage generic"; flow:to_server, established; http_client_body; content:"SECOND_TABLE="; content:"imei=",nocase; content:"phone",nocase; http_uri; content:"wat.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/c6eb43f2b7071bbfe893fc78419286c3cb7c83ce56517bd281db5e7478caf995/analysis/; classtype:trojan-activity; sid:27032; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android Vidro / EClips sms send instructions"; flow:to_client, established; file_data; content:"|22|messaging_update_interval|22|"; content:"|22|short_code|22|",nocase; content:"|22|send_sms|22|",nocase; content:"|22|messaging_intents|22|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/67e5c171463284894e4521fe9d255bd29e16ed4936d972392d180e207f05daba/analysis/; classtype:trojan-activity; sid:27037; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Vidro / EClips device information leakage"; flow:to_server, established; http_client_body; content:"|22|messagingqueue_size|22|"; content:"|22|sim_msisdn|22|",nocase; content:"|22|device_imei|22|",nocase; content:"|22|sim_imsi|22|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/67e5c171463284894e4521fe9d255bd29e16ed4936d972392d180e207f05daba/analysis/; classtype:trojan-activity; sid:27038; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Gmaster device information send"; flow:to_server,established; http_client_body; content:"uid=",nocase; content:"imei=",nocase; content:"simNum=",nocase; content:"telNum=",nocase; content:"imsi=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99&tabid=2; classtype:trojan-activity; sid:26026; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Tetus device information leakage"; flow:to_server, established; http_header; content:"User-Agent: Dalvik"; http_uri; content:"imei=",nocase; content:"lpn=",nocase; content:"vd=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/855332267ffd1fb671d916822ea2929bef8974441a34cb4d9eb9c9b60ba6481f/analysis/; classtype:trojan-activity; sid:26938; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Tetus device information leakage variant"; flow:to_server, established; http_header; content:"User-Agent: Dalvik"; http_uri; content:"imei=",nocase; content:"referrer=",nocase; content:"pid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/855332267ffd1fb671d916822ea2929bef8974441a34cb4d9eb9c9b60ba6481f/analysis/; classtype:trojan-activity; sid:26939; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.ZertSecurity apk download"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|c|00|e|00|a|00|n|00|d|00|r|00|o|00|i|00|d|00|.|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|.|00|z|00|e|00|r|00|t"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,blog.lookout.com/blog/2013/05/06/zertsecurity; classtype:trojan-activity; sid:26795; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.Opfake APK file download"; flow:to_client,established; file_data; flowbits:isset,file.apk; content:"n|00|g|00|j|00|v|00|n|00|p|00|s|00|l|00|n|00|p|00|.|00|i|00|p|00|l|00|h|00|m|00|k"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/en/file/f2648dc7bc964dc7690c60575ad526ba5b23a0f09312fd7ebf4fa65a379919ca/analysis/; classtype:trojan-activity; sid:26783; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-MOBILE Android ANDR.Trojan.Chuli APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"h|00|t|00|t|00|p|00|:|00|/|00|/|00|6|00|4|00 2E 00|7|00|8|00 2E 00|1|00|6|00|1|00 2E 00|1|00|3|00|3"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:26273; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.Chuli APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"h|00|t|00|t|00|p|00|:|00|/|00|/|00|6|00|4|00 2E 00|7|00|8|00 2E 00|1|00|6|00|1|00 2E 00|1|00|3|00|3"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:26272; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-MOBILE Android ANDR.Trojan.PremiumSMS APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|z|00|w|00|x|00|.|00|f|00|l|00|y|00|a|00|p|00|p"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,blog.trustgo.com/trojanextension-a-complex-malware-escapes-av-detection/; classtype:trojan-activity; sid:26247; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.PremiumSMS APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|z|00|w|00|x|00|.|00|f|00|l|00|y|00|a|00|p|00|p"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,blog.trustgo.com/trojanextension-a-complex-malware-escapes-av-detection/; classtype:trojan-activity; sid:26246; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android SMSZombie APK file download"; flow:to_client,established; file_data; content:"assets/a33.jpg"; flowbits:set,file.smszombie; flowbits:noalert; service:http; service:imap, pop3; reference:url,blog.trustgo.com/SMSZombie/; classtype:trojan-activity; sid:23969; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android SMSZombie APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; flowbits:isset,file.smszombie; file_data; content:"b|00|a|00|o|00|x|00|i|00|a|00|n|00|_|00|z|00|h|00|u|00|s|00|h|00|o|00|u"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,blog.trustgo.com/SMSZombie/; classtype:trojan-activity; sid:23954; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.Opfake device information disclosure attempt"; flow:to_server,established; http_uri; content:"/q.php",nocase; http_header; content:"Apache-HttpClient/UNAVAILABLE (java 1."; http_client_body; content:"log",depth 3,nocase; content:"Executing",distance 0,nocase; content:"sendSMS",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.avast.com/2012/10/31/double-trouble/; classtype:trojan-activity; sid:26827; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.Opfake credential theft attempt"; flow:to_server,established; http_uri; content:"/login.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; http_client_body; content:"user_id=",nocase; content:"&password=",distance 0,nocase; content:"&submit=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.avast.com/2012/10/31/double-trouble/; classtype:trojan-activity; sid:26826; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakedoc device information leakage"; flow:to_server, established; http_uri; content:"&locale_source_term_network_sim="; content:"network=",nocase; content:"&did=",nocase; content:"&model=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/85c4f3066b76671aab7148b98766e6b904c83cd0920187ec4bbd5af8c9e9c970/analysis/; classtype:trojan-activity; sid:26768; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakeinst device information leakage"; flow:to_server, established; http_header; content:"Apache-HttpClient/UNAVAILABLE (java 1.4)|0D 0A|"; http_client_body; content:"imei=",nocase; content:"imsi=",nocase; content:"msisdn=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/0a77e1aac4720037e2946edf84d957616e564bd525e444cf3994f5ae4b9374ab/analysis/; classtype:trojan-activity; sid:26761; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakeinst device information leakage"; flow:to_server, established; http_header; content:"User-Agent: Dalvik/"; http_uri; content:"imei=",nocase; content:"imsi=",nocase; content:"phone=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/0a77e1aac4720037e2946edf84d957616e564bd525e444cf3994f5ae4b9374ab/analysis/; classtype:trojan-activity; sid:26760; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Ewalls device information exfiltration"; flow:to_server, established; http_client_body; content:"uniquely_code="; content:"imsi_mcc",nocase; content:"build_model",nocase; content:"line1_number",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/1318b052ac129baf53b004e2e4a7002f4bf8654c1dd9381c4cbf7a535b5c5106/analysis/; classtype:trojan-activity; sid:26705; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Antammi device information exfiltration"; flow:to_server,established; http_client_body; content:"network_mcc"; content:"imsi=",nocase; content:"phone_number=",nocase; content:"sim_id=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/10e2d89226c48d0d9fc08168cc5e508cd9afc6d08c262e70f02b7de607ef548a/analysis/; classtype:trojan-activity; sid:26693; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Denofow phone information exfiltration"; flow:to_server,established; http_header; content:"SOAPAction: "; http_client_body; content:"</opname>",nocase; content:"</cell>",nocase; content:"</openmic>",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/fc0417fd719f457f172a5c3fbb8fc155a04f2376b2ca4155395e01a028908038/analysis/; classtype:trojan-activity; sid:26689; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 30125 ( msg:"OS-MOBILE Android MDK encrypted information leak"; flow:to_server,established; content:"Host: app.looking3g.com",nocase; content:"/serv?",nocase; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,androidmalwaredump.blogspot.com/2013/01/androidtrojmdk-aka-androidksapp.html; classtype:trojan-activity; sid:26443; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android MDK encrypted information leak"; flow:to_server,established; http_header; content:"Host: wap.juliu.net",nocase; http_uri; content:"/control.html?",nocase; http_header; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,androidmalwaredump.blogspot.com/2013/01/androidtrojmdk-aka-androidksapp.html; classtype:trojan-activity; sid:26442; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android Stels server response"; flow:to_client,established; file_data; content:"{|22|removeAllSmsFilters|22|:"; content:",|22|wait|22|:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/03c1b44c94c86c3137862c20f9f745e0f89ce2cdb778dc6466a06a65b7a591ae/analysis/; classtype:trojan-activity; sid:26388; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Stels initial server contact"; flow:to_server,established; http_client_body; content:"--AaB03x",nocase; content:"Content-Disposition"; content:"botId",nocase; content:"imsi",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/03c1b44c94c86c3137862c20f9f745e0f89ce2cdb778dc6466a06a65b7a591ae/analysis/; classtype:trojan-activity; sid:26387; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 ( msg:"OS-MOBILE Android Ksapp device registration"; flow:to_server,established; http_uri; content:"/kspp/do?imei="; content:"&wid=",nocase; content:"&type=&step=0",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99; classtype:trojan-activity; sid:26291; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.RootSmart outbound communication attempt"; flow:to_server,established; http_client_body; content:"c:root="; content:"/androidService/services/AndroidService"; content:"IMEI",distance 0; content:"&|3B|IMSI",within 9,distance 16; content:"&|3B|TYPE_TEL",within 18,distance 16; content:"INSTALL_TYPE",distance 0; metadata:impact_flag red,policy balanced-ips drop; service:http; reference:url,www.virustotal.com/en/file/8cb40e8dce05482907ff83b39911831daf20e4a69ee63a6cff523c880eed1acf/analysis/; classtype:trojan-activity; sid:26290; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakenetflix email password upload"; flow:to_server,established; http_header; content:"Host|3A| erofolio.no-ip.biz"; http_client_body; content:"email=",nocase; content:"&pass=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99&tabid=2; classtype:trojan-activity; sid:26205; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android CruseWind imei leakage"; flow:to_server,established; http_uri; content:"/flash/test.xml?imei="; content:"&time=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99&tabid=2; classtype:trojan-activity; sid:26192; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android YZHC device registration"; flow:to_server,established; http_uri; content:"action=domregbycode&"; content:"channe="; content:"imsi="; content:"code="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.csc.ncsu.edu/faculty/jiang/YZHCSMS/; classtype:trojan-activity; sid:26190; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9888 ( msg:"OS-MOBILE Android YZHC device registration"; flow:to_server,established; content:"networklocale="; content:"networkname="; content:"networkcode="; content:"register?imei="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.csc.ncsu.edu/faculty/jiang/YZHCSMS/; classtype:trojan-activity; sid:26189; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Zitmo trojan intercepted sms upload"; flow:to_server,established; http_uri; content:"/security.jsp",nocase; http_client_body; content:"f0=",nocase; content:"&b0=",nocase; content:"&pid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:26114; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android KMin imei imsi leakage"; flow:to_server,established; http_uri; content:"/portal/m/c",nocase; content:".ashx?",nocase; content:"&nt2=",nocase; content:"&tp=2",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99&tabid=2; classtype:trojan-activity; sid:26104; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GoldDream device registration"; flow:to_server,established; http_uri; content:"/zj/RegistUid.aspx?pid=",nocase; content:"&imsi=",nocase; content:"&imei=",nocase; content:"&sim=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.cs.ncsu.edu/faculty/jiang/GoldDream/; classtype:trojan-activity; sid:26102; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GoneIn60Seconds data upload"; flow:to_server,established; http_client_body; content:"data=",nocase; content:"contacts%22%3a",nocase; content:"sms%22%3a",nocase; content:"recent%22%3a",nocase; content:"url%22%3a",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99&tabid=2; classtype:trojan-activity; sid:26087; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GGTracker installation call out"; flow:to_server,established; http_uri; content:"/SM",nocase; content:"|3F|device_id=",nocase; content:"|26|adv_sub=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26018; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GGTracker leak of device phone number"; flow:to_server,established; http_uri; content:"notif.php?phone=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26017; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GGTracker server communication"; flow:to_server,established; http_client_body; content:"number=",nocase; content:"carrier=",nocase; content:"message=",nocase; content:"sdk=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26016; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Lovetrap initial connection"; flow:to_server,established; http_uri; content:"positionrecorder.asmx",nocase; content:"imsi=",nocase; content:"appid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:26015; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ADRD encrypted information leak"; flow:to_server,established; http_uri; content:".aspx?im=",nocase; http_header; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; content:"Accept-Language: zh-CN, en-US",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:25999; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ADRD encrypted information leak"; flow:to_server,established; http_uri; content:".aspx?im=",nocase; http_header; content:"User-Agent: J2ME/UCWEB7.4.0.57"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:25998; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android jSMSHider initial encrypted device info send"; flow:to_server,established; http_client_body; content:"svs=",nocase; content:"sid=",nocase; content:"ssd=",nocase; content:"sta=",nocase; content:"sac=",nocase; content:"sci=",nocase; content:"sch=",nocase; content:"stp=",nocase; content:"svr=",nocase; content:"sig=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.lookout.com/blog/2011/06/15/security-alert-malware-found-targeting-custom-roms-jsmshider/; classtype:trojan-activity; sid:25997; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android.Trojan.Rus.SMS outbound communication attempt"; flow:established,to_server; http_client_body; content:"imei=",depth 5; content:"&time=",within 6,distance 15; content:"&os=",distance 0; content:"&imsi=",distance 0; content:"&v=",within 3,distance 15; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/664725869278f478e5a50a5e359dc6d5cf4f2a7019d0c122e2fa1e318f19636b/analysis/; classtype:trojan-activity; sid:25868; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android AngryBirdsRioUnlocker initial device info send"; flow:to_server,established; http_client_body; content:"|22|userId|22 3A 22|NOT IN USE!!!|22|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.geek.com/articles/mobile/google-removes-malicious-angry-birds-apps-from-android-market-20110614/; classtype:trojan-activity; sid:25864; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Apple iOS 6.x jailbreak download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"evasi0n-win-"; content:"evasi0n.exe",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,evasi0n.com/; classtype:attempted-admin; sid:25615; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-MOBILE Apple iOS 6.x jailbreak download attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"evasi0n-win-"; content:"evasi0n.exe",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,evasi0n.com/; classtype:attempted-admin; sid:25616; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android AnserverBot initial contact"; flow:to_server,established; http_uri; content:"/jk.action?a="; content:"&key=",nocase; content:"&g1=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.csc.ncsu.edu/faculty/jiang/AnserverBot/; classtype:trojan-activity; sid:27016; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Satfi device information leakage"; flow:to_server, established; http_uri; content:"confabcode="; content:"msisdn=",distance 0,nocase; content:"imsi=",distance 0,nocase; content:"operator=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/C149AC741A3A1336193D355A7F59A4911D9B6FC8F88307F8EC86C85C10C9059A/analysis/; classtype:trojan-activity; sid:27031; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Walkinwat / Wandt information leakage generic"; flow:to_server, established; http_client_body; content:"SECOND_TABLE="; content:"imei=",nocase; content:"phone",nocase; http_uri; content:"wat.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/c6eb43f2b7071bbfe893fc78419286c3cb7c83ce56517bd281db5e7478caf995/analysis/; classtype:trojan-activity; sid:27032; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android Vidro / EClips sms send instructions"; flow:to_client, established; file_data; content:"|22|messaging_update_interval|22|"; content:"|22|short_code|22|",nocase; content:"|22|send_sms|22|",nocase; content:"|22|messaging_intents|22|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/67e5c171463284894e4521fe9d255bd29e16ed4936d972392d180e207f05daba/analysis/; classtype:trojan-activity; sid:27037; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Vidro / EClips device information leakage"; flow:to_server, established; http_client_body; content:"|22|messagingqueue_size|22|"; content:"|22|sim_msisdn|22|",nocase; content:"|22|device_imei|22|",nocase; content:"|22|sim_imsi|22|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/67e5c171463284894e4521fe9d255bd29e16ed4936d972392d180e207f05daba/analysis/; classtype:trojan-activity; sid:27038; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 7766 ( msg:"OS-MOBILE Android Spy2Mobile device information leakage"; flow:to_server, established; content:"|22|protocol_ver|22|:"; content:"|22|imei|22|:",nocase; content:"|22|version|22|:",nocase; content:"|22|packet|22|:",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/en/file/35f87a74a89a6ef69a68e8387671a36e26afd2df68136feac4be6c381d049005/analysis/; classtype:trojan-activity; sid:27064; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.FakeToken information disclosure attempt"; flow:to_server,established; http_uri; content:"/cp/server.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; http_client_body; content:"imei",nocase; content:"sid_1",distance 0,nocase; content:"smsResults",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79/analysis/; classtype:trojan-activity; sid:27094; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.FakeToken APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"OriginalDocumentID=|22|uuid:053FFFFBB1EEE0119F83A87C5C1D6A29"; content:"xmp.iid:601E7F76F132E1118DA2D9C4A1B3D877",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79/analysis/; classtype:trojan-activity; sid:27095; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence APK file download attempt"; flow:to_client,established; file_data; flowbits:isset,file.apk; content:"c|00|o|00|m|00|.|00|v|00|e|00|r|00|t|00|u|00|."; content:"dat.dat",nocase; content:"dat0.dat",within 200,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27097; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence unsolicited sms attempt"; flow:to_server,established; http_uri; content:"/Android_SMS/receiving.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; http_client_body; content:"mobile=",depth 7,nocase; content:"&revsms=",within 8,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27098; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence device information disclosure attempt"; flow:to_server,established; http_uri; content:"/Android_SMS/installing.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; content:"Content-Length: 18",nocase; http_client_body; content:"mobile=",depth 7,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27099; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.FakeToken information disclosure attempt"; flow:to_server,established; http_uri; content:"/cp/server.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; http_client_body; content:"imei",nocase; content:"sid_1",distance 0,nocase; content:"smsResults",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79/analysis/; classtype:trojan-activity; sid:27094; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.FakeToken APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"OriginalDocumentID=|22|uuid:053FFFFBB1EEE0119F83A87C5C1D6A29"; content:"xmp.iid:601E7F76F132E1118DA2D9C4A1B3D877",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/en/file/f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79/analysis/; classtype:trojan-activity; sid:27095; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence APK file download attempt"; flow:to_client,established; file_data; flowbits:isset,file.apk; content:"c|00|o|00|m|00|.|00|v|00|e|00|r|00|t|00|u|00|."; content:"dat.dat",nocase; content:"dat0.dat",within 200,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27097; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence unsolicited sms attempt"; flow:to_server,established; http_uri; content:"/Android_SMS/receiving.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; http_client_body; content:"mobile=",depth 7,nocase; content:"&revsms=",within 8,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27098; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence device information disclosure attempt"; flow:to_server,established; http_uri; content:"/Android_SMS/installing.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; content:"Content-Length: 18",nocase; http_client_body; content:"mobile=",depth 7,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27099; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"OS-MOBILE Android Androrat device information leakage"; flow:to_server, established; content:"sr|00 13|java.util.Hashtable"; content:"PhoneNumber"; content:"SimOperator"; content:"IMEI"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27116; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"OS-MOBILE Android Androrat sms message leakage"; flow:to_server, established; content:"sr|00 13|java.util.Arraylist"; content:"sr|00 10|Packet.SMSPacket"; content:"person"; content:"thread_id"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27117; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"OS-MOBILE Android Androrat contact list leakage"; flow:to_server, established; content:"sr|00 13|java.util.Arraylist"; content:"sr|00 0D|utils.Contact"; content:"times_contacted"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27118; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android Exploit Extra_Field APK file download"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"PK|03 04|"; content:"|00 00|",within 2,distance 4; byte_test:2, >, 0x7FFF, 18, relative, little; content:"classes.dex",within 11,distance 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www; classtype:trojan-activity; sid:27552; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-OTHER DLink IP camera remote command execution vulnerability - access to vulnerable rtpd.cgi"; flow:to_server,established; http_uri; content:"/cgi-bin/rtpd.cgi?"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1599; reference:url,seclists.org/fulldisclosure/2013/Apr/253; classtype:attempted-admin; sid:26559; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows GDIplus integer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; content:"|20|EMF",within 4,distance 36; content:"|45 4D 46 2B 08 40|"; pcre:"/\x45\x4d\x46\x2b\x08\x40.(\x06|\x86).{28}([\xf4-\xff]\xff\xff(\xff|\x7f)|[\x00-\x06]\x00\x00\x80)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:misc-activity; sid:16679; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows AFD.SYS null write attempt"; flow:to_client,established; file_data; content:"|6A 18 50 68 AB 80 40 00 89 BD B0 FC FF FF 89 B5 B8 FC FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-046; classtype:attempted-admin; sid:18691; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows ATMFD Adobe font driver remote code execution attempt"; flow:to_client,established; file_data; content:"|F7 CE 07 0E A2 01 F7 A7 C8 03 14 E0 F7 E6 43 15 BE C9 A3 B0|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,46106; reference:cve,2011-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-007; classtype:attempted-user; sid:19196; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows .NET ArraySegment escape exploit attempt"; flow:to_client,established; file_data; content:"|00 6E 00 6E 00 6F 00 63 00 65 00 6E 00 74 00 41 00 72 00 72|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0664; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-039; classtype:attempted-user; sid:19185; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Media Player skin decompression code execution attempt"; flow:to_client,established; file_data; content:"|5B B7 D6 CA 91 94 5C C8 DB B1 29 8F FA A4 39 A6 9B B3 65 AD 6D CE EC 2C DB 28 0F FB FD E1 F9 F5 F9 E1 F9 7C 9E 83 C1 41 7B F6 26 93 40 0A B0 0C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25307; reference:cve,2007-3035; classtype:attempted-user; sid:17228; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] ( msg:"OS-WINDOWS Microsoft Windows Active Directory crafted LDAP request denial of service attempt"; flow:to_server,established; content:"|04 00 0A 01 00 0A 01 03 02 01|d|02 01|<|01 01 00 A1 0B FF|bjectclass0|84 00 00 00 17 04 15|supportedCapabilities"; metadata:policy balanced-ips drop,policy security-ips drop,service ldap; reference:bugtraq,24796; reference:cve,2007-3028; classtype:attempted-dos; sid:15944; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt"; flow:to_client,established; file_data; content:"href",nocase; content:"|23 3A|//",within 500,fast_pattern; pcre:"/\<a\s+[^\>]*href\s*\x3D\s*[\x22\x27]?[^\>\x22\x27]*\x23\x3A\x2F\x2F[^\>]+\>/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-007; classtype:attempted-user; sid:16414; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows search protocol remote command injection attempt"; flow:to_client,established; file_data; content:"src=",nocase; content:"search-ms:",within 12,nocase; pcre:"/src=(?P<q1>[\x22\x27])\s*?search-ms\x3a[^#]*?query=[^#]*?#[^(P=q1)]*?\x2f(root|select)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-075; classtype:attempted-user; sid:15116; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows malformed ASF voice codec memory corruption attempt"; flow:to_client,established; file_data; content:"@|9E|i|F8|M[|CF 11 A8 FD 00 80|_|5C|D+"; isdataat:46,relative; pcre:"/^.{38}\x0a\x00..(?!(\x40\x1f|\x11\x2b|\x80\x3e|\x22\x56)\x00\x00)/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0555; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-051; classtype:attempted-user; sid:16157; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows javascript arguments keyword override rce attempt"; flow:to_client,established; file_data; content:"function arguments"; pcre:"/function arguments\s*\x28\s*\x29\s*\x7b/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1920; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-045; classtype:attempted-user; sid:15913; rev:8; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Windows ISA Server cross-site scripting attempt"; flow:to_server,established; http_uri; content:"CookieAuth.dll",nocase; content:"GetLogonRedir",distance 0,fast_pattern,nocase; content:"formdir=",distance 0,nocase; content:"reason=",nocase; pcre:"/reason=[^\r\n\x26]+(alert|script|onclick|onload|onmouseover|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0237; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-016; classtype:attempted-user; sid:15475; rev:8; )
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows CryptoAPI ASN.1 integer overflow attempt"; flow:to_client,established; content:"|55 04|"; content:"|80 80 80 03 0C|",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service ssl; reference:cve,2009-2511; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-056; classtype:attempted-user; sid:16181; rev:8; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Windows Forefront UAG URL XSS attempt"; flow:to_server, established; http_uri; content:"|2F|m|2F|default|2E|aspx",fast_pattern,nocase; content:"orig_url=",nocase; pcre:"/orig_url=[^\x26]*[\x22\x27\x28\x29\x3C\x3E]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-2734; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-admin; sid:18074; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; file_data; content:"url|28|data|3A|font|2F|ttf|3B|"; content:"base64|2C|AAEAAAAT",within 15; content:"A2hMVFNI5UGsngAA",within 16,distance 48; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,osvdb.org/show/osvdb/67984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:17256; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Help Centre escape sequence XSS attempt"; flow:to_client,established; file_data; content:"hcp|3A 2F 2F|",nocase; content:"script",distance 0,nocase; content:"defer",distance 0,nocase; pcre:"/hcp\x3a\x2f\x2f[^\n]*(\x3c|\x253c)script(\s|\x2520|\x2f)+defer/iO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40725; reference:cve,2010-1885; reference:url,osvdb.org/show/osvdb/65264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-042; classtype:attempted-user; sid:16665; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows CSRSS double free attempt"; flow:to_client,established; file_data; content:"|4A 10 33 C0 8B 4D FC 66 89 41 16 33 D2 8B 45 FC 66 89 50 12 8B 4D FC C7 41 0C 11 14 14 14 6A 1C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1284; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19463; rev:7; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows CSRSS negative array index code execution attempt"; flow:to_client,established; file_data; content:"|45 E0 00 80 00 00 C7 45 E4 0A 00 00 00 C7 45 E8 00 00 00 00 8B F4 8D 45 DC 50 FF 15 A8 81 41 00 3B F4 E8 3A FD FF FF 89 45 F4 8B F4 FF 15 A4 81|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19462; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows CSRSS multiple consoles on a single process attempt"; flow:to_client,established; file_data; content:"|50 92 40 00 E8 8E 04 00 00 83 C0 40 50 E8 F9 03 00 00 83 C4 0C 6A 01 E8 87 03 00 00 68 9C 92 40|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1281; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19460; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Fax Services Cover Page Editor overflow attempt"; flow:to_client,established; file_data; content:"FAXCOVER-VER005w",nocase; content:"|87 00 00 00 4C 17 00 00 00 00 00 00 52 03 00 00|",within 100,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.vupen.com/english/advisories/2010/3327; classtype:attempted-user; sid:18246; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows ASF parsing memory corruption attempt"; flow:to_client,established; file_data; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; content:"|91 07 DC B7 B7 A9 CF 11 8E E6 00 C0 0C 20 53 65|"; content:"|E0 7D 90 35 15 E4 CF 11 A9 17 00 80 5F 5C 44 2B|"; byte_test:2,>,0xffc6,52,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-068; classtype:attempted-user; sid:17711; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt"; flow:to_client,established; file_data; content:"document|2E|location|2E|replace"; content:"|2E|exe",distance 0,nocase; content:"|2E|pdf",distance 0,nocase; pcre:"/document\x2Elocation\x2Ereplace\s*\x28\s*(\x22|\x27)[a-z0-9]+\.exe\?[a-z0-9]+\.pdf/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:17467; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numcolors parameter buffer overflow attempt"; flow:to_client,established; file_data; content:"recolorinfo"; content:"numcolors"; pcre:"/recolorinfo[^>]*numcolors\s*=\s*\x22/si"; byte_test:10,>,24403223,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-004; classtype:attempted-user; sid:9849; rev:12; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numfills parameter buffer overflow attempt"; flow:to_client,established; file_data; content:"recolorinfo"; content:"numfills"; pcre:"/recolorinfo[^>]*numfills\s*=\s*\x22/si"; byte_test:10,>,24403223,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-004; classtype:attempted-user; sid:9848; rev:11; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C 20 53 65|"; byte_test:4,>,134217727,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9643; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|40 52 D1 86 1D 31 D0 11 A3 A4 00 A0 C9 03 48 F6|"; byte_test:4,>,134217727,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9642; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|90 08 00 33 B1 E5 CF 11 89 F4 00 A0 C9 03 49 CB|"; byte_test:4,>,715827882,36,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9641; rev:8; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-MOBILE Android Exploit Extra_Field APK file download"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"PK|03 04|"; content:"|00 00|",within 2,distance 4; byte_test:2, >, 0x7FFF, 18, relative, little; content:"classes.dex",within 11,distance 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www; classtype:trojan-activity; sid:27552; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-OTHER DLink IP camera remote command execution vulnerability - access to vulnerable rtpd.cgi"; flow:to_server,established; http_uri; content:"/cgi-bin/rtpd.cgi?"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-1599; reference:url,seclists.org/fulldisclosure/2013/Apr/253; classtype:attempted-admin; sid:26559; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows GDIplus integer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; content:"|20|EMF",within 4,distance 36; content:"|45 4D 46 2B 08 40|"; pcre:"/\x45\x4d\x46\x2b\x08\x40.(\x06|\x86).{28}([\xf4-\xff]\xff\xff(\xff|\x7f)|[\x00-\x06]\x00\x00\x80)/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:misc-activity; sid:16679; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows AFD.SYS null write attempt"; flow:to_client,established; file_data; content:"|6A 18 50 68 AB 80 40 00 89 BD B0 FC FF FF 89 B5 B8 FC FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-1249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-046; classtype:attempted-admin; sid:18691; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows ATMFD Adobe font driver remote code execution attempt"; flow:to_client,established; file_data; content:"|F7 CE 07 0E A2 01 F7 A7 C8 03 14 E0 F7 E6 43 15 BE C9 A3 B0|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,46106; reference:cve,2011-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-007; classtype:attempted-user; sid:19196; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows .NET ArraySegment escape exploit attempt"; flow:to_client,established; file_data; content:"|00 6E 00 6E 00 6F 00 63 00 65 00 6E 00 74 00 41 00 72 00 72|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-0664; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-039; classtype:attempted-user; sid:19185; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Media Player skin decompression code execution attempt"; flow:to_client,established; file_data; content:"|5B B7 D6 CA 91 94 5C C8 DB B1 29 8F FA A4 39 A6 9B B3 65 AD 6D CE EC 2C DB 28 0F FB FD E1 F9 F5 F9 E1 F9 7C 9E 83 C1 41 7B F6 26 93 40 0A B0 0C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,25307; reference:cve,2007-3035; classtype:attempted-user; sid:17228; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] ( msg:"OS-WINDOWS Microsoft Windows Active Directory crafted LDAP request denial of service attempt"; flow:to_server,established; content:"|04 00 0A 01 00 0A 01 03 02 01|d|02 01|<|01 01 00 A1 0B FF|bjectclass0|84 00 00 00 17 04 15|supportedCapabilities"; metadata:policy balanced-ips drop,policy security-ips drop; service:ldap; reference:bugtraq,24796; reference:cve,2007-3028; classtype:attempted-dos; sid:15944; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt"; flow:to_client,established; file_data; content:"href",nocase; content:"|23 3A|//",within 500,fast_pattern; pcre:"/\<a\s+[^\>]*href\s*\x3D\s*[\x22\x27]?[^\>\x22\x27]*\x23\x3A\x2F\x2F[^\>]+\>/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-007; classtype:attempted-user; sid:16414; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows search protocol remote command injection attempt"; flow:to_client,established; file_data; content:"src=",nocase; content:"search-ms:",within 12,nocase; pcre:"/src=(?P<q1>[\x22\x27])\s*?search-ms\x3a[^#]*?query=[^#]*?#[^(P=q1)]*?\x2f(root|select)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-4269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-075; classtype:attempted-user; sid:15116; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows malformed ASF voice codec memory corruption attempt"; flow:to_client,established; file_data; content:"@|9E|i|F8|M[|CF 11 A8 FD 00 80|_|5C|D+"; isdataat:46,relative; pcre:"/^.{38}\x0a\x00..(?!(\x40\x1f|\x11\x2b|\x80\x3e|\x22\x56)\x00\x00)/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2009-0555; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-051; classtype:attempted-user; sid:16157; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows javascript arguments keyword override rce attempt"; flow:to_client,established; file_data; content:"function arguments"; pcre:"/function arguments\s*\x28\s*\x29\s*\x7b/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-1920; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-045; classtype:attempted-user; sid:15913; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Windows ISA Server cross-site scripting attempt"; flow:to_server,established; http_uri; content:"CookieAuth.dll",nocase; content:"GetLogonRedir",distance 0,fast_pattern,nocase; content:"formdir=",distance 0,nocase; content:"reason=",nocase; pcre:"/reason=[^\r\n\x26]+(alert|script|onclick|onload|onmouseover|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-0237; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-016; classtype:attempted-user; sid:15475; rev:8; )
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows CryptoAPI ASN.1 integer overflow attempt"; flow:to_client,established; content:"|55 04|"; content:"|80 80 80 03 0C|",within 20; metadata:policy balanced-ips drop,policy security-ips drop; service:ssl; reference:cve,2009-2511; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-056; classtype:attempted-user; sid:16181; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Windows Forefront UAG URL XSS attempt"; flow:to_server, established; http_uri; content:"|2F|m|2F|default|2E|aspx",fast_pattern,nocase; content:"orig_url=",nocase; pcre:"/orig_url=[^\x26]*[\x22\x27\x28\x29\x3C\x3E]/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-2734; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-admin; sid:18074; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; file_data; content:"url|28|data|3A|font|2F|ttf|3B|"; content:"base64|2C|AAEAAAAT",within 15; content:"A2hMVFNI5UGsngAA",within 16,distance 48; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,osvdb.org/show/osvdb/67984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:17256; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Help Centre escape sequence XSS attempt"; flow:to_client,established; file_data; content:"hcp|3A 2F 2F|",nocase; content:"script",distance 0,nocase; content:"defer",distance 0,nocase; pcre:"/hcp\x3a\x2f\x2f[^\n]*(\x3c|\x253c)script(\s|\x2520|\x2f)+defer/iO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,40725; reference:cve,2010-1885; reference:url,osvdb.org/show/osvdb/65264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-042; classtype:attempted-user; sid:16665; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows CSRSS double free attempt"; flow:to_client,established; file_data; content:"|4A 10 33 C0 8B 4D FC 66 89 41 16 33 D2 8B 45 FC 66 89 50 12 8B 4D FC C7 41 0C 11 14 14 14 6A 1C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-1284; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19463; rev:7; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows CSRSS negative array index code execution attempt"; flow:to_client,established; file_data; content:"|45 E0 00 80 00 00 C7 45 E4 0A 00 00 00 C7 45 E8 00 00 00 00 8B F4 8D 45 DC 50 FF 15 A8 81 41 00 3B F4 E8 3A FD FF FF 89 45 F4 8B F4 FF 15 A4 81|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-1283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19462; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows CSRSS multiple consoles on a single process attempt"; flow:to_client,established; file_data; content:"|50 92 40 00 E8 8E 04 00 00 83 C0 40 50 E8 F9 03 00 00 83 C4 0C 6A 01 E8 87 03 00 00 68 9C 92 40|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-1281; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19460; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Fax Services Cover Page Editor overflow attempt"; flow:to_client,established; file_data; content:"FAXCOVER-VER005w",nocase; content:"|87 00 00 00 4C 17 00 00 00 00 00 00 52 03 00 00|",within 100,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.vupen.com/english/advisories/2010/3327; classtype:attempted-user; sid:18246; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows ASF parsing memory corruption attempt"; flow:to_client,established; file_data; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; content:"|91 07 DC B7 B7 A9 CF 11 8E E6 00 C0 0C 20 53 65|"; content:"|E0 7D 90 35 15 E4 CF 11 A9 17 00 80 5F 5C 44 2B|"; byte_test:2,>,0xffc6,52,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-068; classtype:attempted-user; sid:17711; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt"; flow:to_client,established; file_data; content:"document|2E|location|2E|replace"; content:"|2E|exe",distance 0,nocase; content:"|2E|pdf",distance 0,nocase; pcre:"/document\x2Elocation\x2Ereplace\s*\x28\s*(\x22|\x27)[a-z0-9]+\.exe\?[a-z0-9]+\.pdf/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:17467; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numcolors parameter buffer overflow attempt"; flow:to_client,established; file_data; content:"recolorinfo"; content:"numcolors"; pcre:"/recolorinfo[^>]*numcolors\s*=\s*\x22/si"; byte_test:10,>,24403223,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-004; classtype:attempted-user; sid:9849; rev:12; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numfills parameter buffer overflow attempt"; flow:to_client,established; file_data; content:"recolorinfo"; content:"numfills"; pcre:"/recolorinfo[^>]*numfills\s*=\s*\x22/si"; byte_test:10,>,24403223,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-004; classtype:attempted-user; sid:9848; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C 20 53 65|"; byte_test:4,>,134217727,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9643; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|40 52 D1 86 1D 31 D0 11 A3 A4 00 A0 C9 03 48 F6|"; byte_test:4,>,134217727,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9642; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|90 08 00 33 B1 E5 CF 11 89 F4 00 A0 C9 03 49 CB|"; byte_test:4,>,715827882,36,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9641; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] ( msg:"OS-WINDOWS Microsoft Windows Active Directory Crafted LDAP ModifyRequest"; flow:to_server,established; content:"0|84|",depth 2; content:"|66 84|",within 16; byte_test:4,>,0x0F0000,2; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2007-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-039; classtype:attempted-admin; sid:12069; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] ( msg:"OS-WINDOWS Microsoft Windows Active Directory Crafted LDAP ModifyRequest"; flow:to_server,established; content:"0|83|",depth 2; content:"|66 84|",within 16; byte_test:3,>,0x0F0000,2; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2007-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-039; classtype:attempted-admin; sid:20671; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows GDI+ TIFF RLE compressed data buffer overflow attempt"; flow:to_client,established; file_data; content:"II*|00|"; content:"|03 01 03 00 01 00 00 00 04 00 00 00|",distance 0; content:"P|DC 9A 86 E4 D4|7&|A1 B9|5|0D C9 A8|nMCrj|1B 93|P|DC 9A 86 E4 D4|7"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16327; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows GDI+ compressed TIFF file parsing remote code execution attempt"; flow:to_client,established; file_data; content:"II*|00|"; content:"|03 01 03 00 01 00 00 00 04 00 00 00|",distance 0; content:"&|A1 B9|5|0D C9 A8|nMCrj|1B 93|P|DC 9A 86 E4 D4|7&|A1 B9|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16185; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows DirectShow MJPEG arbitrary code execution attempt"; flow:to_client,established; file_data; content:"LISTt|B4 08 00|movi00db@J|00 00 D0 F5|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-011; classtype:attempted-user; sid:15457; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows DirectShow MJPEG arbitrary code execution attempt"; flow:to_client,established; file_data; content:"LIST|A0 84 01 00|movi00dc|E3 02 00 00 D0 D8|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-011; classtype:attempted-user; sid:16187; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 42 ( msg:"OS-WINDOWS Microsoft Windows WINS replication inform2 request memory corruption attempt"; flow:to_server,established; content:"|00 00 00 03 00 00 00 09|",depth 8,offset 12; byte_test:4,>,65535,0,relative,big; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ns; reference:cve,2009-1924; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-039; classtype:attempted-admin; sid:15849; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 42 ( msg:"OS-WINDOWS Microsoft Windows WINS replication inform2 request memory corruption attempt"; flow:to_server,established; content:"|00 00 00 03 00 00 00 08|",depth 8,offset 12; byte_test:4,>,65535,0,relative,big; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ns; reference:cve,2009-1924; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-039; classtype:attempted-admin; sid:17721; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 389 ( msg:"OS-WINDOWS Microsoft Windows Active Directory LDAP denial of service attempt"; flow:to_server,established; content:"0",depth 1; content:"|02|",within 20; content:"c",within 20; content:"=|23|04",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service ldap; reference:cve,2009-1138; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-018; classtype:attempted-admin; sid:15527; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Media Encoder 9 ActiveX buffer overflow attempt"; flow:to_client,established; file_data; content:"unescape|28|'"; content:"GetDetailsString|28|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:16578; rev:5; )
-alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows srvsvc NetrShareEnum netname overflow attempt"; flow:to_client,established; content:"y|06 00 00 00 00 00 00|y|06 00 00|A|00|A|00|"; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2009-0228; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-022; classtype:protocol-command-decode; sid:15523; rev:6; )
-alert tcp any [137,139] -> $HOME_NET any ( msg:"OS-WINDOWS SMB Microsoft Windows RAP API NetServerEnum2 long server name buffer overflow attempt"; flow:to_client,established; flowbits:isset,netsenum; content:"|EA 00|",depth 2,offset 60; isdataat:22; content:!"|00|",within 16,distance 6; metadata:policy balanced-ips alert,policy security-ips drop,service netbios-ssn; reference:bugtraq,54940; reference:cve,2012-1853; reference:url,osvdb.org/show/osvdb/84601; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-dos; sid:24007; rev:5; )
-alert tcp $HOME_NET any -> any [137,139] ( msg:"OS-WINDOWS SMB Microsoft Windows RAP API NetServerEnum2 long server name buffer overflow attempt"; flow:to_server,established; content:"|68 00|WrLehD"; pcre:"/^[oz]/Ri"; content:"|01 00|",within 2,distance 9; flowbits:set,netsenum; flowbits:noalert; metadata:service netbios-ssn; reference:bugtraq,54940; reference:cve,2012-1853; reference:url,osvdb.org/show/osvdb/84601; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-dos; sid:23839; rev:8; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt"; flow:to_server,established; dsize:>250; content:"|02|SMB 2"; content:"|FF|SMBr|00 00 00|",depth 8,offset 4; content:!"|00 00|",within 2,distance 4; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2009-2532; reference:cve,2009-3103; reference:url,technet.microsoft.com/en-us/security/advisory/975497; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-050; classtype:attempted-admin; sid:15930; rev:17; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-WINDOWS Microsoft Windows wpad dynamic update request "; flow:to_server; content:"|04|wpad"; byte_test:1, &, 8, 2; byte_test:1, &, 32, 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service dns; reference:cve,2009-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; classtype:attempted-admin; sid:15386; rev:5; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-WINDOWS Microsoft Windows wpad dynamic update request "; flow:to_server; content:"|06|isatap"; byte_test:1, &, 8, 2; byte_test:1, &, 32, 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service dns; reference:cve,2009-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; classtype:attempted-admin; sid:17731; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows .NET framework optimizer escalation attempt"; flow:to_client,established; file_data; content:"|00|Program|00|Big|00|Misaligned|00|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3958; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-028; classtype:attempted-user; sid:18624; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt"; flow:to_client,established; file_data; content:"|74 00 00 00 00 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 0A 4E 6F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-011; classtype:attempted-admin; sid:18413; rev:11; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt"; flow:to_client,established; file_data; content:"|74 00 00 00 00 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 0A 4E 6F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-011; classtype:attempted-admin; sid:18408; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows GDI+ TIFF RLE compressed data buffer overflow attempt"; flow:to_client,established; file_data; content:"II*|00|"; content:"|03 01 03 00 01 00 00 00 04 00 00 00|",distance 0; content:"P|DC 9A 86 E4 D4|7&|A1 B9|5|0D C9 A8|nMCrj|1B 93|P|DC 9A 86 E4 D4|7"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-2503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16327; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows GDI+ compressed TIFF file parsing remote code execution attempt"; flow:to_client,established; file_data; content:"II*|00|"; content:"|03 01 03 00 01 00 00 00 04 00 00 00|",distance 0; content:"&|A1 B9|5|0D C9 A8|nMCrj|1B 93|P|DC 9A 86 E4 D4|7&|A1 B9|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-2503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16185; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows DirectShow MJPEG arbitrary code execution attempt"; flow:to_client,established; file_data; content:"LISTt|B4 08 00|movi00db@J|00 00 D0 F5|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-011; classtype:attempted-user; sid:15457; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows DirectShow MJPEG arbitrary code execution attempt"; flow:to_client,established; file_data; content:"LIST|A0 84 01 00|movi00dc|E3 02 00 00 D0 D8|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-011; classtype:attempted-user; sid:16187; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 42 ( msg:"OS-WINDOWS Microsoft Windows WINS replication inform2 request memory corruption attempt"; flow:to_server,established; content:"|00 00 00 03 00 00 00 09|",depth 8,offset 12; byte_test:4,>,65535,0,relative,big; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ns; reference:cve,2009-1924; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-039; classtype:attempted-admin; sid:15849; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 42 ( msg:"OS-WINDOWS Microsoft Windows WINS replication inform2 request memory corruption attempt"; flow:to_server,established; content:"|00 00 00 03 00 00 00 08|",depth 8,offset 12; byte_test:4,>,65535,0,relative,big; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ns; reference:cve,2009-1924; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-039; classtype:attempted-admin; sid:17721; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 389 ( msg:"OS-WINDOWS Microsoft Windows Active Directory LDAP denial of service attempt"; flow:to_server,established; content:"0",depth 1; content:"|02|",within 20; content:"c",within 20; content:"=|23|04",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:ldap; reference:cve,2009-1138; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-018; classtype:attempted-admin; sid:15527; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Media Encoder 9 ActiveX buffer overflow attempt"; flow:to_client,established; file_data; content:"unescape|28|'"; content:"GetDetailsString|28|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:16578; rev:5; )
+alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows srvsvc NetrShareEnum netname overflow attempt"; flow:to_client,established; content:"y|06 00 00 00 00 00 00|y|06 00 00|A|00|A|00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2009-0228; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-022; classtype:protocol-command-decode; sid:15523; rev:6; )
+alert tcp any [137,139] -> $HOME_NET any ( msg:"OS-WINDOWS SMB Microsoft Windows RAP API NetServerEnum2 long server name buffer overflow attempt"; flow:to_client,established; flowbits:isset,netsenum; content:"|EA 00|",depth 2,offset 60; isdataat:22; content:!"|00|",within 16,distance 6; metadata:policy balanced-ips alert,policy security-ips drop; service:netbios-ssn; reference:bugtraq,54940; reference:cve,2012-1853; reference:url,osvdb.org/show/osvdb/84601; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-dos; sid:24007; rev:5; )
+alert tcp $HOME_NET any -> any [137,139] ( msg:"OS-WINDOWS SMB Microsoft Windows RAP API NetServerEnum2 long server name buffer overflow attempt"; flow:to_server,established; content:"|68 00|WrLehD"; pcre:"/^[oz]/Ri"; content:"|01 00|",within 2,distance 9; flowbits:set,netsenum; flowbits:noalert; service:netbios-ssn; reference:bugtraq,54940; reference:cve,2012-1853; reference:url,osvdb.org/show/osvdb/84601; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-dos; sid:23839; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt"; flow:to_server,established; dsize:>250; content:"|02|SMB 2"; content:"|FF|SMBr|00 00 00|",depth 8,offset 4; content:!"|00 00|",within 2,distance 4; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2009-2532; reference:cve,2009-3103; reference:url,technet.microsoft.com/en-us/security/advisory/975497; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-050; classtype:attempted-admin; sid:15930; rev:17; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-WINDOWS Microsoft Windows wpad dynamic update request "; flow:to_server; content:"|04|wpad"; byte_test:1, &, 8, 2; byte_test:1, &, 32, 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:dns; reference:cve,2009-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; classtype:attempted-admin; sid:15386; rev:5; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-WINDOWS Microsoft Windows wpad dynamic update request "; flow:to_server; content:"|06|isatap"; byte_test:1, &, 8, 2; byte_test:1, &, 32, 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:dns; reference:cve,2009-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; classtype:attempted-admin; sid:17731; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows .NET framework optimizer escalation attempt"; flow:to_client,established; file_data; content:"|00|Program|00|Big|00|Misaligned|00|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3958; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-028; classtype:attempted-user; sid:18624; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt"; flow:to_client,established; file_data; content:"|74 00 00 00 00 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 0A 4E 6F|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-011; classtype:attempted-admin; sid:18413; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt"; flow:to_client,established; file_data; content:"|74 00 00 00 00 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 0A 4E 6F|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-011; classtype:attempted-admin; sid:18408; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 ( msg:"OS-WINDOWS Microsoft Windows Media Service stack overflow attempt"; flow:to_server, established; content:"|CE FA 0B B0|"; content:"MMS ",within 4,distance 4; pcre:"/.{20}[\x01\x02]\x00\x03\x00.*?\x5c\x00\x5c\x00/Rsm"; isdataat:128,relative; content:!"|00 00|",within 128; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2010-0478; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-025; classtype:attempted-admin; sid:16541; rev:8; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 389 ( msg:"OS-WINDOWS Microsoft Windows LSASS integer overflow attempt"; flow:to_server,established; content:"|6D 64 DE A8 E3 21 30 84 FF FF FF F9 02 01 04 63 84 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service ldap; reference:cve,2010-0820; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-068; classtype:attempted-user; sid:17249; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS SMB Search Search filename size integer underflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|81|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,564,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14649; rev:10; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB Search unicode Search filename size integer underflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB|81|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14648; rev:8; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB Search unicode andx Search filename size integer underflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|81|",depth 1,offset 39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14652; rev:8; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB Search Search filename size integer underflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB|81|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14647; rev:8; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB Search andx Search filename size integer underflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|81|",depth 1,offset 39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14651; rev:8; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected"; flow:to_server,established; content:"|6E 81 00 42 3B 04 82 9D B8 97 A6 30 32 2D D5 28 B7 2C DF A3 7E 2B 16 8E|"; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ns; reference:cve,2008-3009; reference:cve,2008-4037; reference:cve,2009-0550; reference:cve,2009-1930; reference:cve,2010-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-042; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:attempted-user; sid:17723; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS SMB Search unicode Search filename size integer underflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|81|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14650; rev:9; )
-alert tcp $EXTERNAL_NET 445 -> $HOME_NET any ( msg:"OS-WINDOWS SMB Negotiate Protocol Response overflow attempt"; flow:to_client,established; content:"|FF|SMBr",depth 5,offset 4; content:"|11|",within 1,distance 27; byte_test:4,<,32,7,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2010-0016; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-006; classtype:attempted-admin; sid:16417; rev:6; )
-alert tcp $EXTERNAL_NET 445 -> $HOME_NET any ( msg:"OS-WINDOWS SMBv1 BytesNeeded ring0 buffer overflow attempt"; flow:to_client,established; flowbits:isset,smb.query_sec_desc; flowbits:unset,smb.query_sec_desc; content:"|FF|SMB|A0 05 00 00 80|",depth 9,offset 4; isdataat:24,relative; byte_jump:1,23,relative, multiplier 2; content:"|00|",within 1; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:cve,2010-0269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-admin; sid:16539; rev:5; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB v4 srvsvc NetrpPathCononicalize unicode path cononicalization stack overflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB%",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|",within 2,distance 29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|",within 16,distance 22; pcre:"/^.{28}(\x00\x1f|\x00\x20)/sR"; content:"|00 00|",within 2,distance 6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service netbios-dgm; reference:cve,2008-4250; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067; classtype:attempted-admin; sid:14896; rev:6; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB Trans andx mailslot heap overflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%",depth 1,offset 39; byte_jump:2,0,little,relative; content:"|03|",within 1,distance 27; content:"|01 00 00 00|",within 4,distance 1; content:!"|00|",within 25,distance 4; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7041; rev:11; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS SMB Trans mailslot heap overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB%",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|",within 1,distance 27; content:"|01 00 00 00|",within 4,distance 1; content:!"|00|",within 25,distance 4; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7035; rev:11; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"OS-WINDOWS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%",depth 5,offset 4,nocase; content:"&|00|",within 2,distance 56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|",within 12,distance 5,nocase; content:"|04 00|",within 2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service netbios-ssn; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2258; rev:15; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 389 ( msg:"OS-WINDOWS Microsoft Windows LSASS integer overflow attempt"; flow:to_server,established; content:"|6D 64 DE A8 E3 21 30 84 FF FF FF F9 02 01 04 63 84 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:ldap; reference:cve,2010-0820; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-068; classtype:attempted-user; sid:17249; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS SMB Search Search filename size integer underflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|81|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,564,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14649; rev:10; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB Search unicode Search filename size integer underflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB|81|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14648; rev:8; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB Search unicode andx Search filename size integer underflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|81|",depth 1,offset 39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14652; rev:8; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB Search Search filename size integer underflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB|81|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14647; rev:8; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB Search andx Search filename size integer underflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|81|",depth 1,offset 39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14651; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected"; flow:to_server,established; content:"|6E 81 00 42 3B 04 82 9D B8 97 A6 30 32 2D D5 28 B7 2C DF A3 7E 2B 16 8E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ns; reference:cve,2008-3009; reference:cve,2008-4037; reference:cve,2009-0550; reference:cve,2009-1930; reference:cve,2010-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-042; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:attempted-user; sid:17723; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS SMB Search unicode Search filename size integer underflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|81|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14650; rev:9; )
+alert tcp $EXTERNAL_NET 445 -> $HOME_NET any ( msg:"OS-WINDOWS SMB Negotiate Protocol Response overflow attempt"; flow:to_client,established; content:"|FF|SMBr",depth 5,offset 4; content:"|11|",within 1,distance 27; byte_test:4,<,32,7,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2010-0016; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-006; classtype:attempted-admin; sid:16417; rev:6; )
+alert tcp $EXTERNAL_NET 445 -> $HOME_NET any ( msg:"OS-WINDOWS SMBv1 BytesNeeded ring0 buffer overflow attempt"; flow:to_client,established; flowbits:isset,smb.query_sec_desc; flowbits:unset,smb.query_sec_desc; content:"|FF|SMB|A0 05 00 00 80|",depth 9,offset 4; isdataat:24,relative; byte_jump:1,23,relative, multiplier 2; content:"|00|",within 1; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:cve,2010-0269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-admin; sid:16539; rev:5; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB v4 srvsvc NetrpPathCononicalize unicode path cononicalization stack overflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB%",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|",within 2,distance 29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|",within 16,distance 22; pcre:"/^.{28}(\x00\x1f|\x00\x20)/sR"; content:"|00 00|",within 2,distance 6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:netbios-dgm; reference:cve,2008-4250; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067; classtype:attempted-admin; sid:14896; rev:6; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS SMB Trans andx mailslot heap overflow attempt"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%",depth 1,offset 39; byte_jump:2,0,little,relative; content:"|03|",within 1,distance 27; content:"|01 00 00 00|",within 4,distance 1; content:!"|00|",within 25,distance 4; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7041; rev:11; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS SMB Trans mailslot heap overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB%",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|",within 1,distance 27; content:"|01 00 00 00|",within 4,distance 1; content:!"|00|",within 25,distance 4; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7035; rev:11; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"OS-WINDOWS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%",depth 5,offset 4,nocase; content:"&|00|",within 2,distance 56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|",within 12,distance 5,nocase; content:"|04 00|",within 2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2258; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET 135 ( msg:"OS-WINDOWS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|",depth 2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2257; rev:14; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"OS-WINDOWS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%",depth 5,offset 4,nocase; content:"&|00|",within 2,distance 56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|",within 12,distance 5,nocase; content:"|05|",within 1; content:"|0B|",within 1,distance 1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W",within 16,distance 29; tag:session,packets 5; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service netbios-ssn; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:2252; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"OS-WINDOWS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%",depth 5,offset 4,nocase; content:"&|00|",within 2,distance 56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|",within 12,distance 5,nocase; content:"|05|",within 1; content:"|0B|",within 1,distance 1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W",within 16,distance 29; tag:session,packets 5; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:2252; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-WINDOWS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:13; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-WINDOWS SMB startup folder access"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB2",depth 5,offset 4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service netbios-ssn; classtype:attempted-recon; sid:2176; rev:8; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"scc.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24137; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"diff.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24136; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"view.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24135; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"ann.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24134; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"QE.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24133; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"build.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24132; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"Q.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24131; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-WINDOWS SMB startup folder access"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB2",depth 5,offset 4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; classtype:attempted-recon; sid:2176; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"scc.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24137; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"diff.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24136; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"view.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24135; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"ann.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24134; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"QE.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24133; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"build.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24132; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"Q.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24131; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2869 ( msg:"OS-WINDOWS Microsoft Windows UPnP notification type overflow attempt"; flow:to_server,established; content:"SUBSCRIBE"; pcre:"/^(UN)?SUBSCRIBE\s/smi"; pcre:"/^(NT|CallBack|SID|TimeOut)\s*\x3a\s*[^\n]{512}/Rsmi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,23371; reference:cve,2007-1204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-019; classtype:attempted-admin; sid:10475; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt"; flow:to_client,established; file_data; content:"AAAAAAAA|00 00 00|0stts|04 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15680; rev:6; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft .NET framework malicious XBAP attempt"; flow:to_client,established; file_data; content:"PublicKeyToken=b77a5c561934e089"; content:"System.Collections.Generic.ICollection<T>.get_Count"; content:"TryGetGlyphTypeface|00|Exception|00|WindowsBase|00|Point|00|GlyphRun|00|IList|60 31 00|",distance 0; content:"ComputeInkBoundingBox",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0162; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-034; classtype:attempted-user; sid:22090; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-WINDOWS Microsoft Malware Protection Engine file processing denial of service attempt"; flow:to_server,established; content:"|49 44 45 44 38 55 45 47 47 53 39 6F 4F 72 2F 79 6A 45 77 6D 47 4C 76 57 4A 6A 56 4B 6B 6F 6D 6E 78 6E 2F 63 44 45 63 31 50 35|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2008-1437; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-029; classtype:denial-of-service; sid:17306; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt"; flow:to_client,established; file_data; content:"AAAAAAAA|00 00 00|0stts|04 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-1539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15680; rev:6; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft .NET framework malicious XBAP attempt"; flow:to_client,established; file_data; content:"PublicKeyToken=b77a5c561934e089"; content:"System.Collections.Generic.ICollection<T>.get_Count"; content:"TryGetGlyphTypeface|00|Exception|00|WindowsBase|00|Point|00|GlyphRun|00|IList|60 31 00|",distance 0; content:"ComputeInkBoundingBox",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0162; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-034; classtype:attempted-user; sid:22090; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-WINDOWS Microsoft Malware Protection Engine file processing denial of service attempt"; flow:to_server,established; content:"|49 44 45 44 38 55 45 47 47 53 39 6F 4F 72 2F 79 6A 45 77 6D 47 4C 76 57 4A 6A 56 4B 6B 6F 6D 6E 78 6E 2F 63 44 45 63 31 50 35|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2008-1437; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-029; classtype:denial-of-service; sid:17306; rev:5; )
alert tcp $EXTERNAL_NET 445 -> $HOME_NET any ( msg:"OS-WINDOWS SMB Negotiate Protocol response DoS attempt - empty SMB 2"; flow:to_client,established; dsize:4; content:"|00 00 00 9A|",depth 4; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2009-3676; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-dos; sid:16454; rev:4; )
alert tcp $EXTERNAL_NET 445 -> $HOME_NET any ( msg:"OS-WINDOWS SMB Negotiate Protocol response DoS attempt"; flow:to_client,established; content:"|00 00 00 9A FE|SMB",depth 8; isdataat:126,relative; content:"|1E 00| LM `|1C|",within 8,distance 118; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2009-3676; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-dos; sid:16287; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 ( msg:"OS-WINDOWS MS-SQL convert function unicode overflow"; flow:to_server,established; content:"S|00|E|00|L|00|E|00|C|00|T|00| |00|C|00|O|00|N|00|V|00|E|00|R|00|T|00 28 00|v|00|a|00|r|00|c|00|h|00|a|00|r|00|,|00|c|00|r|00|e|00|a|00|t|00|e|00|d|00|a|00|t|00|e|00|,|00|1|00|2|00|3|00|4|00|5|00|6|00|7|00|8|00|9|00|0|00 29 00| |00|F|00|R|00|O|00|M|00| |00|s|00|y|00|s|00|u|00|s|00|e|00|r|00|s"; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2008-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-040; classtype:attempted-admin; sid:16073; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS NVIDIA graphics driver nvsr named pipe buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|",depth 9,offset 4; byte_test:1,!&,128,0,relative; content:"|00 00|",within 2,distance 13; content:"|00|",within 1,distance 10; content:"|5C 00|n|00|v|00|s|00|r",within 9,distance 49; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:url,osvdb.org/show/osvdb/88745; classtype:attempted-user; sid:25369; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Forefront UAG URL XSS alternate attempt"; flow:to_server, established; http_uri; content:"signurl|2E|asp",fast_pattern,nocase; content:"SignUrl=",nocase; pcre:"/SignUrl=[^\x26\s]*[\x22\x27\x28\x29\x3C\x3E]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-admin; sid:18076; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById",nocase; content:"setTimeout",fast_pattern,nocase; pcre:"/\x2esrc\s*=\s*[\x22\x27]([^\x2e]+)\x2exml\x3f[\x22\x27]\s*\x2b.*\x2esrc\s*=\s*[\x22\x27]\1\x2exml\x3f[^\x22\x27]+[\x22\x27]\s\x2b/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-user; sid:17730; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft XML Core Services cross-site information disclosure attempt"; flow:to_client,established; file_data; content:"<|21|DOCTYPE ",nocase; content:"SYSTEM",distance 0,nocase; content:".parseError",distance 0,fast_pattern,nocase; pcre:"/<\x21DOCTYPE\s+[^>]*?SYSTEM[^>]*?>.*?\x2EparseError/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32155; reference:cve,2008-4029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-recon; sid:17572; rev:5; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft CSRSS NULL Fontface pointer attempt"; flow:to_client,established; file_data; content:"|74 02 EB 19 68 00 00 01 00 0F B7 45 EC 50 68 D0 F0 42 00 E8 DA F3 FF FF 83 C4 0C EB A1 0F B7 45|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1282; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-056; classtype:attempted-user; sid:19461; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Report Viewer reflect XSS attempt"; flow:to_server,established; http_uri; content:"ReportID|3D|",nocase; content:"ControlID|3D|",nocase; content:"TimerMethod|3D|",nocase; pcre:"/TimerMethod\x3D[^\x26]*[\x3C\x28\x22\x27]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1976; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-067; classtype:attempted-user; sid:19681; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt"; flow:to_client,established; file_data; content:"[!] %s"; content:"[*] %s"; content:"[+] %s"; content:"[?] %s"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3660; reference:url,osvdb.org/show/osvdb/93539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-admin; sid:26922; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows .NET CLR mutlidimensional array handling remote code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FE 01 0A 06 2D 03 00 2B 19 02 17 7D 06 00 00 04|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3131; reference:cve,2013-3134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-052; classtype:attempted-admin; sid:27136; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-WINDOWS Microsoft Windows .NET CLR mutlidimensional array handling remote code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FE 01 0A 06 2D 03 00 2B 19 02 17 7D 06 00 00 04|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3131; reference:cve,2013-3134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-052; classtype:attempted-admin; sid:27139; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt"; flow:to_server,established; file_data; content:"[!] %s"; content:"[*] %s"; content:"[+] %s"; content:"[?] %s"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3660; reference:url,osvdb.org/show/osvdb/93539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-admin; sid:27231; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER HP Universal CMDB server axis2 service upload attempt"; flow:established,to_server; http_method; content:"POST",nocase; http_uri; content:"/axis2/axis2-admin/upload"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,secunia.com/advisories/42763/; classtype:attempted-admin; sid:19158; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER CA ARCserve Axis2 default credential login attempt"; flow:to_server,established; http_uri; content:"/axis2-admin/login"; http_client_body; content:"userName=admin",nocase; content:"password=",nocase; pkt_data; pcre:"/^(admin|axis2)/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45625; reference:cve,2010-0219; classtype:default-login-attempt; sid:18985; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-SOCIAL XBOX Marketplace http request"; flow:to_server,established; http_uri; content:"/global"; content:"/marketplace"; pkt_data; content:"User-Agent|3A| Xbox Live Client/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:policy-violation; sid:15171; rev:5; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-SOCIAL XBOX Netflix client activity"; flow:to_server,established; content:"User-Agent|3A| NETFLIX360|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:policy-violation; sid:15170; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"POLICY-SOCIAL AIM GoChat URL access attempt"; flow:to_client,established; file_data; content:"aim|3A|GoChat?",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22146; reference:cve,2007-0021; reference:url,projects.info-pull.com/moab/MOAB-20-01-2007.html; classtype:misc-attack; sid:10116; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-SPAM local user attempted to fill out paypal phishing form"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/logindo.php"; http_client_body; content:"partner=",nocase; content:"&login=",distance 0,nocase; content:"&user=",distance 0,nocase; content:"&pass=",distance 0,nocase; content:"&submit=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:suspicious-login; sid:21637; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP NLST overflow attempt"; flow:to_server,established; content:"NLST",nocase; isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service ftp; reference:bugtraq,7909; reference:cve,1999-1544; reference:cve,2009-3023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:2374; rev:18; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP multiple extension code execution attempt"; flow:established,to_server; content:"STOR",depth 4,nocase; content:".asp|3B|.",distance 0,nocase; pcre:"/^STOR[^\n]+\.asp\x3B\./smi"; metadata:policy balanced-ips drop,policy security-ips drop,service ftp; reference:cve,2009-4444; classtype:web-application-attack; sid:16357; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP ProFTPD username sql injection attempt"; flow:to_server, established; content:"|25 27|"; content:"USER"; pcre:"/USER\s*[^\x0d]+\x25\x27/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service ftp; reference:bugtraq,33722; reference:cve,2009-0542; classtype:attempted-admin; sid:16524; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS NVIDIA graphics driver nvsr named pipe buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|",depth 9,offset 4; byte_test:1,!&,128,0,relative; content:"|00 00|",within 2,distance 13; content:"|00|",within 1,distance 10; content:"|5C 00|n|00|v|00|s|00|r",within 9,distance 49; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:url,osvdb.org/show/osvdb/88745; classtype:attempted-user; sid:25369; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Forefront UAG URL XSS alternate attempt"; flow:to_server, established; http_uri; content:"signurl|2E|asp",fast_pattern,nocase; content:"SignUrl=",nocase; pcre:"/SignUrl=[^\x26\s]*[\x22\x27\x28\x29\x3C\x3E]/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-admin; sid:18076; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById",nocase; content:"setTimeout",fast_pattern,nocase; pcre:"/\x2esrc\s*=\s*[\x22\x27]([^\x2e]+)\x2exml\x3f[\x22\x27]\s*\x2b.*\x2esrc\s*=\s*[\x22\x27]\1\x2exml\x3f[^\x22\x27]+[\x22\x27]\s\x2b/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-user; sid:17730; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft XML Core Services cross-site information disclosure attempt"; flow:to_client,established; file_data; content:"<|21|DOCTYPE ",nocase; content:"SYSTEM",distance 0,nocase; content:".parseError",distance 0,fast_pattern,nocase; pcre:"/<\x21DOCTYPE\s+[^>]*?SYSTEM[^>]*?>.*?\x2EparseError/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32155; reference:cve,2008-4029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-recon; sid:17572; rev:5; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft CSRSS NULL Fontface pointer attempt"; flow:to_client,established; file_data; content:"|74 02 EB 19 68 00 00 01 00 0F B7 45 EC 50 68 D0 F0 42 00 E8 DA F3 FF FF 83 C4 0C EB A1 0F B7 45|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-1282; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-056; classtype:attempted-user; sid:19461; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Report Viewer reflect XSS attempt"; flow:to_server,established; http_uri; content:"ReportID|3D|",nocase; content:"ControlID|3D|",nocase; content:"TimerMethod|3D|",nocase; pcre:"/TimerMethod\x3D[^\x26]*[\x3C\x28\x22\x27]/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-1976; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-067; classtype:attempted-user; sid:19681; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt"; flow:to_client,established; file_data; content:"[!] %s"; content:"[*] %s"; content:"[+] %s"; content:"[?] %s"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3660; reference:url,osvdb.org/show/osvdb/93539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-admin; sid:26922; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows .NET CLR mutlidimensional array handling remote code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FE 01 0A 06 2D 03 00 2B 19 02 17 7D 06 00 00 04|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3131; reference:cve,2013-3134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-052; classtype:attempted-admin; sid:27136; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-WINDOWS Microsoft Windows .NET CLR mutlidimensional array handling remote code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FE 01 0A 06 2D 03 00 2B 19 02 17 7D 06 00 00 04|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3131; reference:cve,2013-3134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-052; classtype:attempted-admin; sid:27139; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt"; flow:to_server,established; file_data; content:"[!] %s"; content:"[*] %s"; content:"[+] %s"; content:"[?] %s"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3660; reference:url,osvdb.org/show/osvdb/93539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-admin; sid:27231; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER HP Universal CMDB server axis2 service upload attempt"; flow:established,to_server; http_method; content:"POST",nocase; http_uri; content:"/axis2/axis2-admin/upload"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,secunia.com/advisories/42763/; classtype:attempted-admin; sid:19158; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER CA ARCserve Axis2 default credential login attempt"; flow:to_server,established; http_uri; content:"/axis2-admin/login"; http_client_body; content:"userName=admin",nocase; content:"password=",nocase; pkt_data; pcre:"/^(admin|axis2)/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,45625; reference:cve,2010-0219; classtype:default-login-attempt; sid:18985; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-SOCIAL XBOX Marketplace http request"; flow:to_server,established; http_uri; content:"/global"; content:"/marketplace"; pkt_data; content:"User-Agent|3A| Xbox Live Client/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:policy-violation; sid:15171; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-SOCIAL XBOX Netflix client activity"; flow:to_server,established; content:"User-Agent|3A| NETFLIX360|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:policy-violation; sid:15170; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"POLICY-SOCIAL AIM GoChat URL access attempt"; flow:to_client,established; file_data; content:"aim|3A|GoChat?",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,22146; reference:cve,2007-0021; reference:url,projects.info-pull.com/moab/MOAB-20-01-2007.html; classtype:misc-attack; sid:10116; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-SPAM local user attempted to fill out paypal phishing form"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/logindo.php"; http_client_body; content:"partner=",nocase; content:"&login=",distance 0,nocase; content:"&user=",distance 0,nocase; content:"&pass=",distance 0,nocase; content:"&submit=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:suspicious-login; sid:21637; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP NLST overflow attempt"; flow:to_server,established; content:"NLST",nocase; isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:ftp; reference:bugtraq,7909; reference:cve,1999-1544; reference:cve,2009-3023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:2374; rev:18; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP multiple extension code execution attempt"; flow:established,to_server; content:"STOR",depth 4,nocase; content:".asp|3B|.",distance 0,nocase; pcre:"/^STOR[^\n]+\.asp\x3B\./smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:ftp; reference:cve,2009-4444; classtype:web-application-attack; sid:16357; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP ProFTPD username sql injection attempt"; flow:to_server, established; content:"|25 27|"; content:"USER"; pcre:"/USER\s*[^\x0d]+\x25\x27/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:ftp; reference:bugtraq,33722; reference:cve,2009-0542; classtype:attempted-admin; sid:16524; rev:4; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 7 undefined code"; itype:7; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:cve,1999-0454; classtype:misc-activity; sid:463; rev:13; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP SUBSCRIBE overflow attempt"; flow:established,to_server; content:"SUBSCRIBE",nocase; isdataat:100; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]{100}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-1579; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3074; rev:14; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP CRAM-MD5 authentication method buffer overflow"; flow:established,to_server; content:"AUTHENTICATE CRAM-MD5",nocase; content:"|0A|",within 2; isdataat:364,relative; content:!"|0D 0A|",within 364; metadata:policy balanced-ips drop,policy security-ips drop,service imap; reference:bugtraq,11675; reference:bugtraq,14317; reference:bugtraq,23172; reference:cve,2005-1520; reference:cve,2007-1675; classtype:attempted-admin; sid:11004; rev:10; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP CRAM-MD5 authentication method buffer overflow"; flow:established,to_server; content:"AUTHENTICATE CRAM-MD5",nocase; content:"|0A|",within 2; isdataat:300,relative; content:!"|0D 0A|",within 300; metadata:policy balanced-ips drop,policy security-ips drop,service imap; reference:bugtraq,11675; reference:bugtraq,14317; reference:bugtraq,23172; reference:cve,2005-1520; reference:cve,2007-1675; classtype:attempted-admin; sid:15484; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service imap; reference:bugtraq,10976; reference:cve,2007-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-admin; sid:2665; rev:11; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP SUBSCRIBE literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3073; rev:12; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE",nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service imap; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:17; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service imap; reference:bugtraq,21724; reference:cve,1999-0005; reference:cve,2006-6424; classtype:misc-attack; sid:1930; rev:14; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3067; rev:10; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3069; rev:10; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 36890 ( msg:"PROTOCOL-RPC IBM Informix Dynamic Server librpc.dll buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 75 3D|",within 4,distance 8,fast_pattern; byte_extract:4,0,credlen,relative,big; byte_test:4,>,credlen,4,relative,big; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,38471; reference:cve,2009-2753; classtype:attempted-admin; sid:18558; rev:2; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC IBM Informix Dynamic Server librpc.dll buffer overflow attempt"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 75 3D|",within 4,distance 8,fast_pattern; byte_extract:4,0,credlen,relative,big; byte_test:4,>,credlen,4,relative,big; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,38471; reference:cve,2009-2753; classtype:attempted-admin; sid:18557; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 ( msg:"PROTOCOL-RPC Linux Kernel nfsd v4 CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 04 00 00 00 01|",depth 28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; content:"|00 00 00 06 00 00 00|"; byte_test:1,>,2,0,relative; byte_test:1,<,5,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:17749; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] ( msg:"PROTOCOL-RPC Oracle Solaris sadmind TCP array size buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|",depth 4,offset 8; content:"|00 01 87 88|",within 4,distance 4,fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; content:"|00 00 00 00 00 00 00 00|",distance 0; byte_test:4,!=,0,0,relative; byte_jump:4,0,relative,big,align; content:"|00 00 00 11|",within 4; byte_jump:4,0,relative,big,align; isdataat:7; content:!"|00 00 00 00 00 00 00 00|",within 8; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,35083; reference:cve,2008-3869; classtype:attempted-admin; sid:16706; rev:3; )
-alert udp $EXTERNAL_NET any -> $HOME_NET [1024:] ( msg:"PROTOCOL-RPC Oracle Solaris sadmind UDP array size buffer overflow attempt"; flow:to_server; content:"|00 00 00 00|",depth 4,offset 4; content:"|00 01 87 88|",within 4,distance 4,fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; content:"|00 00 00 00 00 00 00 00|",distance 0; byte_test:4,!=,0,0,relative; byte_jump:4,0,relative,big,align; content:"|00 00 00 11|",within 4; byte_jump:4,0,relative,big,align; isdataat:7; content:!"|00 00 00 00 00 00 00 00|",within 8; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,35083; reference:cve,2008-3869; classtype:attempted-admin; sid:16705; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 ( msg:"PROTOCOL-RPC Linux Kernel nfsd v3 tcp CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 0B|",depth 28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; byte_jump:4,0,relative,big; pcre:"/^.\x00{3}(\x03|\x04)/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16702; rev:2; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 2049 ( msg:"PROTOCOL-RPC Linux Kernel nfsd v3 udp CAP_MKNOD security bypass attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 0B|",depth 28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; byte_jump:4,0,relative,big; pcre:"/^.\x00{3}(\x03|\x04)/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16701; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 ( msg:"PROTOCOL-RPC Linux Kernel nfsd v2 tcp CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 09|",depth 28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,32,relative,big; content:"|00 00|",within 2,distance 1; byte_test:1,&,0x20,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16700; rev:2; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 2049 ( msg:"PROTOCOL-RPC Linux Kernel nfsd v2 udp CAP_MKNOD security bypass attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 09|",depth 28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,32,relative,big; content:"|00 00|",within 2,distance 1; byte_test:1,&,0x20,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16699; rev:3; )
-alert udp $EXTERNAL_NET any -> $HOME_NET [749,1024:] ( msg:"PROTOCOL-RPC portmap 2112 udp rename_principal attempt"; flow:to_server; content:"|00 00 08|@",depth 4,offset 12; content:"|00 00 00 04|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,8192,4,relative; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12188; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [749,1024:] ( msg:"PROTOCOL-RPC portmap 2112 tcp rename_principal attempt"; flow:to_server,established; content:"|00 00 08|@",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,8192,4,relative; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12187; rev:5; )
-alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC portmap 390113 udp procedure 5 attempt"; content:"|00 05 F3 E1|",depth 4,offset 12; content:"|00 00 00 05|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst",within 11,distance 12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13257; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC portmap 390113 tcp procedure 5 attempt"; flow:to_server,established; content:"|00 05 F3 E1|",depth 4,offset 16; content:"|00 00 00 05|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst",within 11,distance 12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13256; rev:5; )
-alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC portmap 390113 udp procedure 4 attempt"; content:"|00 05 F3 E1|",depth 4,offset 12; content:"|00 00 00 04|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst",within 11,distance 12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13253; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC portmap 390113 tcp procedure 4 attempt"; flow:to_server,established; content:"|00 05 F3 E1|",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst",within 11,distance 12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13252; rev:5; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap 390113 udp request"; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13251; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap 390113 tcp request"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13250; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 ( msg:"PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt"; flow:to_server,established; content:"|00 00 00 00|",depth 4,offset 8; content:"|00 04 93 E1 00 00 00 00|",within 8,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,24655; reference:cve,2007-2442; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt; classtype:attempted-admin; sid:13223; rev:3; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 1024: ( msg:"PROTOCOL-RPC sadmind query with root credentials attempt UDP"; flow:to_server; content:"|00 01 87 88|",depth 4,offset 12; content:"|00 00 00 01 00 00 00 01|",within 8,distance 4; byte_jump:4,8,relative,align; content:"|00 00 00 00|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service sunrpc; classtype:misc-attack; sid:2256; rev:10; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 ( msg:"PROTOCOL-RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}",depth 4,offset 16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../",distance 0; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:15; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|",depth 4,offset 16; content:"|00 00 01 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:20; )
-alert udp $EXTERNAL_NET any -> $HOME_NET [161,1118] ( msg:"PROTOCOL-SNMP Samsung printer default community string"; content:"|04 0B|s|21|a|40|m|23|n|24|p|25|c",depth 14,offset 5; metadata:policy balanced-ips drop,policy security-ips drop,service snmp; reference:url,l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; reference:url,www.kb.cert.org/vuls/id/281284; classtype:attempted-admin; sid:24814; rev:3; )
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET FreeBSD telnetd enc_keyid overflow attempt"; flow:established,to_server; content:"|FF FA 26 07|",fast_pattern; isdataat:66,relative; content:!"|FF F0|",within 66; metadata:policy balanced-ips drop,policy security-ips drop,service telnet; reference:bugtraq,51182; reference:cve,2011-4862; reference:url,security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc; classtype:attempted-admin; sid:20812; rev:6; )
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET FreeBSD telnetd dec_keyid overflow attempt"; flow:established,to_server; content:"|FF FA 26 08|",fast_pattern; isdataat:66,relative; content:!"|FF F0|",within 66; metadata:policy balanced-ips drop,policy security-ips drop,service telnet; reference:bugtraq,51182; reference:cve,2011-4862; reference:url,security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc; classtype:attempted-admin; sid:20813; rev:6; )
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET RuggedCom telnet initial banner"; flow:to_client,established; content:"RuggedCom"; flowbits:set,telnet.ruggedcom; flowbits:noalert; metadata:service telnet; classtype:misc-activity; sid:21939; rev:3; )
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET RuggedCom default backdoor login attempt"; flow:to_server,established; flowbits:isset,telnet.ruggedcom; content:"factory"; metadata:policy balanced-ips drop,policy security-ips drop,service telnet; reference:cve,2012-1803; reference:url,www.securityfocus.com/archive/1/522467; classtype:attempted-admin; sid:21938; rev:3; )
-alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP GET filename overflow attempt"; flow:to_server; content:"|00 01|",depth 2; isdataat:100,relative; content:!"|00|",within 100; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service tftp; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,36121; reference:bugtraq,5328; reference:cve,2002-0813; reference:cve,2006-4948; reference:cve,2007-1435; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:1941; rev:19; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.AdultAds outbound connection"; flow:to_server,established; http_uri; content:"/AdPuller/adult_mature/adult_mature.xmls"; http_header; content:"User-Agent|3A 20|Mozilla/2.0"; content:"AdTools",within 7,distance 14; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/E37DAAB60FE414E8EBFA83A80BBE11877072EC09663DD5F3651FE4DDEB187A82/analysis/; classtype:trojan-activity; sid:24086; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.Phono post infection download attempt"; flow:to_server,established; http_uri; content:"/playerUpdate2.exe",nocase; http_header; content:"User-Agent|3A 20|phonostar|20|Radio|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6515C764C78F1F1C1067D8C23D4F400004A292E7C3C06175D8D2DDD77A16438C/analysis/; classtype:trojan-activity; sid:23369; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.Downware variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/action.php?channel=",nocase; content:"&detected_products=",distance 0,nocase; content:"&offered=",distance 0,nocase; content:"&funnel",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/ae97f53b9f7dcbfa450b391d33b63eb21e4eada1325bea4083894b62d1bb15fe/analysis/; classtype:trojan-activity; sid:21924; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.MediaGetInstaller outbound connection - source ip infected"; flow:to_server,established; content:"MediagetDownloaderInfo"; http_cookie; content:"MediagetDownloaderInfo"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21645; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"PUA-ADWARE Adware.MediaGetInstaller inbound connection - destination ip infected"; flow:to_client,established; content:"MediagetDownloaderInfo"; http_cookie; content:"MediagetDownloaderInfo"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21644; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware cashbar runtime detection - stats track"; flow:to_server,established; http_uri; content:"/cgi-bin/connect.cgi?",nocase; content:"usr=",nocase; content:"url=",nocase; content:"title=CashSurfers",fast_pattern,nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5932; rev:13; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware cashbar runtime detection - pop-up ad 2"; flow:to_server,established; http_uri; content:"/asp/offers.asp?url=http|3A|/cashsurfers.metareward.com",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5930; rev:14; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware desktopmedia runtime detection - surf monitoring"; flow:to_server,established; http_uri; content:"/script/judge/judge.html",fast_pattern,nocase; content:"mid=",nocase; content:"type=",nocase; content:"uid=",nocase; http_header; content:"Host|3A|",nocase; content:"cojud.dmcast.com",nocase; pcre:"/^Host\x3a[^\r\n]*cojud\x2Edmcast\x2Ecom/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8354; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware desktopmedia runtime detection - auto update"; flow:to_server,established; http_uri; content:"/script/update.asp",fast_pattern,nocase; content:"version=",nocase; content:"ownerversion=",nocase; content:"uid=",nocase; http_header; content:"Host|3A|",nocase; content:"dcww.dmcast.com",nocase; pcre:"/^Host\x3a[^\r\n]*dcww\x2Edmcast\x2Ecom/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8353; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware desktopmedia runtime detection - ads popup"; flow:to_server,established; http_uri; content:"/rep/pop/pop_",nocase; content:"ad_soft_type=",nocase; content:"ad_mid=",nocase; content:"ad_type=",nocase; content:"dm_source=",nocase; http_header; content:"Host|3A|",nocase; content:"corep.dmcast.com",nocase; pcre:"/^Host\x3a[^\r\n]*corep\x2Edmcast\x2Ecom/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8352; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - update"; flow:to_server,established; http_uri; content:"/cgi-bin/update.dll?",fast_pattern,nocase; http_header; content:"User-Agent|3A| dapupd",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5906; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - games center request"; flow:to_server,established; http_uri; content:"/GamesTab_realarcade.asp",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5905; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - download files"; flow:to_server,established; http_uri; content:"/cgi-bin/MirrorSearch.dll?",fast_pattern,nocase; http_header; content:"User-Agent|3A| DA",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5904; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - get ads"; flow:to_server,established; http_uri; content:"/cgi-bin/ads9.dll?",fast_pattern,nocase; content:"HTML=",nocase; content:"DAUI=",nocase; content:"INC=",nocase; content:"DL=",nocase; content:"CX=",nocase; content:"CY=",nocase; content:"IIA=",nocase; content:"IIG=",nocase; content:"IIP=",nocase; content:"III=",nocase; content:"V=",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5903; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE LiveSecurityPlatinum.A outbound connection - initial connection"; flow:to_server,established; http_uri; content:"/api/urls/?ts="; http_header; content:"User-Agent|3A 20 20 0D 0A|",nocase; http_uri; pcre:"/\/api\/urls\/\?ts=[a-z0-9]+&affid=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,siri-urz.blogspot.ca/2012/06/live-security-platinum.html; classtype:trojan-activity; sid:23863; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE 888Poker install outbound connection attempt"; flow:to_server,established; http_uri; content:"/setups/888poker/",nocase; content:"/SetupFiles/GIB/SDL/",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:21934; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopnav outbound connection - ie auto search hijack"; flow:to_server,established; http_uri; content:"/searchcat.jsp?p=",fast_pattern,nocase; content:"appid=",nocase; content:"id=",nocase; content:"url=",nocase; content:"type=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5888; rev:9; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP SUBSCRIBE overflow attempt"; flow:established,to_server; content:"SUBSCRIBE",nocase; isdataat:100; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]{100}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-1579; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3074; rev:14; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP CRAM-MD5 authentication method buffer overflow"; flow:established,to_server; content:"AUTHENTICATE CRAM-MD5",nocase; content:"|0A|",within 2; isdataat:364,relative; content:!"|0D 0A|",within 364; metadata:policy balanced-ips drop,policy security-ips drop; service:imap; reference:bugtraq,11675; reference:bugtraq,14317; reference:bugtraq,23172; reference:cve,2005-1520; reference:cve,2007-1675; classtype:attempted-admin; sid:11004; rev:10; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP CRAM-MD5 authentication method buffer overflow"; flow:established,to_server; content:"AUTHENTICATE CRAM-MD5",nocase; content:"|0A|",within 2; isdataat:300,relative; content:!"|0D 0A|",within 300; metadata:policy balanced-ips drop,policy security-ips drop; service:imap; reference:bugtraq,11675; reference:bugtraq,14317; reference:bugtraq,23172; reference:cve,2005-1520; reference:cve,2007-1675; classtype:attempted-admin; sid:15484; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,10976; reference:cve,2007-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-admin; sid:2665; rev:11; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP SUBSCRIBE literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3073; rev:12; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE",nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,21724; reference:cve,1999-0005; reference:cve,2006-6424; classtype:misc-attack; sid:1930; rev:14; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3067; rev:10; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3069; rev:10; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 36890 ( msg:"PROTOCOL-RPC IBM Informix Dynamic Server librpc.dll buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 75 3D|",within 4,distance 8,fast_pattern; byte_extract:4,0,credlen,relative,big; byte_test:4,>,credlen,4,relative,big; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,38471; reference:cve,2009-2753; classtype:attempted-admin; sid:18558; rev:2; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC IBM Informix Dynamic Server librpc.dll buffer overflow attempt"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 75 3D|",within 4,distance 8,fast_pattern; byte_extract:4,0,credlen,relative,big; byte_test:4,>,credlen,4,relative,big; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,38471; reference:cve,2009-2753; classtype:attempted-admin; sid:18557; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 ( msg:"PROTOCOL-RPC Linux Kernel nfsd v4 CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 04 00 00 00 01|",depth 28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; content:"|00 00 00 06 00 00 00|"; byte_test:1,>,2,0,relative; byte_test:1,<,5,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:17749; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] ( msg:"PROTOCOL-RPC Oracle Solaris sadmind TCP array size buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|",depth 4,offset 8; content:"|00 01 87 88|",within 4,distance 4,fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; content:"|00 00 00 00 00 00 00 00|",distance 0; byte_test:4,!=,0,0,relative; byte_jump:4,0,relative,big,align; content:"|00 00 00 11|",within 4; byte_jump:4,0,relative,big,align; isdataat:7; content:!"|00 00 00 00 00 00 00 00|",within 8; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,35083; reference:cve,2008-3869; classtype:attempted-admin; sid:16706; rev:3; )
+alert udp $EXTERNAL_NET any -> $HOME_NET [1024:] ( msg:"PROTOCOL-RPC Oracle Solaris sadmind UDP array size buffer overflow attempt"; flow:to_server; content:"|00 00 00 00|",depth 4,offset 4; content:"|00 01 87 88|",within 4,distance 4,fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; content:"|00 00 00 00 00 00 00 00|",distance 0; byte_test:4,!=,0,0,relative; byte_jump:4,0,relative,big,align; content:"|00 00 00 11|",within 4; byte_jump:4,0,relative,big,align; isdataat:7; content:!"|00 00 00 00 00 00 00 00|",within 8; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,35083; reference:cve,2008-3869; classtype:attempted-admin; sid:16705; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 ( msg:"PROTOCOL-RPC Linux Kernel nfsd v3 tcp CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 0B|",depth 28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; byte_jump:4,0,relative,big; pcre:"/^.\x00{3}(\x03|\x04)/sR"; metadata:policy balanced-ips drop,policy security-ips drop; service:dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16702; rev:2; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 2049 ( msg:"PROTOCOL-RPC Linux Kernel nfsd v3 udp CAP_MKNOD security bypass attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 0B|",depth 28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; byte_jump:4,0,relative,big; pcre:"/^.\x00{3}(\x03|\x04)/sR"; metadata:policy balanced-ips drop,policy security-ips drop; service:dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16701; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 ( msg:"PROTOCOL-RPC Linux Kernel nfsd v2 tcp CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 09|",depth 28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,32,relative,big; content:"|00 00|",within 2,distance 1; byte_test:1,&,0x20,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16700; rev:2; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 2049 ( msg:"PROTOCOL-RPC Linux Kernel nfsd v2 udp CAP_MKNOD security bypass attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 09|",depth 28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,32,relative,big; content:"|00 00|",within 2,distance 1; byte_test:1,&,0x20,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16699; rev:3; )
+alert udp $EXTERNAL_NET any -> $HOME_NET [749,1024:] ( msg:"PROTOCOL-RPC portmap 2112 udp rename_principal attempt"; flow:to_server; content:"|00 00 08|@",depth 4,offset 12; content:"|00 00 00 04|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,8192,4,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12188; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [749,1024:] ( msg:"PROTOCOL-RPC portmap 2112 tcp rename_principal attempt"; flow:to_server,established; content:"|00 00 08|@",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,8192,4,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12187; rev:5; )
+alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC portmap 390113 udp procedure 5 attempt"; content:"|00 05 F3 E1|",depth 4,offset 12; content:"|00 00 00 05|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst",within 11,distance 12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13257; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC portmap 390113 tcp procedure 5 attempt"; flow:to_server,established; content:"|00 05 F3 E1|",depth 4,offset 16; content:"|00 00 00 05|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst",within 11,distance 12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13256; rev:5; )
+alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC portmap 390113 udp procedure 4 attempt"; content:"|00 05 F3 E1|",depth 4,offset 12; content:"|00 00 00 04|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst",within 11,distance 12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13253; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC portmap 390113 tcp procedure 4 attempt"; flow:to_server,established; content:"|00 05 F3 E1|",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst",within 11,distance 12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13252; rev:5; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap 390113 udp request"; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13251; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap 390113 tcp request"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13250; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 ( msg:"PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt"; flow:to_server,established; content:"|00 00 00 00|",depth 4,offset 8; content:"|00 04 93 E1 00 00 00 00|",within 8,distance 16; metadata:policy balanced-ips drop,policy security-ips drop; service:sunrpc; reference:bugtraq,24655; reference:cve,2007-2442; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt; classtype:attempted-admin; sid:13223; rev:3; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 1024: ( msg:"PROTOCOL-RPC sadmind query with root credentials attempt UDP"; flow:to_server; content:"|00 01 87 88|",depth 4,offset 12; content:"|00 00 00 01 00 00 00 01|",within 8,distance 4; byte_jump:4,8,relative,align; content:"|00 00 00 00|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:sunrpc; classtype:misc-attack; sid:2256; rev:10; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 ( msg:"PROTOCOL-RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}",depth 4,offset 16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../",distance 0; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:15; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|",depth 4,offset 16; content:"|00 00 01 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:20; )
+alert udp $EXTERNAL_NET any -> $HOME_NET [161,1118] ( msg:"PROTOCOL-SNMP Samsung printer default community string"; content:"|04 0B|s|21|a|40|m|23|n|24|p|25|c",depth 14,offset 5; metadata:policy balanced-ips drop,policy security-ips drop; service:snmp; reference:url,l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; reference:url,www.kb.cert.org/vuls/id/281284; classtype:attempted-admin; sid:24814; rev:3; )
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET FreeBSD telnetd enc_keyid overflow attempt"; flow:established,to_server; content:"|FF FA 26 07|",fast_pattern; isdataat:66,relative; content:!"|FF F0|",within 66; metadata:policy balanced-ips drop,policy security-ips drop; service:telnet; reference:bugtraq,51182; reference:cve,2011-4862; reference:url,security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc; classtype:attempted-admin; sid:20812; rev:6; )
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET FreeBSD telnetd dec_keyid overflow attempt"; flow:established,to_server; content:"|FF FA 26 08|",fast_pattern; isdataat:66,relative; content:!"|FF F0|",within 66; metadata:policy balanced-ips drop,policy security-ips drop; service:telnet; reference:bugtraq,51182; reference:cve,2011-4862; reference:url,security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc; classtype:attempted-admin; sid:20813; rev:6; )
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET RuggedCom telnet initial banner"; flow:to_client,established; content:"RuggedCom"; flowbits:set,telnet.ruggedcom; flowbits:noalert; service:telnet; classtype:misc-activity; sid:21939; rev:3; )
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET RuggedCom default backdoor login attempt"; flow:to_server,established; flowbits:isset,telnet.ruggedcom; content:"factory"; metadata:policy balanced-ips drop,policy security-ips drop; service:telnet; reference:cve,2012-1803; reference:url,www.securityfocus.com/archive/1/522467; classtype:attempted-admin; sid:21938; rev:3; )
+alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP GET filename overflow attempt"; flow:to_server; content:"|00 01|",depth 2; isdataat:100,relative; content:!"|00|",within 100; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:tftp; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,36121; reference:bugtraq,5328; reference:cve,2002-0813; reference:cve,2006-4948; reference:cve,2007-1435; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:1941; rev:19; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.AdultAds outbound connection"; flow:to_server,established; http_uri; content:"/AdPuller/adult_mature/adult_mature.xmls"; http_header; content:"User-Agent|3A 20|Mozilla/2.0"; content:"AdTools",within 7,distance 14; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/E37DAAB60FE414E8EBFA83A80BBE11877072EC09663DD5F3651FE4DDEB187A82/analysis/; classtype:trojan-activity; sid:24086; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.Phono post infection download attempt"; flow:to_server,established; http_uri; content:"/playerUpdate2.exe",nocase; http_header; content:"User-Agent|3A 20|phonostar|20|Radio|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/6515C764C78F1F1C1067D8C23D4F400004A292E7C3C06175D8D2DDD77A16438C/analysis/; classtype:trojan-activity; sid:23369; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.Downware variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/action.php?channel=",nocase; content:"&detected_products=",distance 0,nocase; content:"&offered=",distance 0,nocase; content:"&funnel",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/ae97f53b9f7dcbfa450b391d33b63eb21e4eada1325bea4083894b62d1bb15fe/analysis/; classtype:trojan-activity; sid:21924; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.MediaGetInstaller outbound connection - source ip infected"; flow:to_server,established; content:"MediagetDownloaderInfo"; http_cookie; content:"MediagetDownloaderInfo"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21645; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"PUA-ADWARE Adware.MediaGetInstaller inbound connection - destination ip infected"; flow:to_client,established; content:"MediagetDownloaderInfo"; http_cookie; content:"MediagetDownloaderInfo"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21644; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware cashbar runtime detection - stats track"; flow:to_server,established; http_uri; content:"/cgi-bin/connect.cgi?",nocase; content:"usr=",nocase; content:"url=",nocase; content:"title=CashSurfers",fast_pattern,nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5932; rev:13; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware cashbar runtime detection - pop-up ad 2"; flow:to_server,established; http_uri; content:"/asp/offers.asp?url=http|3A|/cashsurfers.metareward.com",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5930; rev:14; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware desktopmedia runtime detection - surf monitoring"; flow:to_server,established; http_uri; content:"/script/judge/judge.html",fast_pattern,nocase; content:"mid=",nocase; content:"type=",nocase; content:"uid=",nocase; http_header; content:"Host|3A|",nocase; content:"cojud.dmcast.com",nocase; pcre:"/^Host\x3a[^\r\n]*cojud\x2Edmcast\x2Ecom/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8354; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware desktopmedia runtime detection - auto update"; flow:to_server,established; http_uri; content:"/script/update.asp",fast_pattern,nocase; content:"version=",nocase; content:"ownerversion=",nocase; content:"uid=",nocase; http_header; content:"Host|3A|",nocase; content:"dcww.dmcast.com",nocase; pcre:"/^Host\x3a[^\r\n]*dcww\x2Edmcast\x2Ecom/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8353; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware desktopmedia runtime detection - ads popup"; flow:to_server,established; http_uri; content:"/rep/pop/pop_",nocase; content:"ad_soft_type=",nocase; content:"ad_mid=",nocase; content:"ad_type=",nocase; content:"dm_source=",nocase; http_header; content:"Host|3A|",nocase; content:"corep.dmcast.com",nocase; pcre:"/^Host\x3a[^\r\n]*corep\x2Edmcast\x2Ecom/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8352; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - update"; flow:to_server,established; http_uri; content:"/cgi-bin/update.dll?",fast_pattern,nocase; http_header; content:"User-Agent|3A| dapupd",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5906; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - games center request"; flow:to_server,established; http_uri; content:"/GamesTab_realarcade.asp",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5905; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - download files"; flow:to_server,established; http_uri; content:"/cgi-bin/MirrorSearch.dll?",fast_pattern,nocase; http_header; content:"User-Agent|3A| DA",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5904; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - get ads"; flow:to_server,established; http_uri; content:"/cgi-bin/ads9.dll?",fast_pattern,nocase; content:"HTML=",nocase; content:"DAUI=",nocase; content:"INC=",nocase; content:"DL=",nocase; content:"CX=",nocase; content:"CY=",nocase; content:"IIA=",nocase; content:"IIG=",nocase; content:"IIP=",nocase; content:"III=",nocase; content:"V=",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5903; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE LiveSecurityPlatinum.A outbound connection - initial connection"; flow:to_server,established; http_uri; content:"/api/urls/?ts="; http_header; content:"User-Agent|3A 20 20 0D 0A|",nocase; http_uri; pcre:"/\/api\/urls\/\?ts=[a-z0-9]+&affid=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,siri-urz.blogspot.ca/2012/06/live-security-platinum.html; classtype:trojan-activity; sid:23863; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE 888Poker install outbound connection attempt"; flow:to_server,established; http_uri; content:"/setups/888poker/",nocase; content:"/SetupFiles/GIB/SDL/",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:21934; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopnav outbound connection - ie auto search hijack"; flow:to_server,established; http_uri; content:"/searchcat.jsp?p=",fast_pattern,nocase; content:"appid=",nocase; content:"id=",nocase; content:"url=",nocase; content:"type=",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5888; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PUA-ADWARE Snoopware xpress remote outbound connection - init connection"; flow:to_client,established; content:"|01 00 01 00 03 00 01 00 14 00 01 01 01 00 DD DD DD DD 00 00 00 00|",depth 22; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=XpressRemote&threatid=29388; classtype:successful-recon-limited; sid:13764; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - target website display"; flow:to_server,established; http_uri; content:"/related_bottom_v2.php",fast_pattern,nocase; content:"key=",nocase; content:"No="; pkt_data; content:"Host|3A|",nocase; content:"related.yok.com",distance 0,nocase; pcre:"/^Host\x3a[^\r\n]*related\x2Eyok\x2Ecom/smi"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8359; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - addressbar keyword search hijack"; flow:to_server,established; http_uri; content:"/go3.php",nocase; content:"key=",nocase; content:"NO=",nocase; content:"PID=",nocase; content:"UN=",nocase; pkt_data; content:"Host|3A|",nocase; content:"www.yok.com",distance 0,nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Eyok\x2Ecom/smi"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8358; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - third party information collection"; flow:to_server,established; http_uri; content:"/d/sr/?",nocase; content:"xargs=",nocase; content:"yargs=",nocase; http_header; content:"Referer|3A| ",nocase; content:"mysearch.dropspam.com/index.php?tpid=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5938; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - pass information to its controlling server"; flow:to_server,established; http_uri; content:"/r.php?",nocase; content:"apid=",nocase; content:"ldid=",nocase; content:"tpid=",nocase; content:"ttid=",nocase; content:"uid=",nocase; content:"st=",nocase; content:"cdurl=",nocase; content:"srurl=",nocase; http_header; content:"Referer|3A| ",nocase; content:"mysearch.dropspam.com/index.php?tpid=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5937; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - side search"; flow:to_server,established; http_uri; content:"/sidesearch.htm",nocase; pkt_data; content:"Host|3A| sidesearch.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5936; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 3"; flow:to_server,established; content:"/search.cgi",nocase; content:"source=lifestyle",nocase; content:"query=",distance 0,nocase; content:"select=",distance 0,nocase; content:"Host|3A| desksearch.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5935; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 2"; flow:to_server,established; http_uri; content:"/search.cgi?",nocase; content:"tbid=",nocase; content:"query=",nocase; pkt_data; content:"Host|3A| search.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5934; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 1"; flow:to_server,established; http_uri; content:"/search.cgi?",nocase; content:"source=",nocase; content:"query=",nocase; pkt_data; content:"Host|3A| search.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5933; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopnav outbound connection - collect information"; flow:to_server,established; http_uri; content:"/dat/bgf/trpix.gif?",nocase; content:"rdm=",nocase; content:"dlv=",nocase; content:"dmn=",nocase; http_header; content:"Referer|3A| ",nocase; content:"search2.ad.shopnav.com/9899/search/results.php",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5889; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopnav outbound connection - ie search assistant hijack"; flow:to_server,established; http_uri; content:"/9899/search/results.php?",fast_pattern,nocase; content:"source=",nocase; content:"pa=",nocase; content:"keywords=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5887; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Other-Technologies saria 1.0 outbound connection - send user information"; flow:to_server,established; http_uri; content:"op=",nocase; content:"vic=",nocase; content:"ip=",nocase; content:"port=",fast_pattern,nocase; content:"pass=",nocase; pcre:"/pass=(YAHOO|(XP\s+)?MSN|PALTALK)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080923; classtype:misc-activity; sid:5883; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopathomeselect outbound connection"; flow:to_server,established; content:"SAHSelect=GUID=",nocase; content:"CustomerID=",nocase; content:"stealth=",nocase; content:"InstallerLocation="; content:"LastPrefs=",nocase; content:"AgentVersion=",nocase; content:"CTG=",nocase; content:"WSS_GW=",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074921; classtype:misc-activity; sid:5807; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE PC Antispyware 2010 FakeAV download/update attempt"; flow:to_server,established; http_uri; content:"/files",nocase; content:"|29|.|28|t|29|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=37fa737aab25dd0d90cd0821538fae15; classtype:trojan-activity; sid:16498; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE FakeAV landing page request"; flow:to_server,established; http_uri; content:"/payform/?k="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,urlquery.net/report.php?id=91654; classtype:trojan-activity; sid:23472; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Wajam Monitizer outbound connection - post install"; flow:to_server,established; http_uri; content:"/download/Wajam_5402.exe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/AFE8CA9124F6CC84B8FEC64723531297653A419AE39710A64BCB4143F66215AB/analysis/; classtype:trojan-activity; sid:23247; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Wajam Monitizer url outbound connection - post install"; flow:to_server,established; http_uri; content:"php?v="; content:"&unique_id=",distance 0; content:"&aid=",distance 0; content:"&r=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/AFE8CA9124F6CC84B8FEC64723531297653A419AE39710A64BCB4143F66215AB/analysis/; classtype:trojan-activity; sid:23246; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE OnlineGames download attempt"; flow:to_server,established; http_uri; content:"/nbok01/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=6f489b3bd2ccbbf4ff8ad0c744f7be34; classtype:trojan-activity; sid:16365; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Cutwail spambot server communication attempt"; flow:to_server,established; http_uri; content:"spm/page.php?"; content:"id=",nocase; content:"tick=",nocase; content:"ver=",nocase; content:"smtp=",nocase; content:"task=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatexpert.com/report.aspx?md5=0ecab7ac6e393be442cd834f9573622b; classtype:trojan-activity; sid:16494; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Martuz HTTP GET request attempt"; flow:to_server,established; http_uri; content:"/martuz.cn",nocase; pkt_data; pcre:"/\x2Fmartuz\x2Ecn\x2Fvid\x2F\x3Fid\x3D\d+/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15567; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Gumblar HTTP GET request attempt"; flow:to_server,established; http_uri; content:"/gumblar.cn",nocase; pkt_data; pcre:"/\x2Fgumblar\x2Ecn\x2Frss\x2F\x3Fid\x3D\d+/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15566; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shop at home select merchant redirect in progress"; flow:to_server,established; http_uri; content:"/frameset3.asp",fast_pattern,nocase; content:"MID=",nocase; content:"ruleID=",nocase; content:"popupID=",nocase; content:"doPopup=",nocase; content:"version=",nocase; content:"requested=",nocase; content:"CustomerID=",nocase; content:"owner=",nocase; content:"refer=",nocase; content:"LastPrefs="; content:"GUID=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:misc-activity; sid:5809; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-ADWARE Win.Adware.BProtector browser hijacker dll list download attempt"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/builds/",nocase; content:"fflists.txt",nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:misc-activity; sid:26553; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - target website display"; flow:to_server,established; http_uri; content:"/related_bottom_v2.php",fast_pattern,nocase; content:"key=",nocase; content:"No="; pkt_data; content:"Host|3A|",nocase; content:"related.yok.com",distance 0,nocase; pcre:"/^Host\x3a[^\r\n]*related\x2Eyok\x2Ecom/smi"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8359; rev:12; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - addressbar keyword search hijack"; flow:to_server,established; http_uri; content:"/go3.php",nocase; content:"key=",nocase; content:"NO=",nocase; content:"PID=",nocase; content:"UN=",nocase; pkt_data; content:"Host|3A|",nocase; content:"www.yok.com",distance 0,nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Eyok\x2Ecom/smi"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8358; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - third party information collection"; flow:to_server,established; http_uri; content:"/d/sr/?",nocase; content:"xargs=",nocase; content:"yargs=",nocase; http_header; content:"Referer|3A| ",nocase; content:"mysearch.dropspam.com/index.php?tpid=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5938; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - pass information to its controlling server"; flow:to_server,established; http_uri; content:"/r.php?",nocase; content:"apid=",nocase; content:"ldid=",nocase; content:"tpid=",nocase; content:"ttid=",nocase; content:"uid=",nocase; content:"st=",nocase; content:"cdurl=",nocase; content:"srurl=",nocase; http_header; content:"Referer|3A| ",nocase; content:"mysearch.dropspam.com/index.php?tpid=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5937; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - side search"; flow:to_server,established; http_uri; content:"/sidesearch.htm",nocase; pkt_data; content:"Host|3A| sidesearch.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5936; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 3"; flow:to_server,established; content:"/search.cgi",nocase; content:"source=lifestyle",nocase; content:"query=",distance 0,nocase; content:"select=",distance 0,nocase; content:"Host|3A| desksearch.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5935; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 2"; flow:to_server,established; http_uri; content:"/search.cgi?",nocase; content:"tbid=",nocase; content:"query=",nocase; pkt_data; content:"Host|3A| search.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5934; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 1"; flow:to_server,established; http_uri; content:"/search.cgi?",nocase; content:"source=",nocase; content:"query=",nocase; pkt_data; content:"Host|3A| search.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5933; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopnav outbound connection - collect information"; flow:to_server,established; http_uri; content:"/dat/bgf/trpix.gif?",nocase; content:"rdm=",nocase; content:"dlv=",nocase; content:"dmn=",nocase; http_header; content:"Referer|3A| ",nocase; content:"search2.ad.shopnav.com/9899/search/results.php",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5889; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopnav outbound connection - ie search assistant hijack"; flow:to_server,established; http_uri; content:"/9899/search/results.php?",fast_pattern,nocase; content:"source=",nocase; content:"pa=",nocase; content:"keywords=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5887; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Other-Technologies saria 1.0 outbound connection - send user information"; flow:to_server,established; http_uri; content:"op=",nocase; content:"vic=",nocase; content:"ip=",nocase; content:"port=",fast_pattern,nocase; content:"pass=",nocase; pcre:"/pass=(YAHOO|(XP\s+)?MSN|PALTALK)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080923; classtype:misc-activity; sid:5883; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopathomeselect outbound connection"; flow:to_server,established; content:"SAHSelect=GUID=",nocase; content:"CustomerID=",nocase; content:"stealth=",nocase; content:"InstallerLocation="; content:"LastPrefs=",nocase; content:"AgentVersion=",nocase; content:"CTG=",nocase; content:"WSS_GW=",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:http; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074921; classtype:misc-activity; sid:5807; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE PC Antispyware 2010 FakeAV download/update attempt"; flow:to_server,established; http_uri; content:"/files",nocase; content:"|29|.|28|t|29|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=37fa737aab25dd0d90cd0821538fae15; classtype:trojan-activity; sid:16498; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE FakeAV landing page request"; flow:to_server,established; http_uri; content:"/payform/?k="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,urlquery.net/report.php?id=91654; classtype:trojan-activity; sid:23472; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Wajam Monitizer outbound connection - post install"; flow:to_server,established; http_uri; content:"/download/Wajam_5402.exe"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/AFE8CA9124F6CC84B8FEC64723531297653A419AE39710A64BCB4143F66215AB/analysis/; classtype:trojan-activity; sid:23247; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Wajam Monitizer url outbound connection - post install"; flow:to_server,established; http_uri; content:"php?v="; content:"&unique_id=",distance 0; content:"&aid=",distance 0; content:"&r=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/AFE8CA9124F6CC84B8FEC64723531297653A419AE39710A64BCB4143F66215AB/analysis/; classtype:trojan-activity; sid:23246; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE OnlineGames download attempt"; flow:to_server,established; http_uri; content:"/nbok01/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.threatexpert.com/report.aspx?md5=6f489b3bd2ccbbf4ff8ad0c744f7be34; classtype:trojan-activity; sid:16365; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Cutwail spambot server communication attempt"; flow:to_server,established; http_uri; content:"spm/page.php?"; content:"id=",nocase; content:"tick=",nocase; content:"ver=",nocase; content:"smtp=",nocase; content:"task=",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,threatexpert.com/report.aspx?md5=0ecab7ac6e393be442cd834f9573622b; classtype:trojan-activity; sid:16494; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Martuz HTTP GET request attempt"; flow:to_server,established; http_uri; content:"/martuz.cn",nocase; pkt_data; pcre:"/\x2Fmartuz\x2Ecn\x2Fvid\x2F\x3Fid\x3D\d+/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15567; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Gumblar HTTP GET request attempt"; flow:to_server,established; http_uri; content:"/gumblar.cn",nocase; pkt_data; pcre:"/\x2Fgumblar\x2Ecn\x2Frss\x2F\x3Fid\x3D\d+/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15566; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shop at home select merchant redirect in progress"; flow:to_server,established; http_uri; content:"/frameset3.asp",fast_pattern,nocase; content:"MID=",nocase; content:"ruleID=",nocase; content:"popupID=",nocase; content:"doPopup=",nocase; content:"version=",nocase; content:"requested=",nocase; content:"CustomerID=",nocase; content:"owner=",nocase; content:"refer=",nocase; content:"LastPrefs="; content:"GUID=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; classtype:misc-activity; sid:5809; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-ADWARE Win.Adware.BProtector browser hijacker dll list download attempt"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/builds/",nocase; content:"fflists.txt",nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:misc-activity; sid:26553; rev:2; )
alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any ( msg:"PUA-OTHER AOL GAIM AIM-ICQ Protocol Handling buffer overflow attempt"; flow:to_client,established; content:"|2A 02|",depth 2; content:"|00 02 00 06|",within 4,distance 4; byte_jump:1,6,relative; content:"|00 03|",distance 4; content:"text",within 4,distance 2; content:"|00 04|",distance 4; byte_test:2,>,0x0100,0,relative; pcre:"/(\x25(n|t|d)\x20){85}/sm"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,14531; reference:cve,2005-2103; classtype:attempted-user; sid:17357; rev:4; )
alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any ( msg:"PUA-OTHER Trillian AIM XML tag handling heap buffer overflow attempt"; flow:to_client, established; content:"*|02|",depth 2; content:"|00 04 00 07|",within 4,distance 4; isdataat:1023; pcre:"/\x2A\x02.{4}\x00\x04\x00\x07.*\x3C\x3E[^\x00]{1023,}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,32645; reference:cve,2008-5403; reference:url,dev.aol.com/aim/oscar/; classtype:attempted-user; sid:16514; rev:3; )
-alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any ( msg:"PUA-OTHER mIRC PRIVMSG message processing overflow attempt"; flow:to_client,established; isdataat:317; content:"PRIVMSG"; pcre:"/[^\x3a\s]{309}\sPRIVMSG/i"; metadata:policy balanced-ips drop,policy security-ips drop,service ircd; reference:bugtraq,31552; reference:cve,2008-4449; classtype:attempted-user; sid:15711; rev:3; )
+alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any ( msg:"PUA-OTHER mIRC PRIVMSG message processing overflow attempt"; flow:to_client,established; isdataat:317; content:"PRIVMSG"; pcre:"/[^\x3a\s]{309}\sPRIVMSG/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:ircd; reference:bugtraq,31552; reference:cve,2008-4449; classtype:attempted-user; sid:15711; rev:3; )
alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any ( msg:"PUA-OTHER Cerulean Studios Trillian image filename handling XML tag overflow attempt"; flow:to_client,established; content:"*|02|",depth 2; content:"|00 04 00 07|",within 4,distance 4; content:"<IMG ",nocase; pcre:"/\x3cimg[^\x3e]*src\x3d(\x22|\x27)?[^\x22\x27\s]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2008-5401; classtype:attempted-user; sid:15489; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server serverdown Authentication bypass attempt"; flow:to_server,established; content:"error-serverdown.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Ferror-serverdown\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15156; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server png Authentication bypass attempt"; flow:to_server,established; content:"|2F|.png"; pcre:"/^[a-zA-Z]+\s+\x2F\x2Epng.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15155; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server gif Authentication bypass attempt"; flow:to_server,established; content:"|2F|.gif"; pcre:"/^[a-zA-Z]+\s+\x2F\x2Egif.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15154; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server setup Authentication bypass attempt"; flow:to_server,established; content:"setup/setup-"; pcre:"/^[A-Z]+\s+\x2Fsetup\x2Fsetup-.*?\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6509; classtype:attempted-admin; sid:15153; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt"; flow:to_server,established; content:"setup/index.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Fsetup\x2F\index\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15152; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server logout Authentication bypass attempt"; flow:to_server,established; content:"index.jsp?logout=true"; pcre:"/^[a-zA-Z]+\s+\x2Findex\x2Ejsp\x3Flogout\x3Dtrue.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15151; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server login Authentication bypass attempt"; flow:to_server,established; content:"login.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Flogin\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15150; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"PUA-OTHER Skype skype4com URI handler memory corruption attempt"; flow:to_client,established; file_data; content:"skype4com|3A|"; pcre:"/skype4com\x3A[A-Z\d]{0,6}[^A-Z\d]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26748; reference:cve,2007-5989; classtype:attempted-user; sid:13292; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker morpheus toolbar runtime detection - get cfg info"; flow:to_server,established; http_uri; content:"/ms162cfg.jsp?",nocase; pcre:"/\x2fms162cfg\x2ejsp\x3f([sverlcfan]\x3d[^\x26\s]*\x26){8}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.sophos.com/security/analyses/morpheustoolbar.html; classtype:misc-activity; sid:12293; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - get cfg"; flow:to_server,established; http_uri; content:"/desktop/",nocase; content:"/toolbar/supremetb",fast_pattern,nocase; content:".cfg",nocase; pcre:"/\x2Fdesktop\x2F\d+\x2Ftoolbar\x2Fsupremetb\d+\.cfg/i"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530; classtype:successful-recon-limited; sid:5939; rev:11; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - pass info to server"; flow:to_server,established; http_uri; content:"/d/sr/?",nocase; content:"xargs=",nocase; content:"yargs=",nocase; http_header; content:"Referer|3A| ",nocase; content:"metaresults.copernic.com",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5886; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - ie autosearch & search assistant hijack"; flow:to_server,established; http_uri; content:"/copern.light/redirs_all.htm?",fast_pattern,nocase; content:"pgtarg=",nocase; content:"qcat=",nocase; content:"qkw=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5885; rev:9; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - check toolbar & category info"; flow:to_server,established; http_uri; content:"/software/meta/Update/VersionCheckInfo.ini?c=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5884; rev:10; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - collect information"; flow:to_server,established; http_uri; content:"/images/nocache/tr/gca/m.gif?",fast_pattern,nocase; content:"rand=",nocase; content:"a=",nocase; content:"u=",nocase; content:"r=",nocase; content:"w=",nocase; content:"myway.com",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5803; rev:12; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - track activity 1"; flow:to_server,established; http_uri; content:"/tr.js?",nocase; content:"a=",nocase; content:"r=",nocase; pkt_data; content:"Host|3A| c4.myway.com"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5801; rev:11; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts OGNL parameter interception bypass command execution attempt"; flow:to_server,established; http_uri; content:"xwork.MethodAccessor.denyMethodExecution",nocase; content:"u0023",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,41592; reference:cve,2010-1870; classtype:attempted-admin; sid:18931; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts Information Disclosure Attempt"; flow:to_server,established; http_uri; content:"/struts",nocase; http_raw_uri; content:"..|25|252f"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32104; reference:cve,2008-6505; classtype:attempted-recon; sid:17533; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"%2E%2E/"; http_raw_uri; content:"%2E%2E/"; pkt_data; pcre:"/\/(\\|%5C)%2E%2E\//"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17502; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/%2E%2E"; http_raw_uri; content:"/%2E%2E"; pkt_data; pcre:"/\/%2E%2E(\\|%5C)\//"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17501; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/..%5C/"; http_raw_uri; content:"/..%5C/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17500; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/..|5C|/"; http_raw_uri; content:"/..|5C|/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17499; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/|5C|../"; http_raw_uri; content:"/|5C|../"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17498; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/%5C../"; http_raw_uri; content:"/%5C../"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17391; rev:7; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt"; flow:to_server,established; http_header; content:"Proxy-Connection: Keep-Alive"; content:"Transfer-Encoding: chunked|0D 0A|Content-Length: 40334"; http_uri; content:".dll"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:19124; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt"; flow:to_server,established; http_header; content:"Proxy-Connection|3A| Keep-Alive|0D 0A|Okytuasd|3A| AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:16480; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt - public shell code"; flow:to_server,established; content:"1|C0|1|C9|d|8B|q0|8B|v|0C 8B|v|1C 8B|V|08 8B|~ |8B|6f9O|14|u|F2|f|B9 01|mf|81 E9 94|lf9|0F|f|89 C1|u|E1 89 E5 EB|q`|8B|l|24 24 8B|E<|8B|T|05|x|01 EA 8B|J|18 8B|Z |01 EB E3|4I|8B|4|8B 01 EE|1|FF|1|C0 FC AC 84 C0|t|07 C1 CF 0D 01 C7 EB F4 3B 7C 24 28|u|E1 8B|Z|24 01 EB|f|8B 0C|K|8B|Z|1C 01 EB 8B 04 8B 01 E8 89|D|24 1C|a|C3 AD|PR|E8 AA FF FF FF 89 07|f|81 C4 0C 01|f|81 EC 04 01|f|81 C7 08 01|f|81 EF 04 01|9|CE|u|DE C3 EB 10|^|8D|}|04 89 F1 80 C1 0C E8 CD FF FF FF EB 3B E8 EB FF FF FF|n|7C|.|E1 1E|<?|D7|t|1E|H|CD|1|D2|X|88|P|07 EB|/1|D2|Y|88|Q|01 EB|.QP|FF|U|04 EB|,1|D2|Y|88|Q|09 EB|3QP|89 C6 FF|U|08|S|FF|U|0C E8 D1 FF FF FF|sos.txtN|E8 CC FF FF FF|wN|E8 CD FF FF FF E8 CF FF FF FF|pwn-isapiN|E8 C8 FF FF FF 90 90 90 90|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:16479; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache APR apr_fn match infinite loop denial of service attempt"; flow:to_server,established; content:"P=*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0419; reference:url,issues.apache.org/bugzilla/show_bug.cgi?id=51219; classtype:attempted-dos; sid:19709; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - POST parameter"; flow:to_server,established; http_uri; content:".action"; http_client_body; content:"new",nocase; pcre:"/new(\s|%20)(java|org)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0391; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-admin; sid:23631; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt ParametersInterceptor"; flow:to_server,established; http_uri; content:".action?",nocase; content:"new java.io.FileWriter",distance 0,nocase; pcre:"/[\x26\x3f](\w+)=([A-Z]\x3a\x2f|\x2e{2}?\x2f)[^\x26]*?\x2e[a-z0-9\x2e]{1,6}\x26[^\x26]*?FileWriter\x28\s*\1\s*\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0393; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21656; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - DebuggingInterceptor"; flow:to_server,established; http_uri; content:".action?",nocase; content:"debug=command",distance 0,nocase; content:"Runtime|28 29|.exec",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0394; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21075; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - CookieInterceptor"; flow:to_server,established; http_uri; content:".action"; http_cookie; content:"|28|",depth 1; pcre:"/^\x28[^\x3D]+?\x29\x3D/m"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0392; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21074; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - ExceptionDelegator alternate"; flow:to_server,established; http_uri; content:".action?",nocase; content:"=|27|",distance 0; content:"allowStaticMethodAccess",distance 0,nocase; content:"Runtime|28 29|.exec",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0391; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21073; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - ExceptionDelegator"; flow:to_server,established; http_uri; content:".action?",nocase; content:"=|27|",distance 0; content:"new ",distance 0,nocase; pcre:"/new (javax?|org)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0391; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21072; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 ( msg:"SERVER-APACHE HP Performance Manager Apache Tomcat policy bypass attempt"; flow:to_server,established; content:"/manager",nocase; content:"Authorization",distance 0,nocase; content:"Basic",within 50,nocase; content:"b3Z3ZWJ1c3I6T3ZXKmJ1c3Ix",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36954; reference:bugtraq,37086; reference:cve,2009-3548; reference:cve,2009-3843; classtype:attempted-admin; sid:17156; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_log_config cookie handling denial of service attempt"; flow:to_server,established; content:"Cookie|3A| =|0D 0A 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,51705; reference:cve,2012-0021; classtype:denial-of-service; sid:24697; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts2 blacklisted method redirectAction"; flow:to_server,established; http_uri; content:".action?redirectAction|3A|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:27243; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts2 blacklisted method redirect"; flow:to_server,established; http_uri; content:".action?redirect|3A|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:27244; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts2 remote code execution attempt"; flow:to_server,established; http_uri; content:".action?action|3A 7B|",nocase; content:".start|28 29|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:web-application-attack; sid:27245; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt"; flow:to_server,established; http_uri; content:"(@java.lang.Runtime@getRuntime()).exec("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60345; reference:bugtraq,60346; reference:cve,2013-2134; reference:cve,2013-2135; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; reference:url,osvdb.org/show/osvdb/93969; classtype:attempted-admin; sid:27574; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; http_client_body; content:"Q=M&Q=M&Q=M&Q=M&Q=M&"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43140; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:24275; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; http_client_body; content:"C=A&C=A&C=A&C=A&C=A&"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43140; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:24274; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS 5.0 WebDav Request Directory Security Bypass"; flow:to_server,established; content:"POST",nocase; content:"|25 32 35 25 33 37 25 33 30 25 32 35 25 33 37 25|",within 16,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35232; reference:cve,2009-1122; classtype:attempted-admin; sid:17525; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"SERVER-IIS Microsoft Windows 7 IIS7.5 FTPSVC buffer overflow attempt"; flow:to_server,established; content:"|BF FF EF EF BB BF FE FF EF BB BF FF EF FF EF EF BB BF EF BB|"; metadata:policy balanced-ips drop,policy security-ips drop,service ftp; reference:bugtraq,45542; reference:cve,2010-3972; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-004; classtype:attempted-admin; sid:18243; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; http_client_body; content:"p=1&p=1&p=1&p=1&p=1&"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43140; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:19192; rev:8; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; http_client_body; content:"id=1&id=1&id=1&id=1&id=1&"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:17254; rev:7; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; http_client_body; content:"cmd.exe",nocase; pcre:"/\bcmd\x2eexe\b/is"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:web-application-attack; sid:23626; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS ADFS custom header arbitrary code execution attempt "; flow:to_server,established; http_header; content:"pFilterCtxHdr",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2509; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-070; classtype:attempted-admin; sid:16312; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WebDAV Request Directory Security Bypass attempt"; flow:to_server,established; content:"/%c0%af/"; pcre:"/^(GET|OPTIONS|HEAD|POST|PUT|DELETE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)[^\r\n]*\s+[^\r\n]*\x2f\x25c0\x25af\x2f/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34993; reference:cve,2009-1535; classtype:attempted-admin; sid:17564; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS multiple extension code execution attempt"; flow:to_server,established; http_uri; content:".asp|3B|.",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4444; classtype:web-application-attack; sid:16356; rev:10; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|",within 255; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2091; rev:15; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; http_uri; content:"cmd.exe",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service http; classtype:web-application-attack; sid:1002; rev:17; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd32.exe access"; flow:to_server,established; http_uri; content:"cmd32.exe",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service http; classtype:web-application-attack; sid:1661; rev:14; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7000 ( msg:"SERVER-IIS Microsoft Windows Server 2012 IIS OData protocol nested replace filter dos attempt"; flow:to_server,established; http_uri; content:"replace|28|replace|28|replace|28|replace|28|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0005; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-007; classtype:attempted-dos; sid:25274; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Microsoft Windows Exchange MODPROPS denial of service attempt"; flow:to_server,established; content:"X-MICROSOFT-CDO-MODPROPS:"; content:"Content-Type: text/calendar",nocase; content:"X-MICROSOFT-CDO-MODPROPS:"; isdataat:25; content:!"|0A|",within 1,distance 24; content:"X-MICROSOFT-CDO-MODPROPS",distance 0; content:"X-MICROSOFT-CDO-MODPROPS:",distance 0; content:"END:",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,23808; reference:cve,2007-0039; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-dos; sid:21776; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Multiple IMAP server CREATE command buffer overflow attempt"; flow:to_server,established; content:" CREATE ",nocase; isdataat:180,relative; pcre:"/^[a-z0-9]+\s+CREATE\s[^\r\n]{180}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service imap; reference:bugtraq,14315; reference:bugtraq,41704; reference:cve,2005-1520; reference:cve,2010-2777; classtype:attempted-admin; sid:17239; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Multiple IMAP server literal CREATE command buffer overflow attempt"; flow:to_server,established; content:" CREATE ",nocase; content:"{",within 5; byte_test:8,>,180,0,relative, string; metadata:policy balanced-ips drop,policy security-ips drop,service imap; reference:bugtraq,14315; reference:bugtraq,41704; reference:cve,2005-1520; reference:cve,2010-2777; classtype:attempted-admin; sid:17240; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL MailEnable IMAP Service Invalid Command Buffer Overlow LOGIN"; flow:to_server,established; content:"login|20 7B|",depth 7,offset 3,nocase; byte_test:10,>,1023,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service imap; reference:bugtraq,21252; classtype:attempted-admin; sid:17503; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow"; flow:established,to_server; flowbits:isset,qualcom.worldmail.ok; dsize:>668; metadata:policy balanced-ips drop,policy security-ips drop,service imap; reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:17328; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Alt-N MDaemon IMAP Server FETCH command buffer overflow attempt"; flow:to_server,established; flowbits:isset,server.mdaemon; content:"FETCH"; content:"BODY"; content:"["; isdataat:256,relative; content:!"]",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service imap; reference:bugtraq,28245; reference:cve,2008-1358; reference:url,files.altn.com/MDaemon/Release/RelNotes_en.txt; classtype:attempted-admin; sid:13663; rev:7; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Ipswitch IMail search date command buffer overflow attempt"; flow:to_server,established; content:"search"; pcre:"/^\S+\s+(uid\s+|)search\s[^\n]*(sent|)(on|before|since)\s+[^\s]{64}/Osmi"; metadata:policy balanced-ips drop,policy security-ips drop,service imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12213; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Ipswitch IMail literal search date command buffer overflow attempt"; flow:to_server,established; content:"search"; pcre:"/^\S+\s+(uid\s+|)search\s[^\n]*(sent|)(on|before|since)\s*\{\s/smi"; byte_test:5,>,64,0,string,dec,relative; metadata:policy balanced-ips drop,policy security-ips drop,service imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12212; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Ipswitch IMail search command buffer overflow attempt"; flow:to_server,established; content:"charset"; pcre:"/^\S+\s+(uid\s+|)search\s+charset\s*\{\s/smi"; byte_test:5,>,250,0,string,dec,relative; metadata:policy balanced-ips drop,policy security-ips drop,service imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12115; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Ipswitch IMail search command buffer overflow attempt"; flow:to_server,established; content:"charset"; pcre:"/^\S+\s+(uid\s+|)search\s+charset\s+[^\s]{250}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12114; rev:5; )
-alert tcp $HOME_NET 143 -> $EXTERNAL_NET any ( msg:"SERVER-MAIL Qualcomm WorldMail Server Response"; flow:established,to_client; content:"WorldMail IMAP4 Server"; flowbits:set,qualcom.worldmail.ok; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; sid:17327; rev:8; )
-alert tcp $EXTERNAL_NET 110 -> $HOME_NET any ( msg:"SERVER-MAIL IBM Lotus Notes HTML Speed Reader Long URL buffer overflow attempt"; flow:established,to_client; file_data; content:"Content-Disposition|3A| attachment",nocase; content:"<a ",nocase; content:"href=",distance 0; content:!"|3E|",within 500; pcre:"/href=.*?[\x22\x27][^\x22\x27]{500}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service pop3; reference:bugtraq,16576; reference:cve,2005-2618; classtype:attempted-user; sid:17331; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Novell GroupWise Internet Agent SMTP AUTH LOGIN command buffer overflow attempt"; flow:to_server,established; content:"AUTH",nocase; content:"LOGIN",distance 0,nocase; pcre:"/^\s*AUTH\s+LOGIN[^\x0a\x0d]{100,}(?<!\x0d)\x0a/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,35065; reference:cve,2009-1636; classtype:attempted-admin; sid:16193; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Micrsoft Office Outlook Web Access invalid CSS escape sequence script execution attempt "; flow:to_server,established; content:"|22 5C 5C 22|",fast_pattern; content:"</style>",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2008-2248; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-039; classtype:misc-attack; sid:13895; rev:10; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Novell GroupWise internet agent RRULE parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"BEGIN:VCALENDAR",nocase; content:"|0A|RRULE",distance 0,nocase; isdataat:300,relative; content:!"|0A|",within 300; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,44732; reference:cve,2010-4715; reference:cve,2011-2662; reference:cve,2011-2663; classtype:attempted-admin; sid:18768; rev:10; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Content-Disposition attachment"; flow:to_server,established; content:"Content-Disposition|3A|",nocase; content:"attachment",distance 0,nocase; pcre:"/^Content-Disposition\x3A\s*attachment/smi"; flowbits:set,smtp.contenttype.attachment; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; sid:17332; rev:7; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Majordomo2 smtp directory traversal attempt"; flow:to_server,established; content:"help ../../../../../.."; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,46127; reference:cve,2011-0049; classtype:web-application-attack; sid:18765; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL IBM Lotus Notes DOC attachment viewer buffer overflow"; flow:to_server,established; content:"Content-Disposition|3A| attachment|3B|"; content:"filename=|22|poc.doc|22|",distance 0; content:"Mb4AAACr",distance 0; content:"WnoHAQQABAAAAAUAtQFUaGlzIGlzIGEgdGVzdA0K",distance 0; content:"/wAB5kBBQUFB//8",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,26146; reference:cve,2007-5544; classtype:attempted-user; sid:15485; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"SERVER-MAIL Exim and Dovecot mail from remote command execution attempt"; flow:to_server,established; content:"MAIL FROM|3A|",nocase; content:"|60|wget",within 50,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,isc.sans.edu/diary/Dovecot++Exim+Exploit+Detects/16243; reference:url,osvdb.org/show/osvdb/93004; classtype:attempted-admin; sid:27532; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-MSSQL Microsoft SQL Server Reporting Services cross site scripting attempt"; flow:established,to_client; file_data; content:"href=|22|/Reports/Pages/Report.aspx?",nocase; content:"SelectedSubTabId=",distance 0,nocase; content:"script",within 50,nocase; pcre:"/SelectedSubTabId=[^>]*?([\x22\x27]|%22|%27)\s*?>\s*?<[^>]*?script/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-2552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-070; classtype:attempted-user; sid:24356; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-MSSQL Microsoft SQL Server Reporting Services cross site scripting attempt"; flow:established,to_server; http_uri; content:"/Reports/Pages/Report.aspx"; content:"SelectedSubTabId=",nocase; pcre:"/[?&]SelectedSubTabId=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-2552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-070; classtype:web-application-attack; sid:24355; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-MSSQL Microsoft SQL Server Distributed Management Objects overflow attempt"; flow:to_client,established; file_data; content:"<object classid='clsid|3A|10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer'",nocase; content:"SQLDMO.SQLServer",nocase; pcre:"/progid\s*\x3d\s*[\x22\x27]SQLDMO\x2eSQLServer[\x22\x27]/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25594; reference:cve,2007-4814; classtype:attempted-user; sid:16208; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL Database COM_FIELD_LIST Buffer Overflow attempt"; flow:to_server,established; content:"|04|",depth 1,offset 4; pcre:"/^[^\x0D\x0A\x00]{512}/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2010-1850; classtype:attempted-user; sid:16703; rev:5; )
-alert tcp any any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB client authentication bypass attempt"; flow:to_server,established; content:"|00 00 01|",depth 3,offset 1,fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|",within 23,distance 9; pcre:"/^\w+\x00/iRm"; detection_filter:track by_src,count 100, seconds 5; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2012-2122; classtype:attempted-admin; sid:23115; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL database Procedure Analyse denial of service attempt - 2"; flow:to_server,established; content:",|00 00 00 03|select * from `theview` procedure analyse|28 29|",depth 48; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2009-4019; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html; classtype:attempted-dos; sid:16349; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL database PROCEDURE ANALYSE denial of service attempt - 1"; flow:to_server,established; content:"'|00 00 00 03|select * from `v1` procedure analyse|28 29|",depth 43; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2009-4019; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html; classtype:attempted-dos; sid:16348; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL create function mysql.func arbitrary library injection attempt"; flow:to_server,established; content:"|03|",depth 5; content:"mysql.func",distance 0,nocase; pcre:"/(INSERT|UPDATE)\s*[\s\w]*((mysql\.)?func)[^\r\n]+values\s*\([^\)]+\x2c[\x22\x27][^\x22\x27]*\x2f/i"; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:bugtraq,12781; reference:cve,2005-0710; classtype:attempted-user; sid:17412; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL create function libc arbitrary code execution attempt"; flow:to_server,established; content:"|03|create function",depth 16,offset 4; content:"libc.so",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:bugtraq,12781; reference:cve,2005-0709; classtype:attempted-user; sid:15952; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL XML Functions UpdateXML Scalar XPath denial of service attempt"; flow:to_server,established; content:"|03|",depth 1,offset 4; content:"SELECT",distance 0,nocase; content:"UpdateXML",distance 1,nocase; pcre:"/^.{4}\x03\s*SELECT\s+UpdateXML\s*\x28.*?\x2c\s*((\x22|\x27)?[0-9].*?|(?P<q1>(\x22|\x27)?)\x28.*?\x29(?P=q1)|.*?\x24\x40.*?|\x22.*?\x27.*?|\x27.*?\x22.*?)\s*\x2c.*?\x29/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:bugtraq,33972; reference:cve,2009-0819; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-32.html; reference:url,secunia.com/advisories/34115; classtype:attempted-dos; sid:15443; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL XML Functions ExtractValue Scalar XPath denial of service attempt"; flow:to_server,established; content:"|03|",depth 1,offset 4; content:"SELECT",distance 0,nocase; content:"ExtractValue",distance 1,nocase; pcre:"/^.{4}\x03\s*SELECT\s+ExtractValue\s*\x28.*?\x2c\s*((\x22|\x27)?[0-9].*?|(?P<q1>(\x22|\x27)?)\x28.*?\x29(?P=q1)|.*?\x24\x40.*?|\x22.*?\x27.*?|\x27.*?\x22.*?)\s*\x29/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:bugtraq,33972; reference:cve,2009-0819; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-32.html; reference:url,secunia.com/advisories/34115; classtype:attempted-dos; sid:15442; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL yaSSL library cert parsing stack overflow attempt"; flow:to_server,established; content:"|16 03 01|",depth 3; content:"|0B|",within 1,distance 2; content:"*|86 00 84 00 00 04|",within 8,distance 56; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:bugtraq,37640; reference:cve,2009-4484; classtype:attempted-user; sid:16385; rev:5; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL Oracle MySQL grant file long database name stack overflow attempt"; flow:to_server,established; content:"grant ",nocase; isdataat:193,relative; pcre:"/grant\s.+?\son\s[^\.\s]{193}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:bugtraq,56769; reference:cve,2012-5611; classtype:attempted-user; sid:24897; rev:3; )
-alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any ( msg:"SERVER-MYSQL Oracle MySQL user enumeration attempt"; flow:to_client,established; content:"|15 04|",depth 2,offset 5; content:"Access denied for user"; detection_filter:track by_dst,count 10, seconds 2; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:bugtraq,56766; reference:cve,2012-5615; classtype:attempted-recon; sid:24908; rev:4; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL Oracle MySQL select UpdateXML nested xml elements denial of service attempt"; flow:to_server,established; content:"SELECT ",nocase; content:"UpdateXML|28|",within 50,nocase; isdataat:1024; content:!"|29|",within 1024; pcre:"/^\s*[\x22\x27]<\w>\s*<\s*[a-z][0-9]\s*>\s*<\s*[a-z][0-9]\s*>\s*<\s*[a-z][0-9]\s*>/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2012-5614; classtype:attempted-dos; sid:24909; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL Oracle MySQL MDL free corrupted pointer heap overflow attempt"; flow:to_server,established; content:"ZZZZZZZZZZZROM t WHERE 1=1",fast_pattern,fast_pattern_offset 9,fast_pattern_length 16; content:"ZZZZZZZZZZZZZZZZZZZZ",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:bugtraq,56768; reference:cve,2012-5612; classtype:attempted-user; sid:24910; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"geometryn(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0700000001000000",within 16,distance 10; content:"0300000002000000",within 16,distance 2; byte_test:8,>=,65535,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26299; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"geometryn(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0700000001000000",within 16,distance 10; content:"0500000001000000",within 16,distance 2; byte_test:8,>=,65535,10,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26300; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"geometryn(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0700000001000000",within 16,distance 10; content:"0600000001000000",within 16,distance 2; content:"01000000",within 8,distance 10; byte_test:8,>=,65535,0,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26301; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt"; flow:to_server,established; content:"astext(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"02000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26302; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"astext(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0300000001000000",within 16,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26303; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"astext(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0500000001000000",within 16,distance 10; byte_test:2,>=,0x10,16,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26304; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"astext(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0600000001000000",within 16,distance 10; content:"01000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26305; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt"; flow:to_server,established; content:"st_area(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"02000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26306; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"st_area(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0300000001000000",within 16,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26307; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"st_area(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0500000001000000",within 16,distance 10; byte_test:2,>=,0x10,16,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26308; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"st_area(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0600000001000000",within 16,distance 10; content:"01000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26309; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt"; flow:to_server,established; content:"envelope(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"02000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26310; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"envelope(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0300000001000000",within 16,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26311; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"envelope(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0500000001000000",within 16,distance 10; byte_test:2,>=,0x10,16,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26312; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"envelope(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0600000001000000",within 16,distance 10; content:"01000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26313; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"SERVER-ORACLE Oracle Outside In CorelDRAW file parser buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.cdr; file_data; content:"fnttfont",nocase; byte_test:4,>,2147483647,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2264; reference:url,www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html; classtype:attempted-user; sid:21921; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"SERVER-ORACLE Oracle Outside In CorelDRAW file parser buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.cdr; file_data; content:"fnttfont",nocase; byte_test:4,<,18,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2264; reference:url,www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html; classtype:attempted-user; sid:21920; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server serverdown Authentication bypass attempt"; flow:to_server,established; content:"error-serverdown.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Ferror-serverdown\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15156; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server png Authentication bypass attempt"; flow:to_server,established; content:"|2F|.png"; pcre:"/^[a-zA-Z]+\s+\x2F\x2Epng.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15155; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server gif Authentication bypass attempt"; flow:to_server,established; content:"|2F|.gif"; pcre:"/^[a-zA-Z]+\s+\x2F\x2Egif.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15154; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server setup Authentication bypass attempt"; flow:to_server,established; content:"setup/setup-"; pcre:"/^[A-Z]+\s+\x2Fsetup\x2Fsetup-.*?\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32189; reference:cve,2008-6509; classtype:attempted-admin; sid:15153; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt"; flow:to_server,established; content:"setup/index.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Fsetup\x2F\index\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15152; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server logout Authentication bypass attempt"; flow:to_server,established; content:"index.jsp?logout=true"; pcre:"/^[a-zA-Z]+\s+\x2Findex\x2Ejsp\x3Flogout\x3Dtrue.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15151; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server login Authentication bypass attempt"; flow:to_server,established; content:"login.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Flogin\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15150; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"PUA-OTHER Skype skype4com URI handler memory corruption attempt"; flow:to_client,established; file_data; content:"skype4com|3A|"; pcre:"/skype4com\x3A[A-Z\d]{0,6}[^A-Z\d]/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,26748; reference:cve,2007-5989; classtype:attempted-user; sid:13292; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker morpheus toolbar runtime detection - get cfg info"; flow:to_server,established; http_uri; content:"/ms162cfg.jsp?",nocase; pcre:"/\x2fms162cfg\x2ejsp\x3f([sverlcfan]\x3d[^\x26\s]*\x26){8}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.sophos.com/security/analyses/morpheustoolbar.html; classtype:misc-activity; sid:12293; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - get cfg"; flow:to_server,established; http_uri; content:"/desktop/",nocase; content:"/toolbar/supremetb",fast_pattern,nocase; content:".cfg",nocase; pcre:"/\x2Fdesktop\x2F\d+\x2Ftoolbar\x2Fsupremetb\d+\.cfg/i"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530; classtype:successful-recon-limited; sid:5939; rev:11; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - pass info to server"; flow:to_server,established; http_uri; content:"/d/sr/?",nocase; content:"xargs=",nocase; content:"yargs=",nocase; http_header; content:"Referer|3A| ",nocase; content:"metaresults.copernic.com",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5886; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - ie autosearch & search assistant hijack"; flow:to_server,established; http_uri; content:"/copern.light/redirs_all.htm?",fast_pattern,nocase; content:"pgtarg=",nocase; content:"qcat=",nocase; content:"qkw=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5885; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - check toolbar & category info"; flow:to_server,established; http_uri; content:"/software/meta/Update/VersionCheckInfo.ini?c=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5884; rev:10; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - collect information"; flow:to_server,established; http_uri; content:"/images/nocache/tr/gca/m.gif?",fast_pattern,nocase; content:"rand=",nocase; content:"a=",nocase; content:"u=",nocase; content:"r=",nocase; content:"w=",nocase; content:"myway.com",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5803; rev:12; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - track activity 1"; flow:to_server,established; http_uri; content:"/tr.js?",nocase; content:"a=",nocase; content:"r=",nocase; pkt_data; content:"Host|3A| c4.myway.com"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert; service:http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5801; rev:11; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts OGNL parameter interception bypass command execution attempt"; flow:to_server,established; http_uri; content:"xwork.MethodAccessor.denyMethodExecution",nocase; content:"u0023",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,41592; reference:cve,2010-1870; classtype:attempted-admin; sid:18931; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts Information Disclosure Attempt"; flow:to_server,established; http_uri; content:"/struts",nocase; http_raw_uri; content:"..|25|252f"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32104; reference:cve,2008-6505; classtype:attempted-recon; sid:17533; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"%2E%2E/"; http_raw_uri; content:"%2E%2E/"; pkt_data; pcre:"/\/(\\|%5C)%2E%2E\//"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17502; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/%2E%2E"; http_raw_uri; content:"/%2E%2E"; pkt_data; pcre:"/\/%2E%2E(\\|%5C)\//"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17501; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/..%5C/"; http_raw_uri; content:"/..%5C/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17500; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/..|5C|/"; http_raw_uri; content:"/..|5C|/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17499; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/|5C|../"; http_raw_uri; content:"/|5C|../"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17498; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/%5C../"; http_raw_uri; content:"/%5C../"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17391; rev:7; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt"; flow:to_server,established; http_header; content:"Proxy-Connection: Keep-Alive"; content:"Transfer-Encoding: chunked|0D 0A|Content-Length: 40334"; http_uri; content:".dll"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:19124; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt"; flow:to_server,established; http_header; content:"Proxy-Connection|3A| Keep-Alive|0D 0A|Okytuasd|3A| AAAA"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:16480; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt - public shell code"; flow:to_server,established; content:"1|C0|1|C9|d|8B|q0|8B|v|0C 8B|v|1C 8B|V|08 8B|~ |8B|6f9O|14|u|F2|f|B9 01|mf|81 E9 94|lf9|0F|f|89 C1|u|E1 89 E5 EB|q`|8B|l|24 24 8B|E<|8B|T|05|x|01 EA 8B|J|18 8B|Z |01 EB E3|4I|8B|4|8B 01 EE|1|FF|1|C0 FC AC 84 C0|t|07 C1 CF 0D 01 C7 EB F4 3B 7C 24 28|u|E1 8B|Z|24 01 EB|f|8B 0C|K|8B|Z|1C 01 EB 8B 04 8B 01 E8 89|D|24 1C|a|C3 AD|PR|E8 AA FF FF FF 89 07|f|81 C4 0C 01|f|81 EC 04 01|f|81 C7 08 01|f|81 EF 04 01|9|CE|u|DE C3 EB 10|^|8D|}|04 89 F1 80 C1 0C E8 CD FF FF FF EB 3B E8 EB FF FF FF|n|7C|.|E1 1E|<?|D7|t|1E|H|CD|1|D2|X|88|P|07 EB|/1|D2|Y|88|Q|01 EB|.QP|FF|U|04 EB|,1|D2|Y|88|Q|09 EB|3QP|89 C6 FF|U|08|S|FF|U|0C E8 D1 FF FF FF|sos.txtN|E8 CC FF FF FF|wN|E8 CD FF FF FF E8 CF FF FF FF|pwn-isapiN|E8 C8 FF FF FF 90 90 90 90|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:16479; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache APR apr_fn match infinite loop denial of service attempt"; flow:to_server,established; content:"P=*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-0419; reference:url,issues.apache.org/bugzilla/show_bug.cgi?id=51219; classtype:attempted-dos; sid:19709; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - POST parameter"; flow:to_server,established; http_uri; content:".action"; http_client_body; content:"new",nocase; pcre:"/new(\s|%20)(java|org)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0391; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-admin; sid:23631; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt ParametersInterceptor"; flow:to_server,established; http_uri; content:".action?",nocase; content:"new java.io.FileWriter",distance 0,nocase; pcre:"/[\x26\x3f](\w+)=([A-Z]\x3a\x2f|\x2e{2}?\x2f)[^\x26]*?\x2e[a-z0-9\x2e]{1,6}\x26[^\x26]*?FileWriter\x28\s*\1\s*\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0393; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21656; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - DebuggingInterceptor"; flow:to_server,established; http_uri; content:".action?",nocase; content:"debug=command",distance 0,nocase; content:"Runtime|28 29|.exec",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0394; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21075; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - CookieInterceptor"; flow:to_server,established; http_uri; content:".action"; http_cookie; content:"|28|",depth 1; pcre:"/^\x28[^\x3D]+?\x29\x3D/m"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0392; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21074; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - ExceptionDelegator alternate"; flow:to_server,established; http_uri; content:".action?",nocase; content:"=|27|",distance 0; content:"allowStaticMethodAccess",distance 0,nocase; content:"Runtime|28 29|.exec",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0391; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21073; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - ExceptionDelegator"; flow:to_server,established; http_uri; content:".action?",nocase; content:"=|27|",distance 0; content:"new ",distance 0,nocase; pcre:"/new (javax?|org)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0391; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21072; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 ( msg:"SERVER-APACHE HP Performance Manager Apache Tomcat policy bypass attempt"; flow:to_server,established; content:"/manager",nocase; content:"Authorization",distance 0,nocase; content:"Basic",within 50,nocase; content:"b3Z3ZWJ1c3I6T3ZXKmJ1c3Ix",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36954; reference:bugtraq,37086; reference:cve,2009-3548; reference:cve,2009-3843; classtype:attempted-admin; sid:17156; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_log_config cookie handling denial of service attempt"; flow:to_server,established; content:"Cookie|3A| =|0D 0A 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,51705; reference:cve,2012-0021; classtype:denial-of-service; sid:24697; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts2 blacklisted method redirectAction"; flow:to_server,established; http_uri; content:".action?redirectAction|3A|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:27243; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts2 blacklisted method redirect"; flow:to_server,established; http_uri; content:".action?redirect|3A|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:27244; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts2 remote code execution attempt"; flow:to_server,established; http_uri; content:".action?action|3A 7B|",nocase; content:".start|28 29|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:web-application-attack; sid:27245; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt"; flow:to_server,established; http_uri; content:"(@java.lang.Runtime@getRuntime()).exec("; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,60345; reference:bugtraq,60346; reference:cve,2013-2134; reference:cve,2013-2135; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; reference:url,osvdb.org/show/osvdb/93969; classtype:attempted-admin; sid:27574; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; http_client_body; content:"Q=M&Q=M&Q=M&Q=M&Q=M&"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43140; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:24275; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; http_client_body; content:"C=A&C=A&C=A&C=A&C=A&"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43140; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:24274; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS 5.0 WebDav Request Directory Security Bypass"; flow:to_server,established; content:"POST",nocase; content:"|25 32 35 25 33 37 25 33 30 25 32 35 25 33 37 25|",within 16,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35232; reference:cve,2009-1122; classtype:attempted-admin; sid:17525; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"SERVER-IIS Microsoft Windows 7 IIS7.5 FTPSVC buffer overflow attempt"; flow:to_server,established; content:"|BF FF EF EF BB BF FE FF EF BB BF FF EF FF EF EF BB BF EF BB|"; metadata:policy balanced-ips drop,policy security-ips drop; service:ftp; reference:bugtraq,45542; reference:cve,2010-3972; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-004; classtype:attempted-admin; sid:18243; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; http_client_body; content:"p=1&p=1&p=1&p=1&p=1&"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43140; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:19192; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; http_client_body; content:"id=1&id=1&id=1&id=1&id=1&"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:17254; rev:7; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; http_client_body; content:"cmd.exe",nocase; pcre:"/\bcmd\x2eexe\b/is"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; classtype:web-application-attack; sid:23626; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS ADFS custom header arbitrary code execution attempt "; flow:to_server,established; http_header; content:"pFilterCtxHdr",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-2509; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-070; classtype:attempted-admin; sid:16312; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WebDAV Request Directory Security Bypass attempt"; flow:to_server,established; content:"/%c0%af/"; pcre:"/^(GET|OPTIONS|HEAD|POST|PUT|DELETE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)[^\r\n]*\s+[^\r\n]*\x2f\x25c0\x25af\x2f/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34993; reference:cve,2009-1535; classtype:attempted-admin; sid:17564; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS multiple extension code execution attempt"; flow:to_server,established; http_uri; content:".asp|3B|.",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-4444; classtype:web-application-attack; sid:16356; rev:10; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|",within 255; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2091; rev:15; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; http_uri; content:"cmd.exe",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:1002; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd32.exe access"; flow:to_server,established; http_uri; content:"cmd32.exe",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:1661; rev:14; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7000 ( msg:"SERVER-IIS Microsoft Windows Server 2012 IIS OData protocol nested replace filter dos attempt"; flow:to_server,established; http_uri; content:"replace|28|replace|28|replace|28|replace|28|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0005; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-007; classtype:attempted-dos; sid:25274; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Microsoft Windows Exchange MODPROPS denial of service attempt"; flow:to_server,established; content:"X-MICROSOFT-CDO-MODPROPS:"; content:"Content-Type: text/calendar",nocase; content:"X-MICROSOFT-CDO-MODPROPS:"; isdataat:25; content:!"|0A|",within 1,distance 24; content:"X-MICROSOFT-CDO-MODPROPS",distance 0; content:"X-MICROSOFT-CDO-MODPROPS:",distance 0; content:"END:",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,23808; reference:cve,2007-0039; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-dos; sid:21776; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Multiple IMAP server CREATE command buffer overflow attempt"; flow:to_server,established; content:" CREATE ",nocase; isdataat:180,relative; pcre:"/^[a-z0-9]+\s+CREATE\s[^\r\n]{180}/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:imap; reference:bugtraq,14315; reference:bugtraq,41704; reference:cve,2005-1520; reference:cve,2010-2777; classtype:attempted-admin; sid:17239; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Multiple IMAP server literal CREATE command buffer overflow attempt"; flow:to_server,established; content:" CREATE ",nocase; content:"{",within 5; byte_test:8,>,180,0,relative, string; metadata:policy balanced-ips drop,policy security-ips drop; service:imap; reference:bugtraq,14315; reference:bugtraq,41704; reference:cve,2005-1520; reference:cve,2010-2777; classtype:attempted-admin; sid:17240; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL MailEnable IMAP Service Invalid Command Buffer Overlow LOGIN"; flow:to_server,established; content:"login|20 7B|",depth 7,offset 3,nocase; byte_test:10,>,1023,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop; service:imap; reference:bugtraq,21252; classtype:attempted-admin; sid:17503; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow"; flow:established,to_server; flowbits:isset,qualcom.worldmail.ok; dsize:>668; metadata:policy balanced-ips drop,policy security-ips drop; service:imap; reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:17328; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Alt-N MDaemon IMAP Server FETCH command buffer overflow attempt"; flow:to_server,established; flowbits:isset,server.mdaemon; content:"FETCH"; content:"BODY"; content:"["; isdataat:256,relative; content:!"]",within 256; metadata:policy balanced-ips drop,policy security-ips drop; service:imap; reference:bugtraq,28245; reference:cve,2008-1358; reference:url,files.altn.com/MDaemon/Release/RelNotes_en.txt; classtype:attempted-admin; sid:13663; rev:7; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Ipswitch IMail search date command buffer overflow attempt"; flow:to_server,established; content:"search"; pcre:"/^\S+\s+(uid\s+|)search\s[^\n]*(sent|)(on|before|since)\s+[^\s]{64}/Osmi"; metadata:policy balanced-ips drop,policy security-ips drop; service:imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12213; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Ipswitch IMail literal search date command buffer overflow attempt"; flow:to_server,established; content:"search"; pcre:"/^\S+\s+(uid\s+|)search\s[^\n]*(sent|)(on|before|since)\s*\{\s/smi"; byte_test:5,>,64,0,string,dec,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12212; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Ipswitch IMail search command buffer overflow attempt"; flow:to_server,established; content:"charset"; pcre:"/^\S+\s+(uid\s+|)search\s+charset\s*\{\s/smi"; byte_test:5,>,250,0,string,dec,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12115; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"SERVER-MAIL Ipswitch IMail search command buffer overflow attempt"; flow:to_server,established; content:"charset"; pcre:"/^\S+\s+(uid\s+|)search\s+charset\s+[^\s]{250}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12114; rev:5; )
+alert tcp $HOME_NET 143 -> $EXTERNAL_NET any ( msg:"SERVER-MAIL Qualcomm WorldMail Server Response"; flow:established,to_client; content:"WorldMail IMAP4 Server"; flowbits:set,qualcom.worldmail.ok; flowbits:noalert; service:imap; classtype:protocol-command-decode; sid:17327; rev:8; )
+alert tcp $EXTERNAL_NET 110 -> $HOME_NET any ( msg:"SERVER-MAIL IBM Lotus Notes HTML Speed Reader Long URL buffer overflow attempt"; flow:established,to_client; file_data; content:"Content-Disposition|3A| attachment",nocase; content:"<a ",nocase; content:"href=",distance 0; content:!"|3E|",within 500; pcre:"/href=.*?[\x22\x27][^\x22\x27]{500}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:pop3; reference:bugtraq,16576; reference:cve,2005-2618; classtype:attempted-user; sid:17331; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Novell GroupWise Internet Agent SMTP AUTH LOGIN command buffer overflow attempt"; flow:to_server,established; content:"AUTH",nocase; content:"LOGIN",distance 0,nocase; pcre:"/^\s*AUTH\s+LOGIN[^\x0a\x0d]{100,}(?<!\x0d)\x0a/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,35065; reference:cve,2009-1636; classtype:attempted-admin; sid:16193; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Micrsoft Office Outlook Web Access invalid CSS escape sequence script execution attempt "; flow:to_server,established; content:"|22 5C 5C 22|",fast_pattern; content:"</style>",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2008-2248; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-039; classtype:misc-attack; sid:13895; rev:10; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Novell GroupWise internet agent RRULE parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"BEGIN:VCALENDAR",nocase; content:"|0A|RRULE",distance 0,nocase; isdataat:300,relative; content:!"|0A|",within 300; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,44732; reference:cve,2010-4715; reference:cve,2011-2662; reference:cve,2011-2663; classtype:attempted-admin; sid:18768; rev:10; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Content-Disposition attachment"; flow:to_server,established; content:"Content-Disposition|3A|",nocase; content:"attachment",distance 0,nocase; pcre:"/^Content-Disposition\x3A\s*attachment/smi"; flowbits:set,smtp.contenttype.attachment; flowbits:noalert; service:smtp; classtype:protocol-command-decode; sid:17332; rev:7; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Majordomo2 smtp directory traversal attempt"; flow:to_server,established; content:"help ../../../../../.."; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,46127; reference:cve,2011-0049; classtype:web-application-attack; sid:18765; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL IBM Lotus Notes DOC attachment viewer buffer overflow"; flow:to_server,established; content:"Content-Disposition|3A| attachment|3B|"; content:"filename=|22|poc.doc|22|",distance 0; content:"Mb4AAACr",distance 0; content:"WnoHAQQABAAAAAUAtQFUaGlzIGlzIGEgdGVzdA0K",distance 0; content:"/wAB5kBBQUFB//8",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,26146; reference:cve,2007-5544; classtype:attempted-user; sid:15485; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"SERVER-MAIL Exim and Dovecot mail from remote command execution attempt"; flow:to_server,established; content:"MAIL FROM|3A|",nocase; content:"|60|wget",within 50,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,isc.sans.edu/diary/Dovecot++Exim+Exploit+Detects/16243; reference:url,osvdb.org/show/osvdb/93004; classtype:attempted-admin; sid:27532; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-MSSQL Microsoft SQL Server Reporting Services cross site scripting attempt"; flow:established,to_client; file_data; content:"href=|22|/Reports/Pages/Report.aspx?",nocase; content:"SelectedSubTabId=",distance 0,nocase; content:"script",within 50,nocase; pcre:"/SelectedSubTabId=[^>]*?([\x22\x27]|%22|%27)\s*?>\s*?<[^>]*?script/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-2552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-070; classtype:attempted-user; sid:24356; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-MSSQL Microsoft SQL Server Reporting Services cross site scripting attempt"; flow:established,to_server; http_uri; content:"/Reports/Pages/Report.aspx"; content:"SelectedSubTabId=",nocase; pcre:"/[?&]SelectedSubTabId=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-2552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-070; classtype:web-application-attack; sid:24355; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-MSSQL Microsoft SQL Server Distributed Management Objects overflow attempt"; flow:to_client,established; file_data; content:"<object classid='clsid|3A|10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer'",nocase; content:"SQLDMO.SQLServer",nocase; pcre:"/progid\s*\x3d\s*[\x22\x27]SQLDMO\x2eSQLServer[\x22\x27]/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,25594; reference:cve,2007-4814; classtype:attempted-user; sid:16208; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL Database COM_FIELD_LIST Buffer Overflow attempt"; flow:to_server,established; content:"|04|",depth 1,offset 4; pcre:"/^[^\x0D\x0A\x00]{512}/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2010-1850; classtype:attempted-user; sid:16703; rev:5; )
+alert tcp any any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB client authentication bypass attempt"; flow:to_server,established; content:"|00 00 01|",depth 3,offset 1,fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|",within 23,distance 9; pcre:"/^\w+\x00/iRm"; detection_filter:track by_src,count 100, seconds 5; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2012-2122; classtype:attempted-admin; sid:23115; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL database Procedure Analyse denial of service attempt - 2"; flow:to_server,established; content:",|00 00 00 03|select * from `theview` procedure analyse|28 29|",depth 48; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2009-4019; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html; classtype:attempted-dos; sid:16349; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL database PROCEDURE ANALYSE denial of service attempt - 1"; flow:to_server,established; content:"'|00 00 00 03|select * from `v1` procedure analyse|28 29|",depth 43; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2009-4019; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html; classtype:attempted-dos; sid:16348; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL create function mysql.func arbitrary library injection attempt"; flow:to_server,established; content:"|03|",depth 5; content:"mysql.func",distance 0,nocase; pcre:"/(INSERT|UPDATE)\s*[\s\w]*((mysql\.)?func)[^\r\n]+values\s*\([^\)]+\x2c[\x22\x27][^\x22\x27]*\x2f/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:bugtraq,12781; reference:cve,2005-0710; classtype:attempted-user; sid:17412; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL create function libc arbitrary code execution attempt"; flow:to_server,established; content:"|03|create function",depth 16,offset 4; content:"libc.so",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:bugtraq,12781; reference:cve,2005-0709; classtype:attempted-user; sid:15952; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL XML Functions UpdateXML Scalar XPath denial of service attempt"; flow:to_server,established; content:"|03|",depth 1,offset 4; content:"SELECT",distance 0,nocase; content:"UpdateXML",distance 1,nocase; pcre:"/^.{4}\x03\s*SELECT\s+UpdateXML\s*\x28.*?\x2c\s*((\x22|\x27)?[0-9].*?|(?P<q1>(\x22|\x27)?)\x28.*?\x29(?P=q1)|.*?\x24\x40.*?|\x22.*?\x27.*?|\x27.*?\x22.*?)\s*\x2c.*?\x29/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:bugtraq,33972; reference:cve,2009-0819; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-32.html; reference:url,secunia.com/advisories/34115; classtype:attempted-dos; sid:15443; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL XML Functions ExtractValue Scalar XPath denial of service attempt"; flow:to_server,established; content:"|03|",depth 1,offset 4; content:"SELECT",distance 0,nocase; content:"ExtractValue",distance 1,nocase; pcre:"/^.{4}\x03\s*SELECT\s+ExtractValue\s*\x28.*?\x2c\s*((\x22|\x27)?[0-9].*?|(?P<q1>(\x22|\x27)?)\x28.*?\x29(?P=q1)|.*?\x24\x40.*?|\x22.*?\x27.*?|\x27.*?\x22.*?)\s*\x29/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:bugtraq,33972; reference:cve,2009-0819; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-32.html; reference:url,secunia.com/advisories/34115; classtype:attempted-dos; sid:15442; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL yaSSL library cert parsing stack overflow attempt"; flow:to_server,established; content:"|16 03 01|",depth 3; content:"|0B|",within 1,distance 2; content:"*|86 00 84 00 00 04|",within 8,distance 56; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:bugtraq,37640; reference:cve,2009-4484; classtype:attempted-user; sid:16385; rev:5; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL Oracle MySQL grant file long database name stack overflow attempt"; flow:to_server,established; content:"grant ",nocase; isdataat:193,relative; pcre:"/grant\s.+?\son\s[^\.\s]{193}/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:bugtraq,56769; reference:cve,2012-5611; classtype:attempted-user; sid:24897; rev:3; )
+alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any ( msg:"SERVER-MYSQL Oracle MySQL user enumeration attempt"; flow:to_client,established; content:"|15 04|",depth 2,offset 5; content:"Access denied for user"; detection_filter:track by_dst,count 10, seconds 2; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:bugtraq,56766; reference:cve,2012-5615; classtype:attempted-recon; sid:24908; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL Oracle MySQL select UpdateXML nested xml elements denial of service attempt"; flow:to_server,established; content:"SELECT ",nocase; content:"UpdateXML|28|",within 50,nocase; isdataat:1024; content:!"|29|",within 1024; pcre:"/^\s*[\x22\x27]<\w>\s*<\s*[a-z][0-9]\s*>\s*<\s*[a-z][0-9]\s*>\s*<\s*[a-z][0-9]\s*>/Ri"; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2012-5614; classtype:attempted-dos; sid:24909; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL Oracle MySQL MDL free corrupted pointer heap overflow attempt"; flow:to_server,established; content:"ZZZZZZZZZZZROM t WHERE 1=1",fast_pattern,fast_pattern_offset 9,fast_pattern_length 16; content:"ZZZZZZZZZZZZZZZZZZZZ",within 100; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:bugtraq,56768; reference:cve,2012-5612; classtype:attempted-user; sid:24910; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"geometryn(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0700000001000000",within 16,distance 10; content:"0300000002000000",within 16,distance 2; byte_test:8,>=,65535,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26299; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"geometryn(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0700000001000000",within 16,distance 10; content:"0500000001000000",within 16,distance 2; byte_test:8,>=,65535,10,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26300; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"geometryn(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0700000001000000",within 16,distance 10; content:"0600000001000000",within 16,distance 2; content:"01000000",within 8,distance 10; byte_test:8,>=,65535,0,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26301; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt"; flow:to_server,established; content:"astext(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"02000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26302; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"astext(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0300000001000000",within 16,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26303; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"astext(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0500000001000000",within 16,distance 10; byte_test:2,>=,0x10,16,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26304; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"astext(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0600000001000000",within 16,distance 10; content:"01000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26305; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt"; flow:to_server,established; content:"st_area(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"02000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26306; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"st_area(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0300000001000000",within 16,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26307; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"st_area(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0500000001000000",within 16,distance 10; byte_test:2,>=,0x10,16,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26308; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"st_area(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0600000001000000",within 16,distance 10; content:"01000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26309; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt"; flow:to_server,established; content:"envelope(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"02000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26310; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"envelope(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0300000001000000",within 16,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26311; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"envelope(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0500000001000000",within 16,distance 10; byte_test:2,>=,0x10,16,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26312; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"envelope(",fast_pattern,nocase; content:"0x",distance 0,nocase; content:"0600000001000000",within 16,distance 10; content:"01000000",within 8,distance 10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:policy balanced-ips drop,policy security-ips drop; service:mysql; reference:cve,2013-1861; reference:url,osvdb.org/show/osvdb/91415; classtype:attempted-admin; sid:26313; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"SERVER-ORACLE Oracle Outside In CorelDRAW file parser buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.cdr; file_data; content:"fnttfont",nocase; byte_test:4,>,2147483647,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2264; reference:url,www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html; classtype:attempted-user; sid:21921; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"SERVER-ORACLE Oracle Outside In CorelDRAW file parser buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.cdr; file_data; content:"fnttfont",nocase; byte_test:4,<,18,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2011-2264; reference:url,www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html; classtype:attempted-user; sid:21920; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 ( msg:"SERVER-ORACLE DBMS_JAVA.SET_OUTPUT_TO_JAVA privilege escalation attempt"; flow:to_server,established; content:"DBMS_JAVA.SET_OUTPUT_TO_JAVA",fast_pattern; content:"AUTONOMOUS_TRANSACTION",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,38115; reference:cve,2010-0867; classtype:attempted-admin; sid:18996; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 ( msg:"SERVER-ORACLE Secure Backup msgid 0x901 username field overflow attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|",depth 8,offset 12; isdataat:300,relative; byte_test:4,>,300,12,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,33177; reference:cve,2008-5444; classtype:attempted-admin; sid:15255; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup Administration server authentication bypass attempt"; flow:to_server,established; http_uri; content:"login.php",nocase; http_client_body; content:"attempt=",nocase; content:"uname=",nocase; pcre:"/uname=[^&]*(%3[CE]|-)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35672; reference:bugtraq,41596; reference:cve,2009-1977; reference:cve,2010-0904; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html; classtype:attempted-admin; sid:16192; rev:7; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup Administration server authentication bypass attempt"; flow:to_server,established; http_uri; content:"login.php",nocase; http_client_body; content:"attempt=",nocase; content:"uname=",nocase; pcre:"/uname=[^&]*(%3[CE]|-)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35672; reference:bugtraq,41596; reference:cve,2009-1977; reference:cve,2010-0904; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html; classtype:attempted-admin; sid:16192; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE xdb.dbms_xmlschema buffer overflow attempt"; flow:to_server,established; content:"xdb.dbms_xmlschema.generateschema",nocase; pcre:"/\s*\x28(\x27[^\x27]{64}|\x27[^\x27]*\x27\s*,\s*\x27[^\x27]{64})/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,16287; reference:cve,2006-0272; classtype:string-detect; sid:17659; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Database REPCAT_RPC.VALIDATE_REMOTE_RC SQL injection attempt"; flow:to_server,established; content:"DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC",nocase; pcre:"/^\s*\x28[^\x2c]+\x2c[^\x2c]+?\x3b/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,35685; reference:cve,2009-1021; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html; classtype:attempted-admin; sid:16189; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9700 ( msg:"SERVER-ORACLE Application Server BPEL module cross site scripting attempt"; flow:to_server,established; content:"GET /BPELConsole/default/activities.jsp",depth 39,nocase; pcre:"/(\x3F|\x26)[^\x3D]*(\x27|%27)[^\x3D]*(\x3C|%3c)script(\x3E|%3e)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4014; classtype:attempted-user; sid:15445; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup administration server login.php cookies command injection attempt"; flow:to_server,established; http_uri; content:"button=Logout"; content:"login.php?"; content:!"clear=yes"; content:"ora_osb_bgcookie"; pcre:"/ora_osb_bgcookie=[^\w\d\-]+?/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33177; reference:cve,2008-4006; classtype:attempted-admin; sid:17638; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9700 ( msg:"SERVER-ORACLE Application Server BPEL module cross site scripting attempt"; flow:to_server,established; content:"GET /BPELConsole/default/activities.jsp",depth 39,nocase; pcre:"/(\x3F|\x26)[^\x3D]*(\x27|%27)[^\x3D]*(\x3C|%3c)script(\x3E|%3e)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4014; classtype:attempted-user; sid:15445; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup administration server login.php cookies command injection attempt"; flow:to_server,established; http_uri; content:"button=Logout"; content:"login.php?"; content:!"clear=yes"; content:"ora_osb_bgcookie"; pcre:"/ora_osb_bgcookie=[^\w\d\-]+?/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33177; reference:cve,2008-4006; classtype:attempted-admin; sid:17638; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE database server crafted view privelege escalation attempt"; flow:to_server, established; content:"CREATE VIEW",nocase; content:"FROM",distance 0,nocase; content:"sys.testtable t1, sys.testtable t2",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,17246; reference:cve,2006-1705; classtype:attempted-admin; sid:17619; rev:2; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_ASSERT.simple_sql_name double quote SQL injection attempt"; flow:to_server,established; content:"DBMS_ASSERT.simple_sql_name|28|"; pcre:"/DBMS_ASSERT\x2Esimple_sql_name\x28[^\x29\x22]*?\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,19203; classtype:misc-attack; sid:17590; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE UTL_FILE directory traversal attempt"; flow:to_server,established; content:"UTL_FILE.FOPEN",nocase; content:"|5C 5C 2E 5C|",distance 0,fast_pattern; pcre:"/UTL_FILE\.FOPEN\s*\x28(?P<q1>\x22|\x27).*?(?P=q1)[\s\x40]*\x2C[\s\x40]*[\x22\x27]\x5C\x5C\x2E\x5C/smi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,12749; reference:cve,2005-0701; classtype:misc-attack; sid:17584; rev:3; )
alert tcp $HOME_NET $ORACLE_PORTS -> $EXTERNAL_NET any ( msg:"SERVER-ORACLE Oracle connection established"; flow:to_server, established; content:"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME="; flowbits:set,oracle.connect; flowbits:noalert; classtype:attempted-user; sid:17418; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Database Intermedia Denial of Service Attempt"; flow:to_server,established; content:"TO_BLOB(HEXTORAW",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*0{4,6}\s*\x27\s*\x29\s/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13239; classtype:denial-of-service; sid:17417; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Database Intermedia Denial of Service Attempt"; flow:to_server,established; content:"ORDSYS.ORD",nocase; pcre:"/(Image|Doc)/iR"; pcre:"/(Set|Check)\x10Properties/iR"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13239; classtype:denial-of-service; sid:17416; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Application Server Forms Arbitrary System Command Execution Attempt"; flow:to_server,established; http_uri; content:"f90servlet?form=",nocase; pcre:"/form=[cde]\x3a(\x5C|\x2F)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,14319; reference:cve,2005-2372; classtype:attempted-user; sid:17350; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Application Server Forms Arbitrary System Command Execution Attempt"; flow:to_server,established; http_uri; content:"f90servlet?form=",nocase; pcre:"/form=[cde]\x3a(\x5C|\x2F)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,14319; reference:cve,2005-2372; classtype:attempted-user; sid:17350; rev:2; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE database server crafted view privelege escalation attempt"; flow:to_server, established; content:"CREATE VIEW",nocase; content:"FROM",distance 0,nocase; content:"sys.te6sttable t1, sys.testtable t2",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,17246; reference:cve,2006-1705; classtype:attempted-admin; sid:17313; rev:2; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sdo_lrs.convert_to_lrs_layer buffer overflow attempt"; flow:to_server,established; content:"sdo_lrs.convert_to_lrs_layer",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,20588; reference:cve,2006-5340; classtype:attempted-user; sid:17293; rev:3; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_METADATA Package SQL Injection attempt"; flow:to_server,established; content:"SYS.DBMS_METADATA.GET_DDL|28 27 27 27 7C 7C|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2005-1197; classtype:attempted-user; sid:17270; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 ( msg:"SERVER-ORACLE Secure Backup NDMP packet handling DoS attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 09 00|",depth 8,offset 12; content:!"|00 00 00 00|",within 4,distance 4; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,33177; reference:cve,2008-5441; classtype:attempted-dos; sid:16777; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS ( msg:"SERVER-ORACLE Oracle Database Server DBMS_CDC_PUBLISH.ALTER_CHANGE_SOURCE procedure SQL injection attempt"; flow:to_server,established; content:"DBMS_CDC_PUBLISH.ALTER_CHANGE_SOURCE",nocase; pcre:"/^\s*\x28[^\x29\x2C]*?\x27\x27/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,39422; reference:cve,2010-0870; classtype:attempted-user; sid:16723; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS ( msg:"SERVER-ORACLE Oracle Database Server DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE procedure SQL injection attempt"; flow:to_server,established; content:"DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE",nocase; pcre:"/^\s*\x28\s*[^\x29\x2C]*?\x27\x27/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,39422; reference:cve,2010-0870; classtype:attempted-user; sid:16722; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"SERVER-ORACLE Oracle Secure Enterprise Search search_p_groups cross-site scripting attempt"; flow:to_server,established; content:"search|2F|query|2F|search",nocase; content:"search_p_groups|3D|",distance 0,nocase; pcre:"/^[^\x26\s]*(\x3e|\x253e)/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35681; reference:cve,2009-1968; classtype:attempted-user; sid:16717; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"SERVER-ORACLE Oracle Secure Enterprise Search search_p_groups cross-site scripting attempt"; flow:to_server,established; content:"search|2F|query|2F|search",nocase; content:"search_p_groups|3D|",distance 0,nocase; pcre:"/^[^\x26\s]*(\x3e|\x253e)/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35681; reference:cve,2009-1968; classtype:attempted-user; sid:16717; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1000: ( msg:"SERVER-ORACLE Database sys.olapimpl_t package odcitablestart overflow attempt"; flow:to_server,established; content:"sys.olapimpl_t.odcitablestart|28|",nocase; pcre:"/sys\x2eolapimpl\x5ft\x2eodcitablestart\x28[^\x2c]+\x2c[^\x2c]+\x2c\s*\x27?[^\x2c\x27]{303}/i"; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2008-3974; classtype:attempted-user; sid:16516; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 5556 ( msg:"SERVER-ORACLE WebLogic Server Node Manager arbitrary command execution attempt"; flow:to_server,established; content:"EXECSCRIPT",nocase; pcre:"/^EXECSCRIPT\s+\.\.[\x2F\x5C]\.\./smi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,37926; reference:cve,2010-0073; reference:url,www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0073.html; classtype:attempted-admin; sid:16438; rev:3; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Oracle database server CREATE_TABLES SQL injection attempt"; flow:to_server,established; content:"ctxsys.drvxtabc.create_tables",nocase; pcre:"/^\s*\x28\s*(\x27[^\x27\x22]*\x27\s*\x2c\s*)?\x27[^\x27\x22]*\x22/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,36748; reference:cve,2009-1991; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html; classtype:attempted-admin; sid:16290; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Application Server Portal cross site scripting attempt"; flow:to_server,established; http_uri; content:"/sso/jsp/login.jsp"; content:"site2pstoretoken",nocase; pcre:"/[?&]site2pstoretoken=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,secunia.com/advisories/33761; classtype:attempted-user; sid:16215; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Secure Backup Administration server authentication bypass attempt - via GET"; flow:to_server,established; http_uri; content:"login.php?",nocase; content:"attempt=",nocase; content:"uname=",nocase; pcre:"/uname\x3d[^\x26]*[\x3c\x3e]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35672; reference:cve,2009-1977; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html; classtype:attempted-admin; sid:16191; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Secure Backup Administration server property_box.php command injection attempt"; flow:to_server,established; http_uri; content:"property_box.php?"; content:"type=Sections"; content:"other="; pcre:"/other=[^\x26]*[\x21-\x24\x27\x28-\x2a\x2d\x2f\x3b\x3c\x3e\x3f\x40\x5b-\x5d\x7b-\x7e]/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35678; reference:cve,2009-1978; classtype:attempted-admin; sid:16190; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 ( msg:"SERVER-ORACLE Application Server 9i Webcache file corruption attempt"; flow:to_server,established; content:"webcacheadmin?"; content:"SCREEN_ID=CGA.CacheDump"; content:"ACTION=Submit&index=1"; content:"cache_dump_file="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13420; reference:cve,2005-1382; classtype:attempted-admin; sid:15955; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Application Server Portal cross site scripting attempt"; flow:to_server,established; http_uri; content:"/sso/jsp/login.jsp"; content:"site2pstoretoken",nocase; pcre:"/[?&]site2pstoretoken=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,secunia.com/advisories/33761; classtype:attempted-user; sid:16215; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Secure Backup Administration server authentication bypass attempt - via GET"; flow:to_server,established; http_uri; content:"login.php?",nocase; content:"attempt=",nocase; content:"uname=",nocase; pcre:"/uname\x3d[^\x26]*[\x3c\x3e]/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35672; reference:cve,2009-1977; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html; classtype:attempted-admin; sid:16191; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Secure Backup Administration server property_box.php command injection attempt"; flow:to_server,established; http_uri; content:"property_box.php?"; content:"type=Sections"; content:"other="; pcre:"/other=[^\x26]*[\x21-\x24\x27\x28-\x2a\x2d\x2f\x3b\x3c\x3e\x3f\x40\x5b-\x5d\x7b-\x7e]/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35678; reference:cve,2009-1978; classtype:attempted-admin; sid:16190; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 ( msg:"SERVER-ORACLE Application Server 9i Webcache file corruption attempt"; flow:to_server,established; content:"webcacheadmin?"; content:"SCREEN_ID=CGA.CacheDump"; content:"ACTION=Submit&index=1"; content:"cache_dump_file="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,13420; reference:cve,2005-1382; classtype:attempted-admin; sid:15955; rev:2; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Oracle database server RemoveWorkspace SQL injection attempt"; flow:to_server,established; content:".RemoveWorkspace",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,31683; reference:cve,2008-3982; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html; classtype:attempted-admin; sid:15725; rev:2; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Oracle database server MergeWorkspace SQL injection attempt"; flow:to_server,established; content:".MergeWorkspace",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,31683; reference:cve,2008-3982; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html; classtype:attempted-admin; sid:15724; rev:2; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Oracle database server CompressWorkspaceTree SQL injection attempt"; flow:to_server,established; content:".CompressWorkspaceTree",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*?\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,31683; reference:cve,2008-3982; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html; classtype:attempted-admin; sid:15723; rev:3; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Oracle Database DBMS_AQADM_SYS package GRANT_TYPE_ACCESS procedure SQL injection attempt"; flow:to_server,established; content:"SYS.DBMS_AQADM_SYS.GRANT_TYPE_ACCESS",nocase; pcre:"/SYS\x2eDBMS\x5fAQADM\x5fSYS\x2eGRANT\x5fTYPE\x5fACCESS\s*\x28\s*\x27[^\x2c\x20\x27]*[\x2c\x20]/is"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,34461; reference:cve,2009-0977; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; reference:url,www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html; classtype:attempted-admin; sid:11204; rev:3; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Oracle Database Server RollbackWorkspace SQL injection attempt"; flow:to_server,established; content:".RollbackWorkspace",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\s\x2c\x29]/iR"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,34461; reference:cve,2009-0978; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:attempted-admin; sid:15515; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup POST exec_qr command injection attempt"; flow:to_server,established; http_client_body; content:"button=Logout"; http_uri; content:"login.php"; http_client_body; content:!"clear=yes"; content:"ora_osb_bgcookie"; content:"rbtool"; pcre:"/(ora_osb_bgcookie|rbtool)=[^\x20\x26\x3b]{1}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33177; reference:cve,2008-5448; classtype:attempted-user; sid:15262; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup exec_qr command injection attempt"; flow:to_server,established; http_uri; content:"button=Logout"; content:"login.php?"; content:!"clear=yes"; content:"ora_osb_bgcookie"; content:"rbtool"; pcre:"/(ora_osb_bgcookie|rbtool)=[^\x20\x26\x3b]{1}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33177; reference:cve,2008-5448; classtype:attempted-user; sid:15261; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup login.php variable based command injection attempt"; flow:to_server,established; http_uri; content:"login.php"; content:"rbtool="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-5449; classtype:attempted-admin; sid:15258; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup common.php variable based command injection attempt"; flow:to_server,established; http_uri; content:"common.php"; content:"rbtool="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4006; classtype:attempted-admin; sid:15257; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-ORACLE BPEL process manager XSS injection attempt"; flow:to_server,established; http_uri; content:"/BPELConsole/default/activities.jsp?",nocase; content:"'",distance 0; metadata:policy balanced-ips drop,service http; reference:cve,2008-4014; reference:url,www.securityfocus.com/archive/1/500060; classtype:web-application-attack; sid:15256; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup POST exec_qr command injection attempt"; flow:to_server,established; http_client_body; content:"button=Logout"; http_uri; content:"login.php"; http_client_body; content:!"clear=yes"; content:"ora_osb_bgcookie"; content:"rbtool"; pcre:"/(ora_osb_bgcookie|rbtool)=[^\x20\x26\x3b]{1}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33177; reference:cve,2008-5448; classtype:attempted-user; sid:15262; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup exec_qr command injection attempt"; flow:to_server,established; http_uri; content:"button=Logout"; content:"login.php?"; content:!"clear=yes"; content:"ora_osb_bgcookie"; content:"rbtool"; pcre:"/(ora_osb_bgcookie|rbtool)=[^\x20\x26\x3b]{1}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33177; reference:cve,2008-5448; classtype:attempted-user; sid:15261; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup login.php variable based command injection attempt"; flow:to_server,established; http_uri; content:"login.php"; content:"rbtool="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-5449; classtype:attempted-admin; sid:15258; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup common.php variable based command injection attempt"; flow:to_server,established; http_uri; content:"common.php"; content:"rbtool="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4006; classtype:attempted-admin; sid:15257; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-ORACLE BPEL process manager XSS injection attempt"; flow:to_server,established; http_uri; content:"/BPELConsole/default/activities.jsp?",nocase; content:"'",distance 0; metadata:policy balanced-ips drop; service:http; reference:cve,2008-4014; reference:url,www.securityfocus.com/archive/1/500060; classtype:web-application-attack; sid:15256; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 ( msg:"SERVER-ORACLE Oracle database SYS.LT.FINDRICSET SQL injection attempt"; flow:to_server,established; content:"SYS.LT.FINDRICSET",nocase; content:"''|7C 7C|",distance 0; pcre:"/SYS\.LT\.FINDRICSET\([^,\)]*\'\'\|\|/si"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,26098; reference:cve,2007-5511; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html; classtype:attempted-admin; sid:13366; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Database Application Express Component APEX password hash disclosure attempt"; flow:to_server,established; content:"select%20user_name,web_password2%20from"; content:"WWV_FLOW_USERS",distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34461; reference:cve,2009-0981; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:misc-attack; sid:15488; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Database Application Express Component APEX password hash disclosure attempt"; flow:to_server,established; content:"select%20user_name,web_password2%20from"; content:"WWV_FLOW_USERS",distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34461; reference:cve,2009-0981; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:misc-attack; sid:15488; rev:3; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Oracle database server Workspace Manager multiple SQL injection attempt"; flow:to_server,established; content:"GRAN|FF|T EXECUTE ON VZJSQ TO PUBLIC"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,31683; reference:cve,2008-3982; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html; classtype:attempted-admin; sid:15722; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 ( msg:"SERVER-ORACLE Oracle Database DBMS TNS Listener denial of service attempt"; flow:to_server,established; content:"|00 00 02 D4 20 08 FF 03 01 00 12|44444"; content:"|BC C3 CC 07 00 00 00 00|",distance 0; content:"|00 00 00 00 00 00 00 00 89 C0 B1 C3 08 1D|",within 14,distance 4; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,34461; reference:cve,2009-0991; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:attempted-dos; sid:17055; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [6000:6199] ( msg:"SERVER-ORACLE Oracle Application Server 10g OPMN service format string vulnerability exploit attempt"; flow:to_server,established; content:"HTTP",nocase; content:"%n%s%n%s%n%s"; pcre:"/^(GET|POST|HEAD)\s+[^\x25\r\n]*\x25[\x23\x24\x27\x2a\x2b\x2d\x2ehlqjzt1234567890]*[diouxefgacspn]/i"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,34461; reference:cve,2009-0993; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:attempted-admin; sid:17669; rev:6; )
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"SERVER-ORACLE Oracle Secure Backup exec_qr command injection attempt"; flow:to_client,established; content:"|02 07 02 03 01 00 01 A3 81 88 30 81 85 30 1D 06 03 55 1D 0E 04 16 04 14 BE CA 3E 52 2D 3D CE 89|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-5448; classtype:attempted-user; sid:24907; rev:1; )
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"SERVER-ORACLE Oracle Secure Backup exec_qr command injection attempt"; flow:to_client,established; content:"|02 07 02 03 01 00 01 A3 81 88 30 81 85 30 1D 06 03 55 1D 0E 04 16 04 14 BE CA 3E 52 2D 3D CE 89|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-5448; classtype:attempted-user; sid:24907; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 497 ( msg:"SERVER-OTHER EMC Dantz Retrospect Backup Agent denial of service attempt"; flow:to_server,established; content:"|87 00 00|",depth 3,offset 1; content:"|00 00 00 00|",within 4,distance 4; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; reference:cve,2006-0995; classtype:denial-of-service; sid:16039; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER IPP Application Content"; flow:to_server,established; content:"Content-Type|3A|",nocase; content:"application/ipp",distance 1,nocase; flowbits:set,ipp.application; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; sid:17534; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER IPP Application Content"; flow:to_server,established; content:"Content-Type|3A|",nocase; content:"application/ipp",distance 1,nocase; flowbits:set,ipp.application; flowbits:noalert; service:http; classtype:protocol-command-decode; sid:17534; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER CA ARCServ NetBackup remote file upload attempt"; flow:to_server,established; content:"rxrReceiveFileFromServer~~8~~"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,28616; reference:cve,2008-1329; reference:url,secunia.com/advisories/25606/; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105; classtype:web-application-activity; sid:13839; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4888 ( msg:"SERVER-OTHER Symantec Veritas Storage Scheduler Service NULL Session auth bypass attempt"; flow:to_server,established; content:"NTLMSSP|00 03 00 00 00|"; content:"|00 00|",within 2,distance 34; metadata:policy balanced-ips drop,policy security-ips drop,service ident; reference:bugtraq,30596; reference:cve,2008-3703; classtype:attempted-user; sid:14768; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt"; flow:to_server,established; flowbits:isset,ipp.application; content:"printer-uri",nocase; content:"ipp://",within 6,distance 2; pcre:"/(((c|l)pi\x00.{1}(-\d|0)\x21)|(columns\x00.{1}(-\d|0)\x21)|(page-(right|left|top|bottom)\x00.{1}(-\d|0|([3-9]\d{5}|24\d{4}|236\d{3}|23593\d{1}|23592[2-9])\x21)))/is"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31690; reference:cve,2008-3640; classtype:attempted-user; sid:17535; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4888 ( msg:"SERVER-OTHER Symantec Veritas Storage Scheduler Service NULL Session auth bypass attempt"; flow:to_server,established; content:"NTLMSSP|00 03 00 00 00|"; content:"|00 00|",within 2,distance 34; metadata:policy balanced-ips drop,policy security-ips drop; service:ident; reference:bugtraq,30596; reference:cve,2008-3703; classtype:attempted-user; sid:14768; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt"; flow:to_server,established; flowbits:isset,ipp.application; content:"printer-uri",nocase; content:"ipp://",within 6,distance 2; pcre:"/(((c|l)pi\x00.{1}(-\d|0)\x21)|(columns\x00.{1}(-\d|0)\x21)|(page-(right|left|top|bottom)\x00.{1}(-\d|0|([3-9]\d{5}|24\d{4}|236\d{3}|23593\d{1}|23592[2-9])\x21)))/is"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31690; reference:cve,2008-3640; classtype:attempted-user; sid:17535; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 ( msg:"SERVER-OTHER Arkeia Network Backup Client Buffer Overflow Type 77 Attempt"; flow:to_server,established; content:"|00 4D|",depth 2; byte_test:2,>,23,4,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:18291; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 ( msg:"SERVER-OTHER Arkeia Network Backup Client Buffer Overflow Type 84 Attempt"; flow:to_server,established; content:"|00 54|",depth 2; byte_test:2,>,255,4,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:18292; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: ( msg:"SERVER-OTHER HP OpenView Storage Data Protector Stack Buffer Overflow"; flow:to_server, established; content:"|FF FE 32 00 36 00 37 00 00 00|"; content:"|01 00 31 00 00 00 01 00 32 00 00 00 01 00 33 00|",within 16; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2007-2280; reference:cve,2007-2881; classtype:attempted-admin; sid:18587; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: ( msg:"SERVER-OTHER HP OpenView Storage Data Protector Stack Buffer Overflow"; flow:to_server, established; content:"|FF FE 32 00 36 00 37 00 00 00|",depth 72; content:"|20 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 00 00 20 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2007-2280; reference:cve,2007-2881; classtype:attempted-admin; sid:17530; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER HP OpenView Network Node Manager ovlaunch host field overflow attempt"; flow:to_server,established; http_uri; content:"ovlaunch.exe",nocase; pkt_data; content:"host|3A|",nocase; isdataat:300,relative; pcre:"/^host\x3a\s*[^\r\n]{300}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33668; reference:cve,2008-4562; classtype:attempted-user; sid:16204; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|",nocase; isdataat:1024; pcre:"/^\x2FOvCgi\x2F[^\x2E]*?\x2Eexe[^\h]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26741; reference:cve,2007-6204; reference:cve,2008-0067; classtype:attempted-user; sid:13161; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER HP OpenView Network Node Manager ovlaunch host field overflow attempt"; flow:to_server,established; http_uri; content:"ovlaunch.exe",nocase; pkt_data; content:"host|3A|",nocase; isdataat:300,relative; pcre:"/^host\x3a\s*[^\r\n]{300}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33668; reference:cve,2008-4562; classtype:attempted-user; sid:16204; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|",nocase; isdataat:1024; pcre:"/^\x2FOvCgi\x2F[^\x2E]*?\x2Eexe[^\h]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,26741; reference:cve,2007-6204; reference:cve,2008-0067; classtype:attempted-user; sid:13161; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 ( msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|",depth 4; content:"|00 00 00 03|",within 4,distance 8; content:"|00 00 00 04|",within 4; byte_test:4,>,0x10000,504,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24333; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 ( msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|",depth 4; content:"|00 00 00 55|",within 4,distance 8; content:"|00 00 00 16|",within 4; byte_test:4,>,0x10000,467,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24332; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 ( msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|",depth 4; content:"|00 00 00 55|",within 4,distance 8; content:"|00 00 00 01|",within 4; byte_test:4,>,0x10000,405,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24331; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 ( msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|",depth 2; content:"|02 02 02 32 06 00 00 00|",within 8,distance 2; isdataat:104,relative; content:"|30 03|",within 2,distance 104; isdataat:210,relative; content:!"|00|",within 1500,distance 210; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23980; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 ( msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|",depth 2; content:"|02 02 02 32 06 00 00 00|",within 8,distance 2; isdataat:104,relative; content:"|10 03|",within 2,distance 104; isdataat:210,relative; content:!"|00|",within 1500,distance 210; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23979; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 ( msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|",depth 2; content:"|02 02 02 32 06 00 00 00|",within 8,distance 2; isdataat:104,relative; content:"|20 03|",within 2,distance 104; isdataat:210,relative; content:!"|00|",within 1500,distance 210; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23632; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS IPP memory corruption attempt"; flow:to_server,established; http_header; content:"Content-Type|3A|",nocase; content:"application/ipp",within 20,fast_pattern,nocase; http_client_body; content:"|01|",depth 9; pcre:"/^.{8}\x01[\x37-\x40\x43]/"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; pkt_data; pcre:"/[\x35\x36\x41\x42\x44-\x49]\x00\x00/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-2941; classtype:attempted-admin; sid:23139; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS IPP memory corruption attempt"; flow:to_server,established; http_header; content:"Content-Type|3A|",nocase; content:"application/ipp",within 20,fast_pattern,nocase; http_client_body; content:"|01|",depth 9; pcre:"/^.{8}\x01[\x35\x36\x41\x42\x44-\x49]/"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; pkt_data; pcre:"/[\x37-\x40\x43]\x00\x00/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-2941; classtype:attempted-admin; sid:23138; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS IPP memory corruption attempt"; flow:to_server,established; http_header; content:"Content-Type|3A|",nocase; content:"application/ipp",within 20,fast_pattern,nocase; http_client_body; content:"|01|",depth 9; pcre:"/^.{8}\x01[\x37-\x40\x43]/"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; pkt_data; pcre:"/[\x35\x36\x41\x42\x44-\x49]\x00\x00/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-2941; classtype:attempted-admin; sid:23139; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS IPP memory corruption attempt"; flow:to_server,established; http_header; content:"Content-Type|3A|",nocase; content:"application/ipp",within 20,fast_pattern,nocase; http_client_body; content:"|01|",depth 9; pcre:"/^.{8}\x01[\x35\x36\x41\x42\x44-\x49]/"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; pkt_data; pcre:"/[\x37-\x40\x43]\x00\x00/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-2941; classtype:attempted-admin; sid:23138; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 16388 ( msg:"SERVER-OTHER Iron Mountain connected backup opcode 13 processing command injection attempt"; flow:to_server,established; content:"<Popupmessage>",nocase; content:"<type>13</type>",within 50,nocase; content:"<NotificationText",within 50,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,50884; reference:cve,2011-2397; reference:url,osvdb.org/show/osvdb/77495; classtype:misc-attack; sid:22952; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 912 ( msg:"SERVER-OTHER VMWare authorization service user credential parsing DoS attempt"; flow:to_server,established; content:"USER",depth 4; content:"PASS",distance 0; pcre:"/(USER|PASS)[^\x80-\xff]*[\x80-\xff]/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,36630; reference:cve,2009-3707; classtype:attempted-dos; sid:20058; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 389 ( msg:"SERVER-OTHER IBM Tivoli Directory Server ibmslapd.exe stack buffer overflow attempt"; flow:to_server,established; content:"CRAM-MD5|04 84 FF FF FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service ldap; reference:cve,2011-1206; reference:url,www-304.ibm.com/support/docview.wss?uid=swg21496117; classtype:attempted-admin; sid:19938; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 389 ( msg:"SERVER-OTHER IBM Tivoli Directory Server ibmslapd.exe stack buffer overflow attempt"; flow:to_server,established; content:"CRAM-MD5|04 84 FF FF FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop; service:ldap; reference:cve,2011-1206; reference:url,www-304.ibm.com/support/docview.wss?uid=swg21496117; classtype:attempted-admin; sid:19938; rev:6; )
alert udp $EXTERNAL_NET any -> $HOME_NET 8082 ( msg:"SERVER-OTHER McAfee ePolicy Orchestrator Framework Services log handling format string attempt"; content:"Type=|22|AgentWakeup|22|"; content:"|22 FA E5|"; content:"|8F|",within 212,distance 20; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,28228; reference:cve,2008-1357; reference:url,knowledge.mcafee.com/article/234/615103_f.sal_public.html; classtype:attempted-admin; sid:13631; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 10001 ( msg:"SERVER-OTHER Zend Server Java Bridge remote code execution attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 0C|CreateObject|00 00 00 02|",depth 24,offset 4; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,47060; reference:url,osvdb.org/show/osvdb/71420; classtype:attempted-admin; sid:18753; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 19300 ( msg:"SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt"; flow:to_server,established; content:"Authorization",offset 0,nocase; content:"Basic",within 50,nocase; content:"Y3hzZGs6a2RzeGM=",within 100,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38084; reference:cve,2010-0557; classtype:attempted-admin; sid:17207; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 ( msg:"SERVER-OTHER Oracle BEA Weblogic server console-help.portal cross-site scripting attempt"; flow:to_server,established; content:"|2F|consolehelp|2F|console-help|2E|portal",nocase; content:"searchQuery|3D|",distance 0,nocase; pcre:"/^[^\x26\s]*(\x3e|\x253e)/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35673; reference:cve,2009-1975; classtype:attempted-user; sid:16710; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 ( msg:"SERVER-OTHER IBM DB2 Database Server invalid data stream denial of service attempt"; flow:to_server,established; content:"|24 14|"; byte_test:1,=,0xd0,-8,relative; byte_test:1,&,4,-7,relative; byte_test:1,!&,3,-7,relative; metadata:policy balanced-ips drop,policy security-ips drop,service drda; reference:bugtraq,33258; reference:cve,2009-0173; classtype:attempted-dos; sid:16341; rev:4; )
-alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 ( msg:"SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt"; flow:to_server; dsize:>200; content:"|01|",depth 1,offset 49; byte_test:4,>,200,14,relative,big; metadata:policy balanced-ips drop,policy security-ips drop,service ntp; reference:bugtraq,35017; reference:cve,2009-1252; classtype:attempted-admin; sid:15514; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 19300 ( msg:"SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt"; flow:to_server,established; content:"Authorization",offset 0,nocase; content:"Basic",within 50,nocase; content:"Y3hzZGs6a2RzeGM=",within 100,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,38084; reference:cve,2010-0557; classtype:attempted-admin; sid:17207; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 ( msg:"SERVER-OTHER Oracle BEA Weblogic server console-help.portal cross-site scripting attempt"; flow:to_server,established; content:"|2F|consolehelp|2F|console-help|2E|portal",nocase; content:"searchQuery|3D|",distance 0,nocase; pcre:"/^[^\x26\s]*(\x3e|\x253e)/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35673; reference:cve,2009-1975; classtype:attempted-user; sid:16710; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 ( msg:"SERVER-OTHER IBM DB2 Database Server invalid data stream denial of service attempt"; flow:to_server,established; content:"|24 14|"; byte_test:1,=,0xd0,-8,relative; byte_test:1,&,4,-7,relative; byte_test:1,!&,3,-7,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:drda; reference:bugtraq,33258; reference:cve,2009-0173; classtype:attempted-dos; sid:16341; rev:4; )
+alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 ( msg:"SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt"; flow:to_server; dsize:>200; content:"|01|",depth 1,offset 49; byte_test:4,>,200,14,relative,big; metadata:policy balanced-ips drop,policy security-ips drop; service:ntp; reference:bugtraq,35017; reference:cve,2009-1252; classtype:attempted-admin; sid:15514; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 ( msg:"SERVER-OTHER Symantec Alert Management System Intel Alert Originator Service buffer overflow attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF FF FF|",depth 8; content:"|00 00 00 00 00 00 00 00|",within 8,distance 10; content:"|03|",within 1,distance 23; content:"BIND",within 4,distance 8; content:"BIND|00|",within 5,distance 17,fast_pattern; byte_test:2,>,0x400,0,relative,big; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,34672; reference:cve,2009-1430; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02; classtype:attempted-admin; sid:15555; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1718 ( msg:"SERVER-OTHER McAfee E-Business Server remote preauth code execution attempt"; flow:to_server,established; content:"|01|?/|05|%*",depth 6; pcre:"/^\x01\x3F\x2F\x05\x25\x2A[^\x0D\x0A]{300}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2008-0127; reference:url,www.infigo.hr/en/in_focus/advisories/INFIGO-2008-01-06; classtype:attempted-admin; sid:15882; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 554 ( msg:"SERVER-OTHER RealNetworks Helix Server RTSP SET_PARAMETER heap buffer overflow attempt"; flow:to_server,established; content:"SET_PARAMETER",depth 13; content:"DataConvertBuffer",distance 0,nocase; pcre:"/\x0a\x0d?\x0a[A-Z0-9\x2b\x2f\s]*[^A-Z0-9\x2b\x2f\s\x3d]/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service rtsp; reference:bugtraq,33059; reference:cve,2008-5911; classtype:attempted-admin; sid:15573; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 554 ( msg:"SERVER-OTHER RealNetworks Helix Server RTSP SET_PARAMETER heap buffer overflow attempt"; flow:to_server,established; content:"SET_PARAMETER",depth 13; content:"DataConvertBuffer",distance 0,nocase; pcre:"/\x0a\x0d?\x0a[A-Z0-9\x2b\x2f\s]*[^A-Z0-9\x2b\x2f\s\x3d]/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:rtsp; reference:bugtraq,33059; reference:cve,2008-5911; classtype:attempted-admin; sid:15573; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 ( msg:"SERVER-OTHER CA ARCServe Backup Discovery Service denial of service attempt"; flow:to_server,established; content:"h|00 00 00|",depth 4; content:"|FF FF FF|s",depth 4,offset 58; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,28927; reference:cve,2008-1979; reference:url,www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36440; classtype:attempted-dos; sid:16071; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|",depth 8; content:"IHDR"; content:"|06|",within 1,distance 9; byte_test:4,>,1431655765,-6,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32518; reference:cve,2008-5286; reference:url,www.cups.org/str.php?L2974; classtype:attempted-admin; sid:15146; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|",depth 8; content:"IHDR"; content:"|02|",within 1,distance 9; byte_test:4,>,1431655765,-6,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32518; reference:cve,2008-5286; reference:url,www.cups.org/str.php?L2974; classtype:attempted-admin; sid:15145; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|",depth 8; content:"IHDR"; content:"|06|",within 1,distance 9; byte_test:4,>,1431655765,-6,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32518; reference:cve,2008-5286; reference:url,www.cups.org/str.php?L2974; classtype:attempted-admin; sid:15146; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|",depth 8; content:"IHDR"; content:"|02|",within 1,distance 9; byte_test:4,>,1431655765,-6,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32518; reference:cve,2008-5286; reference:url,www.cups.org/str.php?L2974; classtype:attempted-admin; sid:15145; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 ( msg:"SERVER-OTHER Firebird Database Server username handling buffer overflow"; flow:to_server,established; content:"|00 00 00 13|",depth 4; content:"|1C|",within 80; byte_test:1,>,0x81,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,27467; reference:cve,2008-0467; classtype:attempted-admin; sid:13522; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1584 ( msg:"SERVER-OTHER IBM Tivoli Storage Manager Client dsmagent.exe NodeName length buffer overflow attempt"; flow:to_server,established; content:"|08 A5 00 01|",depth 4,offset 2; pcre:"/^.{2}\x08\xa5\x00\x01.{14}(([^\x00]|\x00[\x81-\xFF])|.{4}([^\x00]|\x00[\x81-\xFF]))/s"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,34803; reference:cve,2008-4828; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21384389; classtype:attempted-admin; sid:16685; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 910 ( msg:"SERVER-OTHER DATAC RealWin SCADA System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg",depth 4; isdataat:426,relative; content:!"|10 23|Tg",within 412,distance 14; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,31418; reference:bugtraq,46937; reference:cve,2008-4322; reference:cve,2011-1563; classtype:attempted-user; sid:14769; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER CA BrightStor ARCServer malicious fileupload attempt"; flow:to_server,established; content:"rxrReceiveFileFromServer~~8~~",nocase; pcre:"/^((\.\.\/|\.\.\\).*|(\.(exe|dll)))~~/Ri"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,24348; reference:cve,2007-5005; classtype:attempted-admin; sid:12667; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 54345 ( msg:"SERVER-OTHER HP Mercury Loadrunner command line buffer overflow"; flow:to_server,established; content:"|00 00 00 05 00 00 00 01|"; byte_jump:4, -12, relative; byte_jump:4, 4, relative, align; byte_test:4, >, 1132, 0, relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,22487; reference:cve,2007-0446; classtype:attempted-admin; sid:10187; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 ( msg:"SERVER-OTHER CA BrightStor LGServer Heap buffer overflow"; flow:to_server,established; content:"N=,|1B|",depth 4; isdataat:1000; content:!"N=,|1B|",within 996; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,22340; reference:cve,2007-0449; classtype:attempted-admin; sid:12078; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7205:7211 ( msg:"SERVER-OTHER Novell GroupWise WebAccess authentication overflow"; flow:to_server,established; content:"Authorization",nocase; content:"Basic",distance 0,nocase; pcre:"/Authorization\s*\x3A\s*Basic\s*[^\n]{437}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23556; reference:cve,2007-2171; classtype:attempted-admin; sid:10998; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7205:7211 ( msg:"SERVER-OTHER Novell GroupWise WebAccess authentication overflow"; flow:to_server,established; content:"Authorization",nocase; content:"Basic",distance 0,nocase; pcre:"/Authorization\s*\x3A\s*Basic\s*[^\n]{437}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,23556; reference:cve,2007-2171; classtype:attempted-admin; sid:10998; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 9111 ( msg:"SERVER-OTHER HP StorageWorks file migration agent buffer overflow attempt"; flow:to_server,established; content:"_RRP|00 01 00 00 22 00 02 00 01 00|",depth 14; content:"<FtpPath>"; content:!"</FtpPath>",within 266; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,osvdb.org/show/osvdb/84102; classtype:attempted-admin; sid:24686; rev:2; )
alert udp $EXTERNAL_NET any -> $HOME_NET 6905 ( msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|00 00 02 40|",depth 4; content:"|00 00 00 00|",within 4,distance 18; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24741; rev:1; )
alert udp $EXTERNAL_NET any -> $HOME_NET 6905 ( msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|01 00 02 40|",depth 4; content:"|00 00 00 00|",within 4,distance 18; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24742; rev:1; )
alert udp $EXTERNAL_NET any -> $HOME_NET 6905 ( msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|19 00 02 40|",depth 4; content:"|00 00 00 00|",within 4,distance 19; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24758; rev:1; )
alert udp $EXTERNAL_NET any -> $HOME_NET 6905 ( msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|1A 00 02 40|",depth 4; content:"|00 00 00 00|",within 4,distance 18; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24759; rev:1; )
alert udp $EXTERNAL_NET any -> $HOME_NET 6905 ( msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|1B 00 02 40|",depth 4; content:"|00 00 00 00|",within 4,distance 18; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24760; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER lighthttpd connection header denial of service attempt"; flow:to_server,established; http_header; content:"Connection|3A|"; content:",,",distance 0,fast_pattern; pcre:"/^Connection\x3A\s*[^\r\n]*?\x2c\x2c/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5533; classtype:denial-of-service; sid:24805; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER lighthttpd connection header denial of service attempt"; flow:to_server,established; http_header; content:"Connection|3A|"; content:",,",distance 0,fast_pattern; pcre:"/^Connection\x3A\s*[^\r\n]*?\x2c\x2c/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-5533; classtype:denial-of-service; sid:24805; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 ( msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|",depth 4; content:"|00 00 00 32|",within 4,distance 8; content:"|00 00 00 02|",within 4; byte_test:4,>,0x10000,184,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24738; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [514,2401] ( msg:"SERVER-OTHER CVS annotate command buffer overflow attempt"; flow:to_server,established; content:"Entry|20 2F|"; content:"annotate|0A|",distance 0,fast_pattern; pcre:"/Entry\x20\x2f[^\x2f]*\x2f[^\x2f]{68}/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13217; reference:cve,2005-0573; classtype:attempted-dos; sid:20060; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [1533,8082] ( msg:"SERVER-OTHER IBM Lotus Sametime multiplexer stack buffer overflow attempt"; flow:to_server,established; content:"POST",depth 4,nocase; content:"/CommunityCBR/CC."; pcre:"/^[\da-f]+\.[^\s]{41}/Rsmi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,29328; reference:cve,2008-2499; classtype:attempted-admin; sid:13902; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 4662 ( msg:"SERVER-OTHER Xi Software Net Transport eDonkey Protocol Buffer Overflow attempt"; flow:to_server,established; content:"|E3|",depth 1; content:"|01|",within 1,distance 4; content:"|74 65 73 74 03 01 00 11 3C 00|",within 10,distance 32,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,40617; classtype:attempted-user; sid:17607; rev:2; )
alert udp $EXTERNAL_NET any -> $HOME_NET 921 ( msg:"SERVER-OTHER Wireshark LWRES Dissector getaddrsbyname buffer overflow attempt"; flow:to_server; content:"|00 00 01 5D 00 00 00 00|",depth 8; content:"|00 01 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 01|",within 24,distance 4; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,37985; reference:cve,2010-0304; classtype:attempted-dos; sid:17544; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 ( msg:"SERVER-OTHER Firebird database invalid state memory corruption"; flow:to_server,established; content:"|00 00 00 18 00 00 61 61 00 00 61 61|",depth 12; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,27403; reference:cve,2008-0387; classtype:attempted-dos; sid:17556; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 ( msg:"SERVER-OTHER Symantec Backup Exec System Recovery Manager unauthorized file upload attempt"; flow:to_server,established; content:"|17 03 00 02 01 87 09 6B 5D 64 67 5D 86 54 D0 F4 27 EF 2B 32 CA A3 D3 FA 97 AA 40 14 ED 27 15 D2 9B 06 EA 07 09 7D B8 D2 61 69 CD 6D 74 52 F9 8A|",depth 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service ssl; reference:cve,2008-0457; reference:url,seer.entsupport.symantec.com/docs/297171.htm; classtype:misc-activity; sid:17445; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 ( msg:"SERVER-OTHER Alt-N MDaemon WorldClient invalid user"; flow:to_server,established; content:"ComposeUser=Anyinvaliduser",depth 26,offset 150,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2631; classtype:attempted-dos; sid:17225; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 ( msg:"SERVER-OTHER Symantec Backup Exec System Recovery Manager unauthorized file upload attempt"; flow:to_server,established; content:"|17 03 00 02 01 87 09|k]dg]|86|T|D0 F4|'|EF|+2|CA A3 D3 FA 97 AA|@|14 ED|'|15 D2 9B 06 EA 07 09|}|B8 D2|ai|CD|mtR|F9 8A|",depth 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service ssl; reference:cve,2008-0457; classtype:misc-activity; sid:16196; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 389 ( msg:"SERVER-OTHER IBM Lotus Domino LDAP server invalid DN message buffer overflow attempt"; flow:to_server,established; content:"0|84 00 01 00|5|02 01 04|h|84 00 01 00|,|04 84 00 01 00| cn="; metadata:policy balanced-ips drop,policy security-ips drop,service ldap; reference:bugtraq,23174; reference:cve,2007-1739; classtype:attempted-user; sid:16017; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 ( msg:"SERVER-OTHER Symantec Backup Exec System Recovery Manager unauthorized file upload attempt"; flow:to_server,established; content:"|17 03 00 02 01 87 09 6B 5D 64 67 5D 86 54 D0 F4 27 EF 2B 32 CA A3 D3 FA 97 AA 40 14 ED 27 15 D2 9B 06 EA 07 09 7D B8 D2 61 69 CD 6D 74 52 F9 8A|",depth 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:ssl; reference:cve,2008-0457; reference:url,seer.entsupport.symantec.com/docs/297171.htm; classtype:misc-activity; sid:17445; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 ( msg:"SERVER-OTHER Alt-N MDaemon WorldClient invalid user"; flow:to_server,established; content:"ComposeUser=Anyinvaliduser",depth 26,offset 150,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-2631; classtype:attempted-dos; sid:17225; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 ( msg:"SERVER-OTHER Symantec Backup Exec System Recovery Manager unauthorized file upload attempt"; flow:to_server,established; content:"|17 03 00 02 01 87 09|k]dg]|86|T|D0 F4|'|EF|+2|CA A3 D3 FA 97 AA|@|14 ED|'|15 D2 9B 06 EA 07 09|}|B8 D2|ai|CD|mtR|F9 8A|",depth 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:ssl; reference:cve,2008-0457; classtype:misc-activity; sid:16196; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 389 ( msg:"SERVER-OTHER IBM Lotus Domino LDAP server invalid DN message buffer overflow attempt"; flow:to_server,established; content:"0|84 00 01 00|5|02 01 04|h|84 00 01 00|,|04 84 00 01 00| cn="; metadata:policy balanced-ips drop,policy security-ips drop; service:ldap; reference:bugtraq,23174; reference:cve,2007-1739; classtype:attempted-user; sid:16017; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 ( msg:"SERVER-OTHER Veritas Backup Agent password overflow attempt"; flow:to_server,established; content:"|00 00 09 01|",depth 4,offset 16; content:"|00 00 00 03|",depth 4,offset 28; byte_test:4,>,1000,32; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; reference:cve,2005-0773; classtype:attempted-admin; sid:13846; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/CFIDE/adminapi/administrator.cfc"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2013-0625; reference:cve,2013-0629; reference:cve,2013-0631; reference:url,forums.adobe.com/message/4962104; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat; classtype:attempted-user; sid:25266; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/CFIDE/Administrator/scheduler/scheduleedit.cfm"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2013-0625; reference:cve,2013-0629; reference:cve,2013-0631; reference:url,forums.adobe.com/message/4962104; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat; classtype:attempted-user; sid:25267; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER CakePHP unserialize method vulnerability exploitation attempt"; flow:to_server,established; http_client_body; content:"data%5b_Token%5d%5bkey%5d="; content:"&data%5b_Token%5d%5bfields%5d=",within 50; content:"&_method=POST",distance 0; content:"..%2Fgzc%2Fpnpur%2Fcrefvfgrag%2Fpnxr_pber_svyr_znc"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-4335; classtype:attempted-admin; sid:25370; rev:1; )
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt"; flow:to_client; content:"|31 32 33 34 35 36 37 38 39 09 63 63 63 63 63 63 63 63 63 09 64 64 64 64|"; metadata:policy balanced-ips drop,policy security-ips drop,service dns; reference:cve,2011-1889; classtype:attempted-admin; sid:25381; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Oracle Java Web Start BasicService arbitrary command execution attempt"; flow:to_client,established; file_data; content:"javax.jnlp.BasicService"; content:"file|3A 5C 5C|",nocase; content:"showDocument",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4910; classtype:attempted-user; sid:20249; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Rails JSON to YAML parsing deserialization attempt"; flow:to_server,established; http_header; content:"application/json"; pkt_data; content:"!ruby/hash"; content:"ActionController",within 30; content:"NamedRouteCollection",within 90; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:cve,2013-0333; classtype:attempted-user; sid:25552; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/CFIDE/adminapi/administrator.cfc"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:cve,2013-0625; reference:cve,2013-0629; reference:cve,2013-0631; reference:url,forums.adobe.com/message/4962104; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat; classtype:attempted-user; sid:25266; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/CFIDE/Administrator/scheduler/scheduleedit.cfm"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:cve,2013-0625; reference:cve,2013-0629; reference:cve,2013-0631; reference:url,forums.adobe.com/message/4962104; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat; classtype:attempted-user; sid:25267; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER CakePHP unserialize method vulnerability exploitation attempt"; flow:to_server,established; http_client_body; content:"data%5b_Token%5d%5bkey%5d="; content:"&data%5b_Token%5d%5bfields%5d=",within 50; content:"&_method=POST",distance 0; content:"..%2Fgzc%2Fpnpur%2Fcrefvfgrag%2Fpnxr_pber_svyr_znc"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-4335; classtype:attempted-admin; sid:25370; rev:1; )
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt"; flow:to_client; content:"|31 32 33 34 35 36 37 38 39 09 63 63 63 63 63 63 63 63 63 09 64 64 64 64|"; metadata:policy balanced-ips drop,policy security-ips drop; service:dns; reference:cve,2011-1889; classtype:attempted-admin; sid:25381; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Oracle Java Web Start BasicService arbitrary command execution attempt"; flow:to_client,established; file_data; content:"javax.jnlp.BasicService"; content:"file|3A 5C 5C|",nocase; content:"showDocument",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4910; classtype:attempted-user; sid:20249; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Rails JSON to YAML parsing deserialization attempt"; flow:to_server,established; http_header; content:"application/json"; pkt_data; content:"!ruby/hash"; content:"ActionController",within 30; content:"NamedRouteCollection",within 90; metadata:policy balanced-ips alert,policy security-ips drop; service:http; reference:cve,2013-0333; classtype:attempted-user; sid:25552; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 ( msg:"SERVER-OTHER RaySharp CCTV derivative command injection attempt"; flow:to_server,established; content:"REMOTE HI_SRDK_NET_SetPppoeAttr",depth 40,fast_pattern; content:"udhcpc",distance 0; pcre:"/\x3b\s*udhcpc\s*\x3b.*\x26/smi"; metadata:policy balanced-ips drop; reference:url,community.rapid7.com/community/metasploit/blog/2013/01/23/ray-sharp-cctv-dvr-password-retrieval-remote-root; reference:url,console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html; classtype:attempted-admin; sid:25557; rev:1; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|uuid|3A|schemas|3A|device|3A|"; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|",within 180; metadata:policy balanced-ips drop,policy security-ips drop,service ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:25589; rev:1; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|uuid|3A|schemas|3A|device|3A|"; content:"|3A|",within 20; isdataat:200,relative; content:!"|0D|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service ssdp; reference:cve,2012-5961; classtype:attempted-admin; sid:25601; rev:1; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|"; content:!"|3A 3A|upnp|3A|rootdevice",within 200; content:"|3A 3A|upnp|3A|rootdevice"; metadata:policy balanced-ips drop,policy security-ips drop,service ssdp; reference:cve,2012-5960; classtype:attempted-admin; sid:25612; rev:1; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"|3A|device|3A|"; content:"ST|3A|urn|3A|"; isdataat:190,relative; content:!"|0D|",within 190; metadata:policy balanced-ips drop,policy security-ips drop,service ssdp; reference:cve,2012-5965; classtype:attempted-admin; sid:25617; rev:1; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"|3A|service|3A|"; content:"ST|3A|urn|3A|"; isdataat:190,relative; content:!"|0D|",within 190; metadata:policy balanced-ips drop,policy security-ips drop,service ssdp; reference:cve,2012-5964; classtype:attempted-admin; sid:25618; rev:1; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|uuid|3A|"; content:"uuid|3A|"; isdataat:190,relative; content:!"|0D|",within 190; metadata:policy balanced-ips drop,policy security-ips drop,service ssdp; reference:cve,2012-5963; classtype:attempted-admin; sid:25619; rev:1; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|uuid|3A|"; content:"uuid|3A|"; isdataat:190,relative; content:!"|3A 3A|",within 190; metadata:policy balanced-ips drop,policy security-ips drop,service ssdp; reference:cve,2012-5959; classtype:attempted-admin; sid:25620; rev:1; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER MiniUPnPd SSDP request buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|"; content:!"|0D|",within 512; metadata:policy balanced-ips drop,policy security-ips drop,service ssdp; reference:cve,2013-0229; classtype:denial-of-service; sid:25664; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt"; flow:established,to_server; http_header; content:"SOAPAction|3A|"; pcre:"/SOAPAction\x3A\s*?\x22[^\x22\x23]+?\x23([^\x22]{2048}|[^\x22]+$)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0230; reference:cve,2013-1462; classtype:attempted-admin; sid:25780; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Ubisoft Uplay browser plugin backdoor attempt"; flow:to_client,established; file_data; content:"|2E|open|28|"; content:"-orbit_product_id 1",distance 0; content:"-orbit_exe_path"; content:"-uplay_steam_mode"; content:"-uplay_dev_mode"; content:"-uplay_dev_mode_auto_play"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4177; reference:url,news.ycombinator.com/item?id=4311264; reference:url,osvdb.org/show/osvdb/84402; reference:url,seclists.org/fulldisclosure/2012/Jul/375; classtype:attempted-user; sid:23624; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [3600:3699,3900:3999] ( msg:"SERVER-OTHER SAP NetWeaver Message Server buffer overflow attempt"; flow:to_server,established; content:"**MESSAGE**|00|",depth 12,offset 4; byte_test:1,>=,0x0c,55,relative; byte_test:1,<=,0x0d,55,relative; byte_test:4,>,256,106,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2013-1592; reference:url,osvdb.org/show/osvdb/90238; reference:url,service.sap.com/sap/support/notes/1800603; classtype:attempted-admin; sid:26073; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [3600:3699,3900:3999] ( msg:"SERVER-OTHER SAP NetWeaver Message Server buffer overflow attempt"; flow:to_server,established; content:"**MESSAGE**|00|",depth 12,offset 4; content:"|05|",within 1,distance 55; content:"AD-EYECATCH|00|",within 12,distance 42; content:"|15|",within 1,distance 24; byte_test:1,>,78,6,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2013-1593; reference:url,osvdb.org/show/osvdb/90237; reference:url,service.sap.com/sap/support/notes/1800603; classtype:attempted-admin; sid:26074; rev:2; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|uuid|3A|schemas|3A|device|3A|"; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|",within 180; metadata:policy balanced-ips drop,policy security-ips drop; service:ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:25589; rev:1; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|uuid|3A|schemas|3A|device|3A|"; content:"|3A|",within 20; isdataat:200,relative; content:!"|0D|",within 200; metadata:policy balanced-ips drop,policy security-ips drop; service:ssdp; reference:cve,2012-5961; classtype:attempted-admin; sid:25601; rev:1; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|"; content:!"|3A 3A|upnp|3A|rootdevice",within 200; content:"|3A 3A|upnp|3A|rootdevice"; metadata:policy balanced-ips drop,policy security-ips drop; service:ssdp; reference:cve,2012-5960; classtype:attempted-admin; sid:25612; rev:1; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"|3A|device|3A|"; content:"ST|3A|urn|3A|"; isdataat:190,relative; content:!"|0D|",within 190; metadata:policy balanced-ips drop,policy security-ips drop; service:ssdp; reference:cve,2012-5965; classtype:attempted-admin; sid:25617; rev:1; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"|3A|service|3A|"; content:"ST|3A|urn|3A|"; isdataat:190,relative; content:!"|0D|",within 190; metadata:policy balanced-ips drop,policy security-ips drop; service:ssdp; reference:cve,2012-5964; classtype:attempted-admin; sid:25618; rev:1; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|uuid|3A|"; content:"uuid|3A|"; isdataat:190,relative; content:!"|0D|",within 190; metadata:policy balanced-ips drop,policy security-ips drop; service:ssdp; reference:cve,2012-5963; classtype:attempted-admin; sid:25619; rev:1; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|uuid|3A|"; content:"uuid|3A|"; isdataat:190,relative; content:!"|3A 3A|",within 190; metadata:policy balanced-ips drop,policy security-ips drop; service:ssdp; reference:cve,2012-5959; classtype:attempted-admin; sid:25620; rev:1; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER MiniUPnPd SSDP request buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ST|3A|"; content:!"|0D|",within 512; metadata:policy balanced-ips drop,policy security-ips drop; service:ssdp; reference:cve,2013-0229; classtype:denial-of-service; sid:25664; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt"; flow:established,to_server; http_header; content:"SOAPAction|3A|"; pcre:"/SOAPAction\x3A\s*?\x22[^\x22\x23]+?\x23([^\x22]{2048}|[^\x22]+$)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0230; reference:cve,2013-1462; classtype:attempted-admin; sid:25780; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Ubisoft Uplay browser plugin backdoor attempt"; flow:to_client,established; file_data; content:"|2E|open|28|"; content:"-orbit_product_id 1",distance 0; content:"-orbit_exe_path"; content:"-uplay_steam_mode"; content:"-uplay_dev_mode"; content:"-uplay_dev_mode_auto_play"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4177; reference:url,news.ycombinator.com/item?id=4311264; reference:url,osvdb.org/show/osvdb/84402; reference:url,seclists.org/fulldisclosure/2012/Jul/375; classtype:attempted-user; sid:23624; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [3600:3699,3900:3999] ( msg:"SERVER-OTHER SAP NetWeaver Message Server buffer overflow attempt"; flow:to_server,established; content:"**MESSAGE**|00|",depth 12,offset 4; byte_test:1,>=,0x0c,55,relative; byte_test:1,<=,0x0d,55,relative; byte_test:4,>,256,106,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2013-1592; reference:url,osvdb.org/show/osvdb/90238; reference:url,.sap.com/sap/support/notes/1800603; classtype:attempted-admin; sid:26073; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [3600:3699,3900:3999] ( msg:"SERVER-OTHER SAP NetWeaver Message Server buffer overflow attempt"; flow:to_server,established; content:"**MESSAGE**|00|",depth 12,offset 4; content:"|05|",within 1,distance 55; content:"AD-EYECATCH|00|",within 12,distance 42; content:"|15|",within 1,distance 24; byte_test:1,>,78,6,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2013-1593; reference:url,osvdb.org/show/osvdb/90237; reference:url,.sap.com/sap/support/notes/1800603; classtype:attempted-admin; sid:26074; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 ( msg:"SERVER-OTHER MongoDB nativeHelper.apply method command injection attempt"; flow:to_server,established; content:"nativeHelper.apply("; pcre:"/nativeHelper\.apply\(\s*?\{\s*?[\x22\x27]\s*?x\s*?[\x22\x27]\s*?:\s*?(0x)?\d/i"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,58695; reference:cve,2013-1892; reference:url,osvdb.org/show/osvdb/91632; classtype:attempted-admin; sid:26262; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS ( msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; http_uri; content:"picEditor.php"; http_method; content:"POST"; http_client_body; content:"angle="; content:"newimage="; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0506; classtype:attempted-admin; sid:26314; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS ( msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; http_uri; content:"picEditor.php"; http_method; content:"POST"; http_client_body; content:"quality="; content:"newimage="; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0506; classtype:attempted-admin; sid:26315; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS ( msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; http_uri; content:"picEditor.php"; http_method; content:"POST"; http_client_body; content:"clipval="; content:"newimage="; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0506; classtype:attempted-admin; sid:26316; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS ( msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; http_uri; content:"picEditor.php"; http_method; content:"POST"; http_client_body; content:"angle="; content:"newimage="; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-0506; classtype:attempted-admin; sid:26314; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS ( msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; http_uri; content:"picEditor.php"; http_method; content:"POST"; http_client_body; content:"quality="; content:"newimage="; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-0506; classtype:attempted-admin; sid:26315; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS ( msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; http_uri; content:"picEditor.php"; http_method; content:"POST"; http_client_body; content:"clipval="; content:"newimage="; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-0506; classtype:attempted-admin; sid:26316; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] ( msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra diag request buffer overflow attempt"; flow:to_server,established; content:"set|3A|/lhn/public/system/diag/getListSafeTest/"; byte_test:4,>=,4140,8; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2012-3283; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; reference:url,osvdb.org/show/osvdb/89917; classtype:attempted-admin; sid:26333; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] ( msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra diag request buffer overflow attempt"; flow:to_server,established; content:"set|3A|/lhn/public/system/diag/getListSupportTest/"; byte_test:4,>=,4143,8; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2012-3283; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; reference:url,osvdb.org/show/osvdb/89917; classtype:attempted-admin; sid:26334; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] ( msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra snmp request buffer overflow attempt"; flow:to_server,established; content:"set|3A|/lhn/public/network/snmp/traps/testTrap"; byte_test:4,>,1066,8; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2012-3284; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; reference:url,osvdb.org/show/osvdb/89920; classtype:attempted-admin; sid:26336; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 ( msg:"SERVER-OTHER Squid proxy Accept-Language denial of service attempt"; flow:to_server,established; http_header; content:"Accept-Language|3A 20 2C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1839; classtype:denial-of-service; sid:26379; rev:1; )
-alert tcp any any -> $HOME_NET 23 ( msg:"SERVER-OTHER Polycom HDX authorization bypass attempt"; flow:to_server,established; content:"setenv othbootargs |22|devboot=bogus|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service telnet; reference:bugtraq,58523; classtype:attempted-admin; sid:26386; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 ( msg:"SERVER-OTHER Squid proxy Accept-Language denial of service attempt"; flow:to_server,established; http_header; content:"Accept-Language|3A 20 2C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-1839; classtype:denial-of-service; sid:26379; rev:1; )
+alert tcp any any -> $HOME_NET 23 ( msg:"SERVER-OTHER Polycom HDX authorization bypass attempt"; flow:to_server,established; content:"setenv othbootargs |22|devboot=bogus|22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:telnet; reference:bugtraq,58523; classtype:attempted-admin; sid:26386; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3916 ( msg:"SERVER-OTHER EMC data protection advisor DOS attempt"; flow:to_server,established; content:"<CXMLREQUEST>",nocase; content:"<AUTHENTICATECONNECTION>",distance 0,nocase; content:"<AUTHENTICATIONDATA>",distance 0,nocase; content:!"<PASSWORD>",distance 0,nocase; content:"</AUTHENTICATIONDATA>"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,aluigi.org/adv/dpa_1-adv.txt; reference:url,osvdb.org/show/osvdb/80814; classtype:attempted-dos; sid:21913; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 52312 ( msg:"SERVER-OTHER IBM Tivoli Endpoint Manager Web Reports xss attempt"; flow:to_server,established; content:"ScheduleParam",nocase; pcre:"/^\x3d[^\s\x26\x0d\x0a]*?\x2527/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0719; reference:url,www.ibm.com/support/docview.wss?uid=swg21587743; classtype:attempted-user; sid:21944; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Trend Micro OfficeScan Server cgiRecvFile overflow attempt"; flow:to_server,established; http_uri; content:"/cgi/cgiRecvFile.exe"; pkt_data; content:"ComputerName"; pcre:"/ComputerName\s*\x3d\s*\x22[^\x22]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31139; reference:cve,2008-2437; classtype:attempted-admin; sid:15510; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Novell QuickFinder server cross-site-scripting attempt"; flow:to_server, established; http_uri; content:"AdminServlet",nocase; pcre:"/AdminServlet.*(userid|adminurl)[^\x26\x20\x0a]*<script/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0611; classtype:web-application-attack; sid:16522; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER IBM WebSphere application server cross site scripting attempt"; flow:to_server, established; http_uri; content:"/ibm/console/",nocase; content:"<script",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34001; reference:cve,2009-0855; classtype:misc-attack; sid:16686; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-OTHER Zango adware installation request"; flow:to_server,established; http_uri; content:"Zango/Setup.exe"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.ftc.gov/os/caselist/0523130/index.shtm; classtype:policy-violation; sid:13632; rev:4; )
-alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 ( msg:"SERVER-OTHER ISC BIND RRSIG query denial of service attempt"; content:"|03 77 77 77 04 74 65 73 74 03 63 6F 6D 00 00 2E 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service dns; reference:bugtraq,23738; reference:cve,2007-2241; classtype:attempted-dos; sid:17299; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Thinkpoint fake antivirus binary download"; flow:to_client,established; file_data; content:"|30 B6 AD D9 C7 B7 41 8E 75 6E 65 78 70 30 65 B4 26 6D|"; content:"|BA 3A 0D 0A 4F E8 7A 65 7E 66 B5 05 EF AD 61 49 C9 80 75 6D 58|",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17817; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Green Dam URL handling overflow attempt"; flow:to_client,established; file_data; content:"<=2035"; content:"window.location="; content:"'.html'|3B|",within 30,nocase; content:"classid=|22|",distance 0,nocase; content:".dll|23|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,osvdb.org/show/osvdb/55126; reference:url,secunia.com/advisories/35435; classtype:attempted-user; sid:16598; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Oracle Java Web Start arbitrary command execution attempt"; flow:to_client,established; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93",nocase; content:"jnlpDocbase=|22|ABBA|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:17660; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 52312 ( msg:"SERVER-OTHER IBM Tivoli Endpoint Manager Web Reports xss attempt"; flow:to_server,established; content:"ScheduleParam",nocase; pcre:"/^\x3d[^\s\x26\x0d\x0a]*?\x2527/iR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0719; reference:url,www.ibm.com/support/docview.wss?uid=swg21587743; classtype:attempted-user; sid:21944; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Trend Micro OfficeScan Server cgiRecvFile overflow attempt"; flow:to_server,established; http_uri; content:"/cgi/cgiRecvFile.exe"; pkt_data; content:"ComputerName"; pcre:"/ComputerName\s*\x3d\s*\x22[^\x22]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31139; reference:cve,2008-2437; classtype:attempted-admin; sid:15510; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Novell QuickFinder server cross-site-scripting attempt"; flow:to_server, established; http_uri; content:"AdminServlet",nocase; pcre:"/AdminServlet.*(userid|adminurl)[^\x26\x20\x0a]*<script/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-0611; classtype:web-application-attack; sid:16522; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER IBM WebSphere application server cross site scripting attempt"; flow:to_server, established; http_uri; content:"/ibm/console/",nocase; content:"<script",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34001; reference:cve,2009-0855; classtype:misc-attack; sid:16686; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-OTHER Zango adware installation request"; flow:to_server,established; http_uri; content:"Zango/Setup.exe"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.ftc.gov/os/caselist/0523130/index.shtm; classtype:policy-violation; sid:13632; rev:4; )
+alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 ( msg:"SERVER-OTHER ISC BIND RRSIG query denial of service attempt"; content:"|03 77 77 77 04 74 65 73 74 03 63 6F 6D 00 00 2E 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop; service:dns; reference:bugtraq,23738; reference:cve,2007-2241; classtype:attempted-dos; sid:17299; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Thinkpoint fake antivirus binary download"; flow:to_client,established; file_data; content:"|30 B6 AD D9 C7 B7 41 8E 75 6E 65 78 70 30 65 B4 26 6D|"; content:"|BA 3A 0D 0A 4F E8 7A 65 7E 66 B5 05 EF AD 61 49 C9 80 75 6D 58|",within 100; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17817; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Green Dam URL handling overflow attempt"; flow:to_client,established; file_data; content:"<=2035"; content:"window.location="; content:"'.html'|3B|",within 30,nocase; content:"classid=|22|",distance 0,nocase; content:".dll|23|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,osvdb.org/show/osvdb/55126; reference:url,secunia.com/advisories/35435; classtype:attempted-user; sid:16598; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Oracle Java Web Start arbitrary command execution attempt"; flow:to_client,established; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93",nocase; content:"jnlpDocbase=|22|ABBA|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:17660; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 4244 ( msg:"SERVER-OTHER MSN Messenger IRC bot calling home attempt"; flow:to_server,established; content:"PASS gooback"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.threatexpert.com/report.aspx?md5=19bffa751aafa9e63420203938a0d8a9; classtype:trojan-activity; sid:15939; rev:2; )
-alert tcp $EXTERNAL_NET 5900 -> $HOME_NET any ( msg:"SERVER-OTHER UltraVNC Listening mode stack buffer overflow attempt"; flow:to_client,established; content:"RFB 0",depth 5; content:".014|0A|",within 5,distance 2; isdataat:1100,relative; content:!"|00|",within 1100,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service vnc-server; reference:cve,2008-0610; classtype:attempted-user; sid:26454; rev:1; )
-alert tcp $EXTERNAL_NET 5900 -> $HOME_NET any ( msg:"SERVER-OTHER UltraVNC Listening mode stack buffer overflow attempt"; flow:to_client,established; content:"RFB 0",depth 5; content:".016|0A|",within 5,distance 2; isdataat:1100,relative; content:!"|00|",within 1100,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service vnc-server; reference:cve,2008-0610; classtype:attempted-user; sid:26455; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET [5800,5900:5999] ( msg:"SERVER-OTHER VNC client authentication response"; flow:to_server,established; content:"RFB 0",depth 5; content:".0",depth 2,offset 7; flowbits:set,vnc.auth; flowbits:noalert; metadata:service vnc-server; classtype:protocol-command-decode; sid:17396; rev:8; )
-alert tcp $EXTERNAL_NET [5800,5900:5999] -> $HOME_NET any ( msg:"SERVER-OTHER VNCViewer Authenticate buffer overflow attempt"; flow:to_client,established; flowbits:isset,vnc.auth; content:"|00 00 00|",depth 3; content:"|7F FF FF FF|",within 4,distance 1; pcre:"/^\x00{3}[\x00\x01]\x7f\xff{3}/m"; metadata:policy balanced-ips drop,policy security-ips drop,service vnc-server; reference:bugtraq,33568; reference:cve,2009-0388; classtype:attempted-user; sid:17397; rev:5; )
-alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any ( msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; http_header; content:"misc/ultravox"; file_data; pkt_data; content:"|5A|",within 1; content:"|39 01|",within 2,distance 1; content:"<artist>",distance 0,nocase; isdataat:266,relative; content:!"</artist>",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0065; classtype:attempted-user; sid:13520; rev:7; )
-alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any ( msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; http_header; content:"misc/ultravox"; file_data; pkt_data; content:"|5A|",within 1; content:"|39 01|",within 2,distance 1; content:"<name>",distance 0,nocase; isdataat:266,relative; content:!"</name>",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0065; classtype:attempted-user; sid:20110; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Alucar php shell download attempt"; flow:to_client,established; file_data; content:"dHA6Ly9YZ3IwdXBWbi5vcmc8L2E+IHwgPGEgaHJlZj0naHR0cDovL2hjZWdyb3VwLm5ldCc+SEBjaytDckBjaz1FbmoweSE8L2E+IHwgRGVzaWduIGJ5OkFsdUNhUiB8IF0t"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,47374; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:attempted-user; sid:19661; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Oracle Java Applet2ClassLoader Remote Code Execution"; flow:to_client,established; file_data; content:"codebase|3D 22|file|3A|",nocase; content:"code|3D 22|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-4452; reference:url,exploit-db.com/exploits/16990/; classtype:attempted-user; sid:18679; rev:4; )
-alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any ( msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; content:"misc/ultravox"; content:"<name>",distance 0,nocase; isdataat:266,relative; content:!"</name>",within 256; pcre:"/Content-Type\x3A\s*misc/ultravox.+?(\r?\n){2}\x5A.9\x01/is"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0065; classtype:attempted-user; sid:13521; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt"; flow:to_client,established; http_header; content:"Content-Type|3A|",nocase; content:"text/xml",within 20,nocase; content:"xsl|3A|transform"; content:"crypto|3A|rc4_",nocase; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30467; reference:cve,2008-2935; classtype:attempted-user; sid:14040; rev:11; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt - 2"; flow:to_client,established; http_header; content:"Content-Type|3A|",nocase; content:"text/xml",nocase; content:"xsl|3A|version"; content:"crypto|3A|rc4_",nocase; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30467; reference:cve,2008-2935; classtype:attempted-user; sid:14041; rev:13; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 ( msg:"SERVER-OTHER PostgreSQL database name command line injection attempt"; flow:established,to_server; content:"user|00|",depth 5,offset 8; content:"database|00|-",within 70; pcre:"/^.{8}user\x00[^\x00]+?\x00database\x00-[^\x00]+?\x00/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1899; reference:url,www.postgresql.org/support/security/faq/2013-04-04/; classtype:attempted-user; sid:26586; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Adobe ColdFusion adminapi information disclosure attempt"; flow:to_server,established; http_uri; content:"/CFIDE/adminapi/customtags/l10n.cfm",fast_pattern,nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,59773; reference:cve,2013-3336; reference:url,www.adobe.com/support/security/advisories/apsa13-03.html; classtype:attempted-recon; sid:26621; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Struts2 skillName remote code execution attempt"; flow:to_server,established; http_uri; content:"edit.action?"; content:"skillName=|7B 28 23|"; pcre:"/skillName\x3D\x7B\x28\x23/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60082; reference:cve,2013-1965; classtype:attempted-admin; sid:26772; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Struts2 remote code execution attempt"; flow:to_server,established; http_uri; content:".action",nocase; http_client_body; content:"|25|24|25|7B",nocase; content:"|25|5FmemberAccess|25|5B|25|22allowStaticMethodAccess",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1966; reference:cve,2013-2115; reference:url,struts.apache.org/development/2.x/docs/s2-014.html; classtype:attempted-admin; sid:26824; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Struts2 remote code execution attempt"; flow:to_server,established; http_uri; content:".action?",nocase; content:"|24 7B|",nocase; content:"_memberAccess|5B 22|allowStaticMethodAccess",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1966; reference:cve,2013-2115; reference:url,struts.apache.org/development/2.x/docs/s2-014.html; classtype:attempted-admin; sid:26825; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Novell NetIQ User Manager modifyAccounts policy bypass attempt"; flow:to_server,established; http_header; content:"application/x-amf",nocase; http_client_body; content:"|03 00 06|method|02 00 0E|modifyAccounts"; content:"|03 00 04|name|02 00 05|admin",nocase; content:"|00 0A|ACT_PASSWD|03 00 05|value",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,56535; reference:url,osvdb.org/show/osvdb/87335; classtype:attempted-admin; sid:27036; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Novell NetIQ User Manager ldapagnt_eval remote code execution attempt"; flow:to_server,established; http_header; content:"application/x-amf",nocase; http_client_body; content:"|03 00 06|method|02 00 04|eval|00 06|module|02 00 08|ldapagnt"; content:"|00 04|Eval|03 00 07|content|02|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,56539; reference:url,osvdb.org/show/osvdb/87334; classtype:attempted-admin; sid:27075; rev:1; )
+alert tcp $EXTERNAL_NET 5900 -> $HOME_NET any ( msg:"SERVER-OTHER UltraVNC Listening mode stack buffer overflow attempt"; flow:to_client,established; content:"RFB 0",depth 5; content:".014|0A|",within 5,distance 2; isdataat:1100,relative; content:!"|00|",within 1100,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; service:vnc-server; reference:cve,2008-0610; classtype:attempted-user; sid:26454; rev:1; )
+alert tcp $EXTERNAL_NET 5900 -> $HOME_NET any ( msg:"SERVER-OTHER UltraVNC Listening mode stack buffer overflow attempt"; flow:to_client,established; content:"RFB 0",depth 5; content:".016|0A|",within 5,distance 2; isdataat:1100,relative; content:!"|00|",within 1100,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; service:vnc-server; reference:cve,2008-0610; classtype:attempted-user; sid:26455; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET [5800,5900:5999] ( msg:"SERVER-OTHER VNC client authentication response"; flow:to_server,established; content:"RFB 0",depth 5; content:".0",depth 2,offset 7; flowbits:set,vnc.auth; flowbits:noalert; service:vnc-server; classtype:protocol-command-decode; sid:17396; rev:8; )
+alert tcp $EXTERNAL_NET [5800,5900:5999] -> $HOME_NET any ( msg:"SERVER-OTHER VNCViewer Authenticate buffer overflow attempt"; flow:to_client,established; flowbits:isset,vnc.auth; content:"|00 00 00|",depth 3; content:"|7F FF FF FF|",within 4,distance 1; pcre:"/^\x00{3}[\x00\x01]\x7f\xff{3}/m"; metadata:policy balanced-ips drop,policy security-ips drop; service:vnc-server; reference:bugtraq,33568; reference:cve,2009-0388; classtype:attempted-user; sid:17397; rev:5; )
+alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any ( msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; http_header; content:"misc/ultravox"; file_data; pkt_data; content:"|5A|",within 1; content:"|39 01|",within 2,distance 1; content:"<artist>",distance 0,nocase; isdataat:266,relative; content:!"</artist>",within 256; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-0065; classtype:attempted-user; sid:13520; rev:7; )
+alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any ( msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; http_header; content:"misc/ultravox"; file_data; pkt_data; content:"|5A|",within 1; content:"|39 01|",within 2,distance 1; content:"<name>",distance 0,nocase; isdataat:266,relative; content:!"</name>",within 256; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-0065; classtype:attempted-user; sid:20110; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Alucar php shell download attempt"; flow:to_client,established; file_data; content:"dHA6Ly9YZ3IwdXBWbi5vcmc8L2E+IHwgPGEgaHJlZj0naHR0cDovL2hjZWdyb3VwLm5ldCc+SEBjaytDckBjaz1FbmoweSE8L2E+IHwgRGVzaWduIGJ5OkFsdUNhUiB8IF0t"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:bugtraq,47374; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:attempted-user; sid:19661; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER Oracle Java Applet2ClassLoader Remote Code Execution"; flow:to_client,established; file_data; content:"codebase|3D 22|file|3A|",nocase; content:"code|3D 22|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-4452; reference:url,exploit-db.com/exploits/16990/; classtype:attempted-user; sid:18679; rev:4; )
+alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any ( msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; content:"misc/ultravox"; content:"<name>",distance 0,nocase; isdataat:266,relative; content:!"</name>",within 256; pcre:"/Content-Type\x3A\s*misc/ultravox.+?(\r?\n){2}\x5A.9\x01/is"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-0065; classtype:attempted-user; sid:13521; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt"; flow:to_client,established; http_header; content:"Content-Type|3A|",nocase; content:"text/xml",within 20,nocase; content:"xsl|3A|transform"; content:"crypto|3A|rc4_",nocase; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,30467; reference:cve,2008-2935; classtype:attempted-user; sid:14040; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt - 2"; flow:to_client,established; http_header; content:"Content-Type|3A|",nocase; content:"text/xml",nocase; content:"xsl|3A|version"; content:"crypto|3A|rc4_",nocase; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,30467; reference:cve,2008-2935; classtype:attempted-user; sid:14041; rev:13; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 ( msg:"SERVER-OTHER PostgreSQL database name command line injection attempt"; flow:established,to_server; content:"user|00|",depth 5,offset 8; content:"database|00|-",within 70; pcre:"/^.{8}user\x00[^\x00]+?\x00database\x00-[^\x00]+?\x00/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-1899; reference:url,www.postgresql.org/support/security/faq/2013-04-04/; classtype:attempted-user; sid:26586; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Adobe ColdFusion adminapi information disclosure attempt"; flow:to_server,established; http_uri; content:"/CFIDE/adminapi/customtags/l10n.cfm",fast_pattern,nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,59773; reference:cve,2013-3336; reference:url,www.adobe.com/support/security/advisories/apsa13-03.html; classtype:attempted-recon; sid:26621; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Struts2 skillName remote code execution attempt"; flow:to_server,established; http_uri; content:"edit.action?"; content:"skillName=|7B 28 23|"; pcre:"/skillName\x3D\x7B\x28\x23/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,60082; reference:cve,2013-1965; classtype:attempted-admin; sid:26772; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Struts2 remote code execution attempt"; flow:to_server,established; http_uri; content:".action",nocase; http_client_body; content:"|25|24|25|7B",nocase; content:"|25|5FmemberAccess|25|5B|25|22allowStaticMethodAccess",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-1966; reference:cve,2013-2115; reference:url,struts.apache.org/development/2.x/docs/s2-014.html; classtype:attempted-admin; sid:26824; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Struts2 remote code execution attempt"; flow:to_server,established; http_uri; content:".action?",nocase; content:"|24 7B|",nocase; content:"_memberAccess|5B 22|allowStaticMethodAccess",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-1966; reference:cve,2013-2115; reference:url,struts.apache.org/development/2.x/docs/s2-014.html; classtype:attempted-admin; sid:26825; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Novell NetIQ User Manager modifyAccounts policy bypass attempt"; flow:to_server,established; http_header; content:"application/x-amf",nocase; http_client_body; content:"|03 00 06|method|02 00 0E|modifyAccounts"; content:"|03 00 04|name|02 00 05|admin",nocase; content:"|00 0A|ACT_PASSWD|03 00 05|value",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,56535; reference:url,osvdb.org/show/osvdb/87335; classtype:attempted-admin; sid:27036; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Novell NetIQ User Manager ldapagnt_eval remote code execution attempt"; flow:to_server,established; http_header; content:"application/x-amf",nocase; http_client_body; content:"|03 00 06|method|02 00 04|eval|00 06|module|02 00 08|ldapagnt"; content:"|00 04|Eval|03 00 07|content|02|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,56539; reference:url,osvdb.org/show/osvdb/87334; classtype:attempted-admin; sid:27075; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] ( msg:"SERVER-OTHER HP OpenView Storage Data Protector - initiate connection"; flow:to_server,established; content:"H|00|P|00| |00|O|00|p|00|e|00|n|00|V|00|i|00|e|00|w|00| |00|O|00|m|00|n|00|i|00|B|00|a|00|c|00|k"; flowbits:set,hp_openview_sdp; flowbits:noalert; classtype:protocol-command-decode; sid:27121; rev:1; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 88 ( msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 81|",depth 2; content:"|00|",within 1,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service kerberos; reference:cve,2011-0283; classtype:denial-of-service; sid:27193; rev:2; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 88 ( msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 82|",depth 2; content:"|00|",within 1,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service kerberos; reference:cve,2011-0283; classtype:denial-of-service; sid:27194; rev:2; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 88 ( msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 83|",depth 2; content:"|00|",within 1,distance 3; metadata:policy balanced-ips drop,policy security-ips drop,service kerberos; reference:cve,2011-0283; classtype:denial-of-service; sid:27195; rev:2; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 88 ( msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A|",depth 1; byte_test:1,!&,0x80,0,relative; content:"|00|",within 1,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service kerberos; reference:cve,2011-0283; classtype:denial-of-service; sid:24372; rev:3; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 88 ( msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 81|",depth 2; content:"|00|",within 1,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:kerberos; reference:cve,2011-0283; classtype:denial-of-service; sid:27193; rev:2; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 88 ( msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 82|",depth 2; content:"|00|",within 1,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; service:kerberos; reference:cve,2011-0283; classtype:denial-of-service; sid:27194; rev:2; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 88 ( msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 83|",depth 2; content:"|00|",within 1,distance 3; metadata:policy balanced-ips drop,policy security-ips drop; service:kerberos; reference:cve,2011-0283; classtype:denial-of-service; sid:27195; rev:2; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 88 ( msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A|",depth 1; byte_test:1,!&,0x80,0,relative; content:"|00|",within 1,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; service:kerberos; reference:cve,2011-0283; classtype:denial-of-service; sid:24372; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 ( msg:"SERVER-OTHER HP Data Protector Manager RDS attempt"; flow:to_server,established; content:"|23 8C 29 B6|",depth 4; byte_test:4,>,0xFFFF,0,relative; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,45725; reference:cve,2011-0514; classtype:denial-of-service; sid:19159; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 23 ( msg:"SERVER-OTHER Blue Coat Systems WinProxy telnet denial of service attempt"; flow:to_server,established; isdataat:750; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|",depth 32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|",within 32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|",within 32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|",within 32; pcre:"/\xff{32}$/"; metadata:policy balanced-ips drop,policy security-ips drop,service telnet; reference:cve,2005-3654; classtype:attempted-dos; sid:21662; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 23 ( msg:"SERVER-OTHER Blue Coat Systems WinProxy telnet denial of service attempt"; flow:to_server,established; isdataat:750; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|",depth 32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|",within 32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|",within 32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|",within 32; pcre:"/\xff{32}$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:telnet; reference:cve,2005-3654; classtype:attempted-dos; sid:21662; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 ( msg:"SERVER-OTHER IBM DB2 database server CONNECT denial of service attempt"; flow:to_server,established; content:"|10|A",depth 2,offset 8; byte_jump:2, -10, relative; content:"|10|n",within 2,distance 6; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2009-0172; classtype:denial-of-service; sid:15509; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 2775 ( msg:"SERVER-OTHER Curse of Silence Nokia SMS DoS attempt"; flow:established,to_server; content:"|02|03|3A|"; content:"|09|052|3A|2|09|",distance 0; content:"|09|033|3A|"; pcre:"/\x09033\x3a(?=[^\s]+\x40[^\s]+)[^\x20\x09]{33}/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,33072; classtype:attempted-dos; sid:15572; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 554 ( msg:"SERVER-OTHER RealNetworks Helix Server RTSP SET_PARAMETERS empty DataConvertBuffer header denial of service attempt"; flow:to_server,established; content:"SET_PARAMETER",depth 13; content:"DataConvertBuffer",distance 0,nocase; pcre:!"/^Content-Length\s*\x3A\s*[1-9]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service rtsp; reference:bugtraq,35731; reference:cve,2009-2533; classtype:attempted-dos; sid:16709; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 554 ( msg:"SERVER-OTHER RealNetworks Helix Server RTSP SET_PARAMETERS empty DataConvertBuffer header denial of service attempt"; flow:to_server,established; content:"SET_PARAMETER",depth 13; content:"DataConvertBuffer",distance 0,nocase; pcre:!"/^Content-Length\s*\x3A\s*[1-9]/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:rtsp; reference:bugtraq,35731; reference:cve,2009-2533; classtype:attempted-dos; sid:16709; rev:2; )
alert udp $EXTERNAL_NET any -> $HOME_NET 623 ( msg:"SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt"; flow:to_server; content:"|06 00 FF 07 06 10 00 00 00 00 00 00 00 00|",depth 14; content:"|00 00 00 00|",within 4,distance 2; content:"|00 00 00 08 00|",within 5,distance 4,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2013-4782; reference:cve,2013-4783; reference:cve,2013-4784; reference:url,osvdb.org/show/osvdb/93038; reference:url,osvdb.org/show/osvdb/93039; reference:url,osvdb.org/show/osvdb/93040; reference:url,www.fish2.com/ipmi/cipherzero.html; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; classtype:attempted-admin; sid:27210; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Citrix XenApp password buffer overflow attempt"; flow:to_server,established; http_uri; content:"scripts/wpnbr.dll"; http_method; content:"POST"; http_client_body; content:"<RequestValidateCredentials>"; content:"<Password",distance 0; content:"encoding=|22|ctx1|22|>",within 18; isdataat:512,relative; content:!"</Password>",within 512; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48898; reference:url,support.citrix.com/article/CTX129430; classtype:attempted-admin; sid:27236; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"SERVER-OTHER GuildFTPd CWD command heap overflow attempt"; flow:to_server,established; content:"list",depth 5,nocase; dsize:>74; pcre:"/[\w]{70,}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service ftp; reference:bugtraq,31729; reference:cve,2008-4572; classtype:attempted-admin; sid:27270; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER OpenX POST to known backdoored file"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/vastServeVideoPlayer/player.delivery.php",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-4211; reference:url,isc.sans.edu/diary/OpenX+Ad+Server+Backdoor/16303; classtype:attempted-admin; sid:27578; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"SERVER-SAMBA Samba Root File System access bypass attempt"; flow:to_server,established; content:"|FF|SMB|75|",depth 5,offset 4; byte_jump:1,27,relative,multiplier 2; byte_jump:2,-2,relative,little; content:"|5C 00 5C 00|",within 4,distance 2; content:"|5C 00 00 00|",within 80; pcre:"/\x5c\x00\x5c\x00[^\x5c]*?\x5c\x00\x00\x00/"; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-ssn; reference:bugtraq,33118; reference:cve,2009-0022; classtype:attempted-recon; sid:17639; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Citrix XenApp password buffer overflow attempt"; flow:to_server,established; http_uri; content:"scripts/wpnbr.dll"; http_method; content:"POST"; http_client_body; content:"<RequestValidateCredentials>"; content:"<Password",distance 0; content:"encoding=|22|ctx1|22|>",within 18; isdataat:512,relative; content:!"</Password>",within 512; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,48898; reference:url,support.citrix.com/article/CTX129430; classtype:attempted-admin; sid:27236; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"SERVER-OTHER GuildFTPd CWD command heap overflow attempt"; flow:to_server,established; content:"list",depth 5,nocase; dsize:>74; pcre:"/[\w]{70,}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:ftp; reference:bugtraq,31729; reference:cve,2008-4572; classtype:attempted-admin; sid:27270; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER OpenX POST to known backdoored file"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/vastServeVideoPlayer/player.delivery.php",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-4211; reference:url,isc.sans.edu/diary/OpenX+Ad+Server+Backdoor/16303; classtype:attempted-admin; sid:27578; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"SERVER-SAMBA Samba Root File System access bypass attempt"; flow:to_server,established; content:"|FF|SMB|75|",depth 5,offset 4; byte_jump:1,27,relative,multiplier 2; byte_jump:2,-2,relative,little; content:"|5C 00 5C 00|",within 4,distance 2; content:"|5C 00 00 00|",within 80; pcre:"/\x5c\x00\x5c\x00[^\x5c]*?\x5c\x00\x00\x00/"; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-ssn; reference:bugtraq,33118; reference:cve,2009-0022; classtype:attempted-recon; sid:17639; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"SERVER-SAMBA Samba spools RPC smb_io_notify_option_type_data request handling buffer overflow attempt"; flow:to_server,established; content:"SMB",nocase; content:"|9C E0 0A 00 09 00 00 00 0A 00 0B 00 0D 00 03 00 14 00 15 00 10 00 17 00 16 00 00 00|P|00 00 00|",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop; reference:cve,2007-2446; classtype:attempted-user; sid:16034; rev:3; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"SERVER-SAMBA Samba send_mailslot buffer overflow attempt"; content:"|5C|MAILSLOT|5C|NET|5C|NTLOGON",fast_pattern; pcre:"/^\x00+/R"; content:"|12 00 00 00|",within 4; pcre:"/^\x00\x00\x00\x00[^\x00]{262}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-dgm; reference:bugtraq,26791; reference:cve,2007-6015; classtype:attempted-admin; sid:13291; rev:6; )
-alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"SERVER-SAMBA Samba send_mailslot buffer overflow attempt"; content:"|5C|MAILSLOT|5C|NET|5C|NTLOGON",nocase; pcre:"/^\x00+/R"; content:"|12 00 00 00|",within 4; pcre:"/^\x00\x00\x00\x00[^\x00]{260}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service netbios-dgm; reference:bugtraq,26791; reference:cve,2007-6015; classtype:attempted-admin; sid:17661; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt"; flow:to_server,established; http_uri; content:"nnmRptConfig.exe"; pcre:"/(data_select1|nameParams|schdParams|text1|schd_select1)=[^\x26]{512}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45762; reference:cve,2011-0265; reference:cve,2011-0266; reference:cve,2011-0267; reference:cve,2011-0268; reference:cve,2011-0269; reference:url,osvdb.org/show/osvdb/70473; classtype:attempted-user; sid:24147; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Windows .NET Chart Control directory traversal attempt"; flow:to_server,established; content:"charImg.axd?"; http_uri; content:"i=/",distance 0; http_raw_uri; content:".."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1977; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-066; classtype:attempted-recon; sid:19694; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt"; flow:to_server,established; http_uri; content:"nnmRptConfig.exe"; http_client_body; pcre:"/(data_select1|nameParams|schdParams|text1|schd_select1)=[^\x26]{512}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45762; reference:cve,2011-0265; reference:cve,2011-0266; reference:cve,2011-0267; reference:cve,2011-0268; reference:cve,2011-0269; reference:url,osvdb.org/show/osvdb/70473; classtype:attempted-user; sid:18764; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Majordomo2 http directory traversal attempt"; flow:to_server,established; http_uri; content:"mj_wwwusr",fast_pattern,nocase; content:"extra=",distance 0,nocase; http_raw_uri; content:"../../.."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,46127; reference:cve,2011-0049; classtype:web-application-attack; sid:18761; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Adobe ColdFusion locale directory traversal attempt"; flow:to_server,established; http_uri; content:"CFIDE",fast_pattern; pkt_data; content:"locale=",nocase; content:"../../../",distance 0; content:"%00",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42342; reference:cve,2010-2861; classtype:attempted-admin; sid:18464; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 ( msg:"SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt"; flow:to_server,established; content:"/cgiablogon.exe"; content:"CRYPT",nocase; isdataat:512,relative; pcre:"/pwd=(\!|\%21)CRYPT(\!|\%21)[^\r\n&]{513}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28020; reference:cve,2008-1365; reference:url,secunia.com/advisories/29124; classtype:web-application-attack; sid:17605; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 17000 ( msg:"SERVER-WEBAPP Oracle TimesTen In-Memory Database evtdump CGI module format string exploit attempt"; flow:to_server,established; content:"GET ",depth 4,nocase; content:"evtdump?",distance 0,nocase; pcre:"/evtdump\x3f.*?\x2525[^\x20]*?\x20HTTP/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33177; reference:cve,2008-5440; classtype:attempted-admin; sid:15264; rev:2; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"SERVER-SAMBA Samba send_mailslot buffer overflow attempt"; content:"|5C|MAILSLOT|5C|NET|5C|NTLOGON",fast_pattern; pcre:"/^\x00+/R"; content:"|12 00 00 00|",within 4; pcre:"/^\x00\x00\x00\x00[^\x00]{262}/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-dgm; reference:bugtraq,26791; reference:cve,2007-6015; classtype:attempted-admin; sid:13291; rev:6; )
+alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"SERVER-SAMBA Samba send_mailslot buffer overflow attempt"; content:"|5C|MAILSLOT|5C|NET|5C|NTLOGON",nocase; pcre:"/^\x00+/R"; content:"|12 00 00 00|",within 4; pcre:"/^\x00\x00\x00\x00[^\x00]{260}/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:netbios-dgm; reference:bugtraq,26791; reference:cve,2007-6015; classtype:attempted-admin; sid:17661; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt"; flow:to_server,established; http_uri; content:"nnmRptConfig.exe"; pcre:"/(data_select1|nameParams|schdParams|text1|schd_select1)=[^\x26]{512}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,45762; reference:cve,2011-0265; reference:cve,2011-0266; reference:cve,2011-0267; reference:cve,2011-0268; reference:cve,2011-0269; reference:url,osvdb.org/show/osvdb/70473; classtype:attempted-user; sid:24147; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Windows .NET Chart Control directory traversal attempt"; flow:to_server,established; content:"charImg.axd?"; http_uri; content:"i=/",distance 0; http_raw_uri; content:".."; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-1977; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-066; classtype:attempted-recon; sid:19694; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt"; flow:to_server,established; http_uri; content:"nnmRptConfig.exe"; http_client_body; pcre:"/(data_select1|nameParams|schdParams|text1|schd_select1)=[^\x26]{512}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,45762; reference:cve,2011-0265; reference:cve,2011-0266; reference:cve,2011-0267; reference:cve,2011-0268; reference:cve,2011-0269; reference:url,osvdb.org/show/osvdb/70473; classtype:attempted-user; sid:18764; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Majordomo2 http directory traversal attempt"; flow:to_server,established; http_uri; content:"mj_wwwusr",fast_pattern,nocase; content:"extra=",distance 0,nocase; http_raw_uri; content:"../../.."; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,46127; reference:cve,2011-0049; classtype:web-application-attack; sid:18761; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Adobe ColdFusion locale directory traversal attempt"; flow:to_server,established; http_uri; content:"CFIDE",fast_pattern; pkt_data; content:"locale=",nocase; content:"../../../",distance 0; content:"%00",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42342; reference:cve,2010-2861; classtype:attempted-admin; sid:18464; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 ( msg:"SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt"; flow:to_server,established; content:"/cgiablogon.exe"; content:"CRYPT",nocase; isdataat:512,relative; pcre:"/pwd=(\!|\%21)CRYPT(\!|\%21)[^\r\n&]{513}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,28020; reference:cve,2008-1365; reference:url,secunia.com/advisories/29124; classtype:web-application-attack; sid:17605; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 17000 ( msg:"SERVER-WEBAPP Oracle TimesTen In-Memory Database evtdump CGI module format string exploit attempt"; flow:to_server,established; content:"GET ",depth 4,nocase; content:"evtdump?",distance 0,nocase; pcre:"/evtdump\x3f.*?\x2525[^\x20]*?\x20HTTP/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33177; reference:cve,2008-5440; classtype:attempted-admin; sid:15264; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt"; flow:to_server,established; content:"/cgiChkMasterPwd.exe"; content:"CRYPT",nocase; isdataat:512,relative; pcre:"/TMlogonEncrypted=(\!|\%21)CRYPT(\!|\%21)[A-Z0-9]{512}/i"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,28020; reference:cve,2008-1365; reference:url,secunia.com/advisories/29124; classtype:web-application-attack; sid:13591; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP SiteScope APISiteScopeImpl information disclosure attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/APISiteScopeImpl"; http_client_body; content:"impl:getSiteScopeConfiguration"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,55269; reference:cve,2012-3259; reference:url,osvdb.org/show/osvdb/85120; classtype:web-application-activity; sid:24291; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP SiteScope APISiteScopeImpl information disclosure attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/APISiteScopeImpl"; http_client_body; content:"impl:getFileInternal"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,55269; reference:cve,2012-3259; reference:url,osvdb.org/show/osvdb/85120; classtype:web-application-activity; sid:24292; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP SiteScope DownloadFilesHandler directory traversal attempt"; flow:to_server,established; http_uri; content:"REMOTE_HANDLER_KEY=DownloadFilesHandler"; content:"DownloadFilesHandler.file.name="; content:"..",within 3; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,55273; reference:cve,2012-3264; classtype:web-application-activity; sid:24447; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP SiteScope UploadFilesHandler directory traversal attempt"; flow:to_server,established; http_uri; content:"REMOTE_HANDLER_KEY=UploadFilesHandler"; content:"UploadFilesHandler.file.name="; content:"..",within 3; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,55273; reference:cve,2012-3264; classtype:web-application-activity; sid:24448; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway blocked.php blind sql injection attempt"; flow:to_server,established; http_uri; content:"/spywall/blocked.php"; content:"id=",nocase; pcre:"/[\x3f\x26]id=\d*[\x28\x29\x22\x27]/is"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,54424; reference:cve,2012-2574; reference:url,osvdb.org/show/osvdb/84118; classtype:attempted-user; sid:23934; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM nnmRptConfig.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/nnmRptConfig|2E|exe"; http_client_body; content:"Action|3D|Create",nocase; pkt_data; content:"Template|3D|"; isdataat:1000,relative; http_client_body; pcre:"/Template\x3D[^\x0D\x0A]{1000}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3848; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20240; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phpMyAdmin server_sync.php backdoor access attempt"; flow:to_server,established; http_uri; content:"/phpMyAdmin/server_sync.php"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:web-application-attack; sid:24256; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP libtidy null pointer dereference attempt"; flow:to_server,established; content:"<?"; content:"Tidy",distance 0; content:"diagnose"; pcre:"/(?P<var>\x24\w+)\s*=\s*(new Tidy|Tidy->new)\x28\s*[\x22\x27]\x2a[\x22\x27]\s*\x29.{1,256}(?P=var)->diagnose/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-4153; classtype:attempted-dos; sid:23995; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP zend_strndup null pointer dereference attempt"; flow:to_server,established; content:"define|28|",nocase; content:"str_repeat|28|"; pcre:"/<\?(php)?.{1,256}define\s*\x28\s*str_repeat\s*\x28\s*[\x22\x27][^\x22\x27]+[\x22\x27]\s*\x2c\s*\x24argv/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-4153; classtype:attempted-dos; sid:23994; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"SERVER-WEBAPP Invalid global flag attachment attempt"; flow:to_client,established; file_data; content:"<?php"; content:"ZipArchive"; content:"addGlob",distance 0; pcre:"/\x24(?P<var1>\w*)\s*\x3d\s*new\s*ZipArchive\x28\x29.*?\x24(?P=var1)\x2d\x3eaddGlob\x28[\x22\x27]?(?!GLOB_BRACE|GLOB_MARK|GLOB_NOSORT|GLOB_NOCHECK|GLOB_NOESCAPE|GLOB_ERR|GLOB_ONLYDIR)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,49252; reference:cve,2011-1471; classtype:denial-of-service; sid:23937; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla Remote File Include upload attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/admin/addcontent.inc.php"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/security/95.211.20.103-local-file-inclusion-attack.html; reference:url,www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla; classtype:attempted-user; sid:23828; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla Remote File Include upload attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/images/psg.php"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/security/95.211.20.103-local-file-inclusion-attack.html; reference:url,www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla; classtype:attempted-user; sid:23827; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway pbcontrol.php filename parameter command injection attempt"; flow:to_server,established; http_uri; content:"/spywall/pbcontrol.php"; content:"filename=",nocase; pcre:"/[?&]filename=[^&]*?[\x22\x27][^&]*?\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,54426; reference:cve,2012-2953; reference:url,osvdb.org/show/osvdb/84120; classtype:attempted-admin; sid:23783; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress Invit0r plugin php upload attempt"; flow:to_server,established; http_uri; content:"/wp-content/plugins/invit0r/lib/php-ofc-library/ofc_upload_image.php"; content:"name="; http_client_body; content:"<?php ",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53995; reference:url,osvdb.org/show/osvdb/82985; reference:url,www.opensyscom.fr/Actualites/wordpress-plugins-invit0r-arbitrary-file-upload-vulnerability.html; classtype:web-application-attack; sid:23485; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP-CGI command injection attempt"; flow:to_server,established; http_uri; content:".php?"; content:"-s",nocase; http_raw_uri; content:!"="; http_uri; pcre:"/\x2ephp\x3f\s*-s/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22064; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; http_uri; content:"auto_prepend_file"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22063; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP JCE Joomla module vulnerable directory traversal or malicious file upload attempt"; flow:to_server,established; http_uri; content:"option=com_jce"; http_client_body; content:"json",nocase; pcre:"/json\s*=\s*\x7b.*?\x22fn\x22\s*\x3a\s*\x22(getItems|folderRename|file(Delete|Copy))\x22\s*\x2c\s*\x22args\x22\s*\x3a\x5b?[^\x7d]*?\x22[^\x22]*?(\.\.|0day)[^\x22]*?\x22.*?\x7d/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:21926; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP phpThumb fltr[] parameter remote command execution attempt"; flow:to_server,established; http_uri; content:"/phpThumb.php?",nocase; content:"fltr[]=",nocase; content:"|3B|",within 200,nocase; pcre:"/\x2FphpThumb\.php\x3F[^\r\n]*fltr\[\]=[^\r\n\x26]+\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39605; reference:cve,2010-1598; reference:url,blog.spiderlabs.com/2011/12/honeypot-alert-phpthumb-fltr-parameter-command-injection-detected.html; classtype:attempted-user; sid:20827; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress timthumb.php theme remote file include attack attempt"; flow:to_server,established; http_uri; content:"/timthumb.php?",nocase; content:"src=http",distance 0,nocase; pcre:"/\x2ftimthumb\x2ephp\x3f[^\r\n]*?src=https?\x3a\x2f([^\x2e\x2f]+?\x2e){3}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,47374; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:web-application-attack; sid:19653; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP phpMyAdmin session_to_unset session variable injection attempt"; flow:to_server,established; http_uri; content:"session_to_unset="; content:"_SESSION[",nocase; pcre:"/session_to_unset=($|[\x26\x3B])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-2505; reference:cve,2011-2506; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2011-5.php; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2011-6.php; classtype:attempted-user; sid:19553; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP TikiWiki jhot.php script file upload attempt"; flow:to_server,established; http_uri; content:"/jhot.php",nocase; pkt_data; content:"Content-Disposition|3A|",nocase; content:"filename=",nocase; pcre:"/^Content-Disposition\x3A[^\r\n]*filename=(?P<q1>\x22|\x27|)[^\r\n]*?\x2Ephp(?P=q1)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19819; reference:cve,2006-4602; reference:url,tikiwiki.org/tiki-read_article.php?articleid=136; classtype:attempted-user; sid:17597; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla invalid token administrative password reset attempt"; flow:to_server,established; http_uri; content:"task=confirmreset",nocase; content:"option=com_user"; pkt_data; content:"token=%27&",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30667; reference:cve,2008-3681; reference:url,developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html; classtype:attempted-admin; sid:14610; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt"; flow:to_server,established; http_uri; content:"/rtrlet/rtr"; content:"username=ivanhoe",nocase; content:"password=scott",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4933; reference:url,www.kb.cert.org/vuls/id/332412; classtype:attempted-admin; sid:24436; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt"; flow:to_server,established; http_uri; content:"/rtrlet/rtr"; http_client_body; content:"username=ivanhoe",nocase; content:"password=scott",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4933; reference:url,www.kb.cert.org/vuls/id/332412; classtype:attempted-admin; sid:24435; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP IBM System Storage DS storage manager profiler XSS attempt"; flow:to_server,established; http_uri; content:"/SoftwareRegistration.do"; pcre:"/SoftwareRegistration\.do.*?updateRegn=[^\x26\r\n]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,54112; reference:cve,2012-2172; reference:url,www.exploit-db.com/exploits/19321/; classtype:web-application-attack; sid:23466; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Common Services Device Center XSS attempt"; flow:to_server,established; http_uri; content:"/cwhp/device.center.do"; pcre:"/device\.center\.do\?[^$\n]*(DeviceID|objectID|dsOsName|device)=[^$\n]*([\x3C\x3E\x22\x27]|script|src|location|document)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0962; classtype:web-application-attack; sid:21389; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Common Services Help servlet XSS attempt"; flow:to_server,established; http_uri; content:"com.cisco.nm.help.ServerHelpEngine"; pcre:"/com\.cisco\.nm\.help\.ServerHelpEngine\?[^$\n]*tag=[^$\n]*([\x3C\x3E\x22\x27]|script|src|location|document)/Oi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0961; classtype:web-application-attack; sid:21385; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Unified Communications Manager sql injection attempt"; flow:to_server,established; http_uri; content:"/ccmcip/xmldirectorylist"; pcre:"/xmldirectorylist(\.utf-8|\.other)?\.jsp[^\n]*?[\x3F\x26][lfn]=[^\x26]*?[\x22\x27][^\x26]*?\x20(or|union|like|select)\x20/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1610; classtype:web-application-attack; sid:21377; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP SiteScope APISiteScopeImpl information disclosure attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/APISiteScopeImpl"; http_client_body; content:"impl:getSiteScopeConfiguration"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,55269; reference:cve,2012-3259; reference:url,osvdb.org/show/osvdb/85120; classtype:web-application-activity; sid:24291; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP SiteScope APISiteScopeImpl information disclosure attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/APISiteScopeImpl"; http_client_body; content:"impl:getFileInternal"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,55269; reference:cve,2012-3259; reference:url,osvdb.org/show/osvdb/85120; classtype:web-application-activity; sid:24292; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP SiteScope DownloadFilesHandler directory traversal attempt"; flow:to_server,established; http_uri; content:"REMOTE_HANDLER_KEY=DownloadFilesHandler"; content:"DownloadFilesHandler.file.name="; content:"..",within 3; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,55273; reference:cve,2012-3264; classtype:web-application-activity; sid:24447; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP SiteScope UploadFilesHandler directory traversal attempt"; flow:to_server,established; http_uri; content:"REMOTE_HANDLER_KEY=UploadFilesHandler"; content:"UploadFilesHandler.file.name="; content:"..",within 3; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,55273; reference:cve,2012-3264; classtype:web-application-activity; sid:24448; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway blocked.php blind sql injection attempt"; flow:to_server,established; http_uri; content:"/spywall/blocked.php"; content:"id=",nocase; pcre:"/[\x3f\x26]id=\d*[\x28\x29\x22\x27]/is"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,54424; reference:cve,2012-2574; reference:url,osvdb.org/show/osvdb/84118; classtype:attempted-user; sid:23934; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM nnmRptConfig.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/nnmRptConfig|2E|exe"; http_client_body; content:"Action|3D|Create",nocase; pkt_data; content:"Template|3D|"; isdataat:1000,relative; http_client_body; pcre:"/Template\x3D[^\x0D\x0A]{1000}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-3848; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20240; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phpMyAdmin server_sync.php backdoor access attempt"; flow:to_server,established; http_uri; content:"/phpMyAdmin/server_sync.php"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:web-application-attack; sid:24256; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP libtidy null pointer dereference attempt"; flow:to_server,established; content:"<?"; content:"Tidy",distance 0; content:"diagnose"; pcre:"/(?P<var>\x24\w+)\s*=\s*(new Tidy|Tidy->new)\x28\s*[\x22\x27]\x2a[\x22\x27]\s*\x29.{1,256}(?P=var)->diagnose/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-4153; classtype:attempted-dos; sid:23995; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP zend_strndup null pointer dereference attempt"; flow:to_server,established; content:"define|28|",nocase; content:"str_repeat|28|"; pcre:"/<\?(php)?.{1,256}define\s*\x28\s*str_repeat\s*\x28\s*[\x22\x27][^\x22\x27]+[\x22\x27]\s*\x2c\s*\x24argv/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-4153; classtype:attempted-dos; sid:23994; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"SERVER-WEBAPP Invalid global flag attachment attempt"; flow:to_client,established; file_data; content:"<?php"; content:"ZipArchive"; content:"addGlob",distance 0; pcre:"/\x24(?P<var1>\w*)\s*\x3d\s*new\s*ZipArchive\x28\x29.*?\x24(?P=var1)\x2d\x3eaddGlob\x28[\x22\x27]?(?!GLOB_BRACE|GLOB_MARK|GLOB_NOSORT|GLOB_NOCHECK|GLOB_NOESCAPE|GLOB_ERR|GLOB_ONLYDIR)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,49252; reference:cve,2011-1471; classtype:denial-of-service; sid:23937; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla Remote File Include upload attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/admin/addcontent.inc.php"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,stopmalvertising.com/security/95.211.20.103-local-file-inclusion-attack.html; reference:url,www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla; classtype:attempted-user; sid:23828; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla Remote File Include upload attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/images/psg.php"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,stopmalvertising.com/security/95.211.20.103-local-file-inclusion-attack.html; reference:url,www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla; classtype:attempted-user; sid:23827; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway pbcontrol.php filename parameter command injection attempt"; flow:to_server,established; http_uri; content:"/spywall/pbcontrol.php"; content:"filename=",nocase; pcre:"/[?&]filename=[^&]*?[\x22\x27][^&]*?\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,54426; reference:cve,2012-2953; reference:url,osvdb.org/show/osvdb/84120; classtype:attempted-admin; sid:23783; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress Invit0r plugin php upload attempt"; flow:to_server,established; http_uri; content:"/wp-content/plugins/invit0r/lib/php-ofc-library/ofc_upload_image.php"; content:"name="; http_client_body; content:"<?php ",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53995; reference:url,osvdb.org/show/osvdb/82985; reference:url,www.opensyscom.fr/Actualites/wordpress-plugins-invit0r-arbitrary-file-upload-vulnerability.html; classtype:web-application-attack; sid:23485; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP-CGI command injection attempt"; flow:to_server,established; http_uri; content:".php?"; content:"-s",nocase; http_raw_uri; content:!"="; http_uri; pcre:"/\x2ephp\x3f\s*-s/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22064; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; http_uri; content:"auto_prepend_file"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22063; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP JCE Joomla module vulnerable directory traversal or malicious file upload attempt"; flow:to_server,established; http_uri; content:"option=com_jce"; http_client_body; content:"json",nocase; pcre:"/json\s*=\s*\x7b.*?\x22fn\x22\s*\x3a\s*\x22(getItems|folderRename|file(Delete|Copy))\x22\s*\x2c\s*\x22args\x22\s*\x3a\x5b?[^\x7d]*?\x22[^\x22]*?(\.\.|0day)[^\x22]*?\x22.*?\x7d/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:attempted-user; sid:21926; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP phpThumb fltr[] parameter remote command execution attempt"; flow:to_server,established; http_uri; content:"/phpThumb.php?",nocase; content:"fltr[]=",nocase; content:"|3B|",within 200,nocase; pcre:"/\x2FphpThumb\.php\x3F[^\r\n]*fltr\[\]=[^\r\n\x26]+\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39605; reference:cve,2010-1598; reference:url,blog.spiderlabs.com/2011/12/honeypot-alert-phpthumb-fltr-parameter-command-injection-detected.html; classtype:attempted-user; sid:20827; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress timthumb.php theme remote file include attack attempt"; flow:to_server,established; http_uri; content:"/timthumb.php?",nocase; content:"src=http",distance 0,nocase; pcre:"/\x2ftimthumb\x2ephp\x3f[^\r\n]*?src=https?\x3a\x2f([^\x2e\x2f]+?\x2e){3}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,47374; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:web-application-attack; sid:19653; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP phpMyAdmin session_to_unset session variable injection attempt"; flow:to_server,established; http_uri; content:"session_to_unset="; content:"_SESSION[",nocase; pcre:"/session_to_unset=($|[\x26\x3B])/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-2505; reference:cve,2011-2506; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2011-5.php; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2011-6.php; classtype:attempted-user; sid:19553; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP TikiWiki jhot.php script file upload attempt"; flow:to_server,established; http_uri; content:"/jhot.php",nocase; pkt_data; content:"Content-Disposition|3A|",nocase; content:"filename=",nocase; pcre:"/^Content-Disposition\x3A[^\r\n]*filename=(?P<q1>\x22|\x27|)[^\r\n]*?\x2Ephp(?P=q1)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19819; reference:cve,2006-4602; reference:url,tikiwiki.org/tiki-read_article.php?articleid=136; classtype:attempted-user; sid:17597; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla invalid token administrative password reset attempt"; flow:to_server,established; http_uri; content:"task=confirmreset",nocase; content:"option=com_user"; pkt_data; content:"token=%27&",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,30667; reference:cve,2008-3681; reference:url,developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html; classtype:attempted-admin; sid:14610; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt"; flow:to_server,established; http_uri; content:"/rtrlet/rtr"; content:"username=ivanhoe",nocase; content:"password=scott",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-4933; reference:url,www.kb.cert.org/vuls/id/332412; classtype:attempted-admin; sid:24436; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt"; flow:to_server,established; http_uri; content:"/rtrlet/rtr"; http_client_body; content:"username=ivanhoe",nocase; content:"password=scott",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-4933; reference:url,www.kb.cert.org/vuls/id/332412; classtype:attempted-admin; sid:24435; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP IBM System Storage DS storage manager profiler XSS attempt"; flow:to_server,established; http_uri; content:"/SoftwareRegistration.do"; pcre:"/SoftwareRegistration\.do.*?updateRegn=[^\x26\r\n]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,54112; reference:cve,2012-2172; reference:url,www.exploit-db.com/exploits/19321/; classtype:web-application-attack; sid:23466; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Common Services Device Center XSS attempt"; flow:to_server,established; http_uri; content:"/cwhp/device.center.do"; pcre:"/device\.center\.do\?[^$\n]*(DeviceID|objectID|dsOsName|device)=[^$\n]*([\x3C\x3E\x22\x27]|script|src|location|document)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-0962; classtype:web-application-attack; sid:21389; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Common Services Help servlet XSS attempt"; flow:to_server,established; http_uri; content:"com.cisco.nm.help.ServerHelpEngine"; pcre:"/com\.cisco\.nm\.help\.ServerHelpEngine\?[^$\n]*tag=[^$\n]*([\x3C\x3E\x22\x27]|script|src|location|document)/Oi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-0961; classtype:web-application-attack; sid:21385; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Unified Communications Manager sql injection attempt"; flow:to_server,established; http_uri; content:"/ccmcip/xmldirectorylist"; pcre:"/xmldirectorylist(\.utf-8|\.other)?\.jsp[^\n]*?[\x3F\x26][lfn]=[^\x26]*?[\x22\x27][^\x26]*?\x20(or|union|like|select)\x20/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-1610; classtype:web-application-attack; sid:21377; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 ( msg:"SERVER-WEBAPP HP OpenView Storage Data Protector get file buffer overflow attempt"; flow:to_server,established; content:"|32 00 00 00|",depth 4,offset 6; content:"1|00|7|00 00 00|",distance 0; isdataat:514,relative; content:!"|00|",within 514; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2011-1729; classtype:attempted-user; sid:20532; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 ( msg:"SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt"; flow:to_server,established; content:"|2E 00 5C 00 2E 00 2E 00 5C 00|"; content:"|32 00 00 00|",depth 4,offset 6; content:"1|00|7|00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2011-1736; classtype:attempted-recon; sid:20531; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 ( msg:"SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt"; flow:to_server,established; content:"|2E 00 2F 00 2E 00 2E 00 2F 00|"; content:"|32 00 00 00|",depth 4,offset 6; content:"1|00|7|00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2011-1736; classtype:attempted-recon; sid:20530; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM snmp.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/Main/Snmp|2E|exe"; http_client_body; content:"Oid|3D|",nocase; isdataat:1000,relative; pcre:"/Oid\x3D[^\x0D\x0A]{1000}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3849; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20241; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe CGI passwd parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/ovlogin|2E|exe"; http_client_body; content:"passwd|3D|",nocase; isdataat:29,relative; pcre:"/passwd\x3D[^\x26\x3F\x3B\x0D\x0A]{29}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3846; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20180; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe CGI userid parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/ovlogin|2E|exe"; http_client_body; content:"userid|3D|",nocase; isdataat:29,relative; pcre:"/userid\x3D[^\x26\x3F\x3B\x0D\x0A]{29}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3846; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20179; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/snmpviewer|2E|exe"; pkt_data; content:"Host|3A|",nocase; isdataat:121,relative; http_header; pcre:"/Host\x3A\s*[^\x0D\x0A]{121}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4180; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20177; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Power Manager remote code execution attempt"; flow:to_server,established; http_uri; content:"/goform/formLogin"; http_client_body; content:"Login=",nocase; isdataat:51; pkt_data; pcre:"/^[^\x26\x3b]{51}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36933; reference:cve,2009-2685; reference:cve,2010-4113; classtype:attempted-admin; sid:19826; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Openview Network Node Manager OvAcceptLang overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Toolbar.exe"; http_cookie; pcre:"/OvAcceptLang\s*\x3d\s*[^\x3b\n]{300}/ism"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34134; reference:cve,2009-0921; classtype:attempted-user; sid:16555; rev:7; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Virtual Server Agent command injection attempt"; flow:to_server,established; http_uri; content:"/RPC2",fast_pattern,nocase; http_client_body; content:"<?xml"; pkt_data; content:"params",distance 0; pcre:"/\x3C\s*param\s*\x3E\s*\x3C\s*value\s*\x3E\s*\x3C\s*string\s*\x3E[^\x3C]*[\x2C\x3B]/smiR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44031; reference:cve,2010-3582; reference:cve,2010-3585; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html; classtype:attempted-admin; sid:19441; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM snmp.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/Main/Snmp|2E|exe"; http_client_body; content:"Oid|3D|",nocase; isdataat:1000,relative; pcre:"/Oid\x3D[^\x0D\x0A]{1000}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-3849; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20241; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe CGI passwd parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/ovlogin|2E|exe"; http_client_body; content:"passwd|3D|",nocase; isdataat:29,relative; pcre:"/passwd\x3D[^\x26\x3F\x3B\x0D\x0A]{29}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-3846; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20180; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe CGI userid parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/ovlogin|2E|exe"; http_client_body; content:"userid|3D|",nocase; isdataat:29,relative; pcre:"/userid\x3D[^\x26\x3F\x3B\x0D\x0A]{29}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-3846; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20179; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/snmpviewer|2E|exe"; pkt_data; content:"Host|3A|",nocase; isdataat:121,relative; http_header; pcre:"/Host\x3A\s*[^\x0D\x0A]{121}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-4180; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20177; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Power Manager remote code execution attempt"; flow:to_server,established; http_uri; content:"/goform/formLogin"; http_client_body; content:"Login=",nocase; isdataat:51; pkt_data; pcre:"/^[^\x26\x3b]{51}/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36933; reference:cve,2009-2685; reference:cve,2010-4113; classtype:attempted-admin; sid:19826; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Openview Network Node Manager OvAcceptLang overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Toolbar.exe"; http_cookie; pcre:"/OvAcceptLang\s*\x3d\s*[^\x3b\n]{300}/ism"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34134; reference:cve,2009-0921; classtype:attempted-user; sid:16555; rev:7; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Virtual Server Agent command injection attempt"; flow:to_server,established; http_uri; content:"/RPC2",fast_pattern,nocase; http_client_body; content:"<?xml"; pkt_data; content:"params",distance 0; pcre:"/\x3C\s*param\s*\x3E\s*\x3C\s*value\s*\x3E\s*\x3C\s*string\s*\x3E[^\x3C]*[\x2C\x3B]/smiR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,44031; reference:cve,2010-3582; reference:cve,2010-3585; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html; classtype:attempted-admin; sid:19441; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 ( msg:"SERVER-WEBAPP Symantec Alert Management System modem string buffer overflow attempt"; flow:to_server,established; content:"|FF FF FF FF|",depth 4; content:"PAGE",depth 4,offset 30; content:"ModemString|00|",distance 0; byte_test:2,>,32,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2010-0110; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00; classtype:attempted-user; sid:19209; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4150 ( msg:"SERVER-WEBAPP Oracle GoldenGate Veridata Server soap request overflow attempt"; flow:to_server,established; content:"<soapenv:",nocase; content:"<ns1:",distance 0,nocase; isdataat:256,relative; content:!">",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45868; reference:cve,2010-4416; classtype:attempted-admin; sid:19168; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Data Protector Media Operations SignInName Parameter overflow attempt"; flow:to_server,established; http_uri; content:"/4daction/wHandleURLs/handleSignIn"; http_client_body; content:"SignInName=",nocase; isdataat:256,relative; content:!"&",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44381; classtype:attempted-admin; sid:19155; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"-textFile+"; content:"/OvCgi/"; pcre:"/\/OvCgi\/(jovgraph|webappmon)\.exe.*?-textFile+[^+]{201}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1551; reference:cve,2010-1552; reference:cve,2010-1553; reference:cve,2010-1554; reference:cve,2010-1555; reference:cve,2010-1961; reference:cve,2011-3167; classtype:attempted-user; sid:16674; rev:9; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/snmpviewer|2E|exe"; pkt_data; content:"app|3D|",nocase; isdataat:300,relative; content:"act|3D|",nocase; isdataat:300,relative; pcre:"/act\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; pcre:"/app\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1552; classtype:attempted-user; sid:19140; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI MaxAge parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"MaxAge|3D|",nocase; isdataat:300,relative; pcre:"/MaxAge\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1553; classtype:attempted-user; sid:19139; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"Hostname|3D|",nocase; isdataat:300,relative; pcre:"/Hostname\x3D[^\x26\x3F\x3B\x0D\x0A\s]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1555; classtype:attempted-user; sid:19138; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI ICount parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"ICount|3D|",nocase; isdataat:300,relative; pcre:"/ICount\x3D\x2D[^\x26\x3F\x3B\x0D\x0A\s]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1554; classtype:attempted-user; sid:19137; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 ( msg:"SERVER-WEBAPP IBM Rational Quality Manager and Test Lab Manager policy bypass attempt"; flow:to_server,established; http_uri; content:"/manager",nocase; http_header; content:"Authorization|3A 20|Basic|20|QURNSU46QURNSU4="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44172; reference:cve,2010-4094; classtype:default-login-attempt; sid:19110; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Jboss default configuration unauthorized application add attempt"; flow:to_server,established; http_uri; content:"/jmx-console/HtmlAdaptor?",nocase; content:"action=inspectMBean",nocase; content:"name=jboss.deployment|3A|type=DeploymentScanner,flavor=URL",nocase; pkt_data; content:"addURL|28|",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; classtype:web-application-attack; sid:18932; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Toolbar.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18925; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Title.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18924; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/snmpviewer.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18923; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/printsession.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18922; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OvWebHelp.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18921; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OvHelp.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18920; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovsipexport.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18919; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovsessioninfo.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18918; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovlogin.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18917; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovlaunchreg.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18916; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovlaunch.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18915; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovalarm.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18914; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OpenView.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18913; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OpenView5.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18912; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/nnmRptPresenter.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18911; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/nnmRptConfig.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18910; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/jovwreg.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18909; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/jovw.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18908; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/getnnmdata.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18907; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/getcvdata.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18906; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Main/Snmp.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18905; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/webappmon.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:17140; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Power Manager formExportDataLogs directory traversal attempt"; flow:to_server,established; http_uri; content:"|2F|goform|2F|formExportDataLogs",nocase; pkt_data; pcre:"/fileName\x3d[^\x26]*(\x2e\x2e\x5c|\x2e\x2e\x2f)/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37866; reference:cve,2009-4000; classtype:web-application-attack; sid:18802; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Secure Backup Administration property_box.php other variable command execution attempt"; flow:to_server,established; http_uri; content:"/property_box.php",fast_pattern,nocase; content:"type=ListAttachment",nocase; content:"other=",nocase; http_raw_uri; pcre:"/other=[^\x26]*(%26|%7c)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,41616; reference:cve,2010-0899; classtype:attempted-admin; sid:18797; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovet_demandpoll.exe format string execution attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/OvCgi/webappmon.exe",fast_pattern,nocase; http_client_body; content:"sel="; pkt_data; pcre:"/^[^\x26]*?\x25/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40065; reference:cve,2010-1550; classtype:attempted-admin; sid:18795; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX authentication bypass attempt"; flow:to_server,established; http_method; content:"HEAD",nocase; http_uri; content:"/jmx-console/HtmlAdaptor",nocase; content:"import",nocase; pcre:"/\x26arg\d+\s*=\s*[^\r\n\x26]*import/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39710; reference:cve,2010-0738; classtype:attempted-admin; sid:18794; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt"; flow:to_server,established; content:"/zenworks-fileupload/?",nocase; pcre:"/(filename|type)=[^\x26]*?\x2E\x2E/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39914; reference:url,www.novell.com/support/viewContent.do?externalId=7005573; classtype:attempted-admin; sid:18793; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt"; flow:to_server,established; http_uri; content:"/zenworks/UploadServlet",fast_pattern,nocase; pkt_data; content:"filename=",nocase; pcre:"/^[^\x26]*?\x2E\x2E/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39914; reference:url,www.novell.com/support/viewContent.do?externalId=7005573; classtype:attempted-admin; sid:18792; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - GET"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; content:"displayWidth",distance 0,nocase; pcre:"/(displayWidth[\x2b\x20]\d[^\x2b\s\n]{128})/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45762; reference:cve,2011-0262; classtype:attempted-user; sid:18760; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - POST"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; http_client_body; content:"displayWidth",nocase; pcre:"/(displayWidth[\x2b\x20]\d[^\x2b\s\n]{128})/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45762; reference:cve,2011-0262; classtype:attempted-user; sid:18759; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Power Manager formExportDataLogs buffer overflow attempt"; flow:to_server,established; http_uri; content:"|2F|goform|2F|formExportDataLogs",nocase; http_client_body; content:"fileName"; pcre:"/fileName\x3d[^\r\n&]{235}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37866; reference:cve,2009-3999; classtype:attempted-user; sid:18745; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager OpenView5 CGI buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/OpenView5.exe"; pkt_data; pcre:"/(Context|Action)\x3D[^\x26\x3b]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33147; reference:cve,2008-0067; classtype:attempted-user; sid:18579; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Performance Insight Server backdoor account code execution attempt"; flow:to_server,established; http_uri; content:"/services",nocase; http_header; content:"aGNoOTA4djp6NnQwaiQraQ=="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,46079; reference:cve,2011-0276; classtype:attempted-admin; sid:18560; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Performance Insight Server backdoor account code execution attempt"; flow:to_server,established; http_uri; content:"/reports",nocase; http_header; content:"aGNoOTA4djp6NnQwaiQraQ=="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,46079; reference:cve,2011-0276; classtype:attempted-admin; sid:18559; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4150 ( msg:"SERVER-WEBAPP Oracle GoldenGate Veridata Server soap request overflow attempt"; flow:to_server,established; content:"<soapenv:",nocase; content:"<ns1:",distance 0,nocase; isdataat:256,relative; content:!">",within 256; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,45868; reference:cve,2010-4416; classtype:attempted-admin; sid:19168; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Data Protector Media Operations SignInName Parameter overflow attempt"; flow:to_server,established; http_uri; content:"/4daction/wHandleURLs/handleSignIn"; http_client_body; content:"SignInName=",nocase; isdataat:256,relative; content:!"&",within 256; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,44381; classtype:attempted-admin; sid:19155; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"-textFile+"; content:"/OvCgi/"; pcre:"/\/OvCgi\/(jovgraph|webappmon)\.exe.*?-textFile+[^+]{201}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-1551; reference:cve,2010-1552; reference:cve,2010-1553; reference:cve,2010-1554; reference:cve,2010-1555; reference:cve,2010-1961; reference:cve,2011-3167; classtype:attempted-user; sid:16674; rev:9; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/snmpviewer|2E|exe"; pkt_data; content:"app|3D|",nocase; isdataat:300,relative; content:"act|3D|",nocase; isdataat:300,relative; pcre:"/act\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; pcre:"/app\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-1552; classtype:attempted-user; sid:19140; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI MaxAge parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"MaxAge|3D|",nocase; isdataat:300,relative; pcre:"/MaxAge\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-1553; classtype:attempted-user; sid:19139; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"Hostname|3D|",nocase; isdataat:300,relative; pcre:"/Hostname\x3D[^\x26\x3F\x3B\x0D\x0A\s]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-1555; classtype:attempted-user; sid:19138; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI ICount parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"ICount|3D|",nocase; isdataat:300,relative; pcre:"/ICount\x3D\x2D[^\x26\x3F\x3B\x0D\x0A\s]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-1554; classtype:attempted-user; sid:19137; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 ( msg:"SERVER-WEBAPP IBM Rational Quality Manager and Test Lab Manager policy bypass attempt"; flow:to_server,established; http_uri; content:"/manager",nocase; http_header; content:"Authorization|3A 20|Basic|20|QURNSU46QURNSU4="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,44172; reference:cve,2010-4094; classtype:default-login-attempt; sid:19110; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Jboss default configuration unauthorized application add attempt"; flow:to_server,established; http_uri; content:"/jmx-console/HtmlAdaptor?",nocase; content:"action=inspectMBean",nocase; content:"name=jboss.deployment|3A|type=DeploymentScanner,flavor=URL",nocase; pkt_data; content:"addURL|28|",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; classtype:web-application-attack; sid:18932; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Toolbar.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18925; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Title.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18924; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/snmpviewer.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18923; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/printsession.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18922; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OvWebHelp.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18921; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OvHelp.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18920; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovsipexport.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18919; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovsessioninfo.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18918; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovlogin.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18917; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovlaunchreg.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18916; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovlaunch.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18915; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovalarm.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18914; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OpenView.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18913; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OpenView5.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18912; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/nnmRptPresenter.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18911; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/nnmRptConfig.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18910; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/jovwreg.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18909; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/jovw.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18908; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/getnnmdata.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18907; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/getcvdata.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18906; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Main/Snmp.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18905; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/webappmon.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:17140; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Power Manager formExportDataLogs directory traversal attempt"; flow:to_server,established; http_uri; content:"|2F|goform|2F|formExportDataLogs",nocase; pkt_data; pcre:"/fileName\x3d[^\x26]*(\x2e\x2e\x5c|\x2e\x2e\x2f)/Ri"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37866; reference:cve,2009-4000; classtype:web-application-attack; sid:18802; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Secure Backup Administration property_box.php other variable command execution attempt"; flow:to_server,established; http_uri; content:"/property_box.php",fast_pattern,nocase; content:"type=ListAttachment",nocase; content:"other=",nocase; http_raw_uri; pcre:"/other=[^\x26]*(%26|%7c)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,41616; reference:cve,2010-0899; classtype:attempted-admin; sid:18797; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovet_demandpoll.exe format string execution attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/OvCgi/webappmon.exe",fast_pattern,nocase; http_client_body; content:"sel="; pkt_data; pcre:"/^[^\x26]*?\x25/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,40065; reference:cve,2010-1550; classtype:attempted-admin; sid:18795; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX authentication bypass attempt"; flow:to_server,established; http_method; content:"HEAD",nocase; http_uri; content:"/jmx-console/HtmlAdaptor",nocase; content:"import",nocase; pcre:"/\x26arg\d+\s*=\s*[^\r\n\x26]*import/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39710; reference:cve,2010-0738; classtype:attempted-admin; sid:18794; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt"; flow:to_server,established; content:"/zenworks-fileupload/?",nocase; pcre:"/(filename|type)=[^\x26]*?\x2E\x2E/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39914; reference:url,www.novell.com/support/viewContent.do?externalId=7005573; classtype:attempted-admin; sid:18793; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt"; flow:to_server,established; http_uri; content:"/zenworks/UploadServlet",fast_pattern,nocase; pkt_data; content:"filename=",nocase; pcre:"/^[^\x26]*?\x2E\x2E/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39914; reference:url,www.novell.com/support/viewContent.do?externalId=7005573; classtype:attempted-admin; sid:18792; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - GET"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; content:"displayWidth",distance 0,nocase; pcre:"/(displayWidth[\x2b\x20]\d[^\x2b\s\n]{128})/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,45762; reference:cve,2011-0262; classtype:attempted-user; sid:18760; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - POST"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; http_client_body; content:"displayWidth",nocase; pcre:"/(displayWidth[\x2b\x20]\d[^\x2b\s\n]{128})/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,45762; reference:cve,2011-0262; classtype:attempted-user; sid:18759; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Power Manager formExportDataLogs buffer overflow attempt"; flow:to_server,established; http_uri; content:"|2F|goform|2F|formExportDataLogs",nocase; http_client_body; content:"fileName"; pcre:"/fileName\x3d[^\r\n&]{235}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37866; reference:cve,2009-3999; classtype:attempted-user; sid:18745; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager OpenView5 CGI buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/OpenView5.exe"; pkt_data; pcre:"/(Context|Action)\x3D[^\x26\x3b]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33147; reference:cve,2008-0067; classtype:attempted-user; sid:18579; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Performance Insight Server backdoor account code execution attempt"; flow:to_server,established; http_uri; content:"/services",nocase; http_header; content:"aGNoOTA4djp6NnQwaiQraQ=="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,46079; reference:cve,2011-0276; classtype:attempted-admin; sid:18560; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Performance Insight Server backdoor account code execution attempt"; flow:to_server,established; http_uri; content:"/reports",nocase; http_header; content:"aGNoOTA4djp6NnQwaiQraQ=="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,46079; reference:cve,2011-0276; classtype:attempted-admin; sid:18559; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 ( msg:"SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt"; flow:to_server,established; content:"|FF FF FF FF|",depth 4; content:"PAGE",depth 4,offset 30,nocase; content:"PinNumber|00|",distance 0; byte_test:2,>,256,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2010-0110; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00; classtype:attempted-user; sid:18460; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell iManager getMultiPartParameters unauthorized file upload attempt"; flow:to_server,established; http_uri; content:"/nps/servlet/modulemanager",nocase; pkt_data; content:"Content-Disposition",nocase; pcre:"/^[^\n]*filename[^\x3B]*([\x5C\x2F]\x2E\x2E|\x2E\x2E[\x5C\x2F])/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43635; classtype:attempted-admin; sid:18311; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-WEBAPP IBM Lotus Expeditor cai URI handler command execution attempt"; flow:to_client,established; file_data; content:"cai|3A|",nocase; content:"-launcher",distance 0,nocase; pcre:"/cai\x3a[^\x3e]*?(\x22|\x2522)[^\x3e\x22]*?-launcher/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1965; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21303813; classtype:attempted-user; sid:17376; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Trend Micro OfficeScan Console authentication buffer overflow attempt"; flow:to_server,established; http_uri; content:"/officescan/console",fast_pattern; http_cookie; content:"session="; pcre:"/session=[^\s\x3b&]{520}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,24641; reference:bugtraq,24935; reference:cve,2007-3454; reference:cve,2007-3455; classtype:attempted-admin; sid:17295; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Secure Access Control Server UCP Application CSuserCGI.exe buffer overflow attempt"; flow:to_server,established; http_uri; content:"/CSuserCGI.exe?",nocase; content:"Logout",distance 0,nocase; pcre:"/\x2FCSuserCGI\x2Eexe\x3F.*?Logout.[^&]{96}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28222; reference:cve,2008-0532; reference:url,www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml; classtype:attempted-admin; sid:13656; rev:7; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 3"; flow:to_server,established; http_uri; content:"/imc/reportscript/oracle/deploypara.properties"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17159; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 2"; flow:to_server,established; http_uri; content:"/rpt/reportscript/sqlserver/deploypara.properties"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17158; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 1"; flow:to_server,established; http_uri; content:"/imc/reportscript/sqlserver/deploypara.properties"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17157; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/report/DownloadReportSource",nocase; content:"fileName"; http_raw_uri; pcre:"/fileName=.*?\x2E\x2E(\x2F|\x5C)/s"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:misc-attack; sid:17137; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe OVwSelection buffer overflow attempt - POST"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; http_client_body; content:"OVwSelection",nocase; pcre:"/(arg=[^\x26]*?OVwSelection[^\x26]*?\x26.*?sel=[^\s\x26]{1023}|sel=[^\x26]{1023,}\x26.*?arg=[^\s\x26]*?OVwSelection)/s"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37343; reference:cve,2009-4181; classtype:attempted-user; sid:16713; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe OVwSelection buffer overflow attempt - GET"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; content:"OVwSelection",nocase; pcre:"/(arg=[^\x26]*?OVwSelection[^\x26]*?\x26.*?sel=[^\s\x26]{1023}|sel=[^\x26]{1023,}\x26.*?arg=[^\s\x26]*?OVwSelection)/s"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37343; reference:cve,2009-4181; classtype:attempted-user; sid:16712; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovalarm.exe Accept-Language buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovalarm.exe",nocase; pkt_data; content:"OVABverbose=",nocase; pcre:"/^(?!false|off|no|0)/iR"; pcre:"/(OvAcceptLang|Accept-Language)\s*[\x3D\x3A]\s*[^\n]{69}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37261; reference:cve,2009-4179; classtype:attempted-user; sid:16604; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Novell iManager eDirectory plugin schema buffer overflow attempt - GET request"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/nps/servlet/",nocase; content:"taskId=base.ExtendSchema",nocase; pcre:"/(((DestFile|encryptPass)\x3D[^\x26]{50})|((BaseDN|SearchFilter)\x3D[^\x26]{128}))/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37672; reference:cve,2009-4486; classtype:attempted-admin; sid:16429; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Novell iManager eDirectory plugin schema buffer overflow attempt - POST request"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/nps/servlet/",nocase; content:"taskId=base.ExtendSchema",nocase; http_client_body; pcre:"/(((DestFile|encryptPass)\x3D[^\x26]{50})|((BaseDN|SearchFilter)\x3D[^\x26]{128}))/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37672; reference:cve,2009-4486; classtype:attempted-admin; sid:16430; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Java System Web Server 7.0u7 authorization digest heap overflow"; flow:to_server,established; http_method; content:!"GET",nocase; content:!"POST",nocase; pkt_data; content:"Authorization",nocase; content:"Digest",distance 0,fast_pattern,nocase; pcre:"/^Authorization\s*\x3A\s*Digest\s+([^\n\x2C]*\x2C){15}/im"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37896; reference:cve,2010-0387; classtype:attempted-user; sid:16392; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8010,8028,8030] ( msg:"SERVER-WEBAPP Novell eDirectory HTTP request content-length heap buffer overflow attempt"; flow:to_server,established; content:"POST /SOAP",depth 10,nocase; pcre:"/^Content-Length\s*\x3A\s/mi"; content:"-",within 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4478; classtype:attempted-user; sid:16195; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8010,8028,8030] ( msg:"SERVER-WEBAPP Novell eDirectory HTTP request content-length heap buffer overflow attempt"; flow:to_server,established; content:"POST /SOAP",depth 10,nocase; pcre:"/^Content-Length\s*\x3A\s*[1-9][0-9]{8}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4478; classtype:attempted-user; sid:16194; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Toolbar.exe",nocase; http_cookie; content:"OvOSLocale",nocase; pcre:"/OvOSLocale\s*\x3d\s*[^\x3b\s]{249}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34134; reference:cve,2008-0067; reference:cve,2009-0920; classtype:attempted-user; sid:15434; rev:10; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 808 ( msg:"SERVER-WEBAPP Youngzsoft CCProxy CONNECT Request buffer overflow attempt"; flow:to_server,established; content:"CONNECT ",nocase; isdataat:1024,relative; pcre:"/^CONNECT\s[^\s]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31416; reference:cve,2008-6415; classtype:attempted-user; sid:15190; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8889 ( msg:"SERVER-WEBAPP Openwsman HTTP basic authentication buffer overflow attempt"; flow:to_server,established; content:"Authorization|3A|",nocase; content:"Basic",nocase; isdataat:256,relative; pcre:"/^Authorization\x3a\s*Basic[^\n]{256}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30694; reference:cve,2008-2234; classtype:attempted-user; sid:14992; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell iManager getMultiPartParameters unauthorized file upload attempt"; flow:to_server,established; http_uri; content:"/nps/servlet/modulemanager",nocase; pkt_data; content:"Content-Disposition",nocase; pcre:"/^[^\n]*filename[^\x3B]*([\x5C\x2F]\x2E\x2E|\x2E\x2E[\x5C\x2F])/Ri"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43635; classtype:attempted-admin; sid:18311; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-WEBAPP IBM Lotus Expeditor cai URI handler command execution attempt"; flow:to_client,established; file_data; content:"cai|3A|",nocase; content:"-launcher",distance 0,nocase; pcre:"/cai\x3a[^\x3e]*?(\x22|\x2522)[^\x3e\x22]*?-launcher/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-1965; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21303813; classtype:attempted-user; sid:17376; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Trend Micro OfficeScan Console authentication buffer overflow attempt"; flow:to_server,established; http_uri; content:"/officescan/console",fast_pattern; http_cookie; content:"session="; pcre:"/session=[^\s\x3b&]{520}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,24641; reference:bugtraq,24935; reference:cve,2007-3454; reference:cve,2007-3455; classtype:attempted-admin; sid:17295; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Secure Access Control Server UCP Application CSuserCGI.exe buffer overflow attempt"; flow:to_server,established; http_uri; content:"/CSuserCGI.exe?",nocase; content:"Logout",distance 0,nocase; pcre:"/\x2FCSuserCGI\x2Eexe\x3F.*?Logout.[^&]{96}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,28222; reference:cve,2008-0532; reference:url,www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml; classtype:attempted-admin; sid:13656; rev:7; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 3"; flow:to_server,established; http_uri; content:"/imc/reportscript/oracle/deploypara.properties"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17159; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 2"; flow:to_server,established; http_uri; content:"/rpt/reportscript/sqlserver/deploypara.properties"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17158; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 1"; flow:to_server,established; http_uri; content:"/imc/reportscript/sqlserver/deploypara.properties"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17157; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/report/DownloadReportSource",nocase; content:"fileName"; http_raw_uri; pcre:"/fileName=.*?\x2E\x2E(\x2F|\x5C)/s"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:misc-attack; sid:17137; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe OVwSelection buffer overflow attempt - POST"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; http_client_body; content:"OVwSelection",nocase; pcre:"/(arg=[^\x26]*?OVwSelection[^\x26]*?\x26.*?sel=[^\s\x26]{1023}|sel=[^\x26]{1023,}\x26.*?arg=[^\s\x26]*?OVwSelection)/s"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37343; reference:cve,2009-4181; classtype:attempted-user; sid:16713; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe OVwSelection buffer overflow attempt - GET"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; content:"OVwSelection",nocase; pcre:"/(arg=[^\x26]*?OVwSelection[^\x26]*?\x26.*?sel=[^\s\x26]{1023}|sel=[^\x26]{1023,}\x26.*?arg=[^\s\x26]*?OVwSelection)/s"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37343; reference:cve,2009-4181; classtype:attempted-user; sid:16712; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovalarm.exe Accept-Language buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovalarm.exe",nocase; pkt_data; content:"OVABverbose=",nocase; pcre:"/^(?!false|off|no|0)/iR"; pcre:"/(OvAcceptLang|Accept-Language)\s*[\x3D\x3A]\s*[^\n]{69}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37261; reference:cve,2009-4179; classtype:attempted-user; sid:16604; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Novell iManager eDirectory plugin schema buffer overflow attempt - GET request"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/nps/servlet/",nocase; content:"taskId=base.ExtendSchema",nocase; pcre:"/(((DestFile|encryptPass)\x3D[^\x26]{50})|((BaseDN|SearchFilter)\x3D[^\x26]{128}))/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37672; reference:cve,2009-4486; classtype:attempted-admin; sid:16429; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Novell iManager eDirectory plugin schema buffer overflow attempt - POST request"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/nps/servlet/",nocase; content:"taskId=base.ExtendSchema",nocase; http_client_body; pcre:"/(((DestFile|encryptPass)\x3D[^\x26]{50})|((BaseDN|SearchFilter)\x3D[^\x26]{128}))/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37672; reference:cve,2009-4486; classtype:attempted-admin; sid:16430; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Java System Web Server 7.0u7 authorization digest heap overflow"; flow:to_server,established; http_method; content:!"GET",nocase; content:!"POST",nocase; pkt_data; content:"Authorization",nocase; content:"Digest",distance 0,fast_pattern,nocase; pcre:"/^Authorization\s*\x3A\s*Digest\s+([^\n\x2C]*\x2C){15}/im"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37896; reference:cve,2010-0387; classtype:attempted-user; sid:16392; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8010,8028,8030] ( msg:"SERVER-WEBAPP Novell eDirectory HTTP request content-length heap buffer overflow attempt"; flow:to_server,established; content:"POST /SOAP",depth 10,nocase; pcre:"/^Content-Length\s*\x3A\s/mi"; content:"-",within 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4478; classtype:attempted-user; sid:16195; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8010,8028,8030] ( msg:"SERVER-WEBAPP Novell eDirectory HTTP request content-length heap buffer overflow attempt"; flow:to_server,established; content:"POST /SOAP",depth 10,nocase; pcre:"/^Content-Length\s*\x3A\s*[1-9][0-9]{8}/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4478; classtype:attempted-user; sid:16194; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Toolbar.exe",nocase; http_cookie; content:"OvOSLocale",nocase; pcre:"/OvOSLocale\s*\x3d\s*[^\x3b\s]{249}/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34134; reference:cve,2008-0067; reference:cve,2009-0920; classtype:attempted-user; sid:15434; rev:10; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 808 ( msg:"SERVER-WEBAPP Youngzsoft CCProxy CONNECT Request buffer overflow attempt"; flow:to_server,established; content:"CONNECT ",nocase; isdataat:1024,relative; pcre:"/^CONNECT\s[^\s]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31416; reference:cve,2008-6415; classtype:attempted-user; sid:15190; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8889 ( msg:"SERVER-WEBAPP Openwsman HTTP basic authentication buffer overflow attempt"; flow:to_server,established; content:"Authorization|3A|",nocase; content:"Basic",nocase; isdataat:256,relative; pcre:"/^Authorization\x3a\s*Basic[^\n]{256}/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,30694; reference:cve,2008-2234; classtype:attempted-user; sid:14992; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [1521,5560] ( msg:"SERVER-WEBAPP Oracle Database Server buffer overflow attempt"; flow:to_server,established; content:"DBMS_AQELM"; pcre:"/SET_(SENDFROM|MAILHOST)\x28\x27[^\x27]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,30177; reference:cve,2008-2607; classtype:misc-attack; sid:13951; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt"; flow:to_server,established; http_uri; content:"Top_Unanswered_Customer_Questions.asp",nocase; pkt_data; pcre:"/\x26r\d\x3d[^\x26\s]*\x27/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2991; classtype:web-application-attack; sid:13929; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; http_uri; content:"/topology/home"; http_raw_uri; bufferlen:>184; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:7; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nessus 2.x 404 probe"; flow:to_server,established; http_uri; content:"/NessusTest"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service http; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:8; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway PHP remote code injection attempt"; flow:to_server,established; http_uri; content:"/spywall/blocked_file.php"; http_client_body; content:"<?"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53443; reference:cve,2012-0299; reference:url,osvdb.org/show/osvdb/53443; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00; classtype:attempted-admin; sid:24518; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway PHP remote code execution attempt"; flow:to_server,established; http_uri; content:"/spywall/images/upload/"; content:".php",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53443; reference:cve,2012-0299; reference:url,osvdb.org/show/osvdb/53443; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00; classtype:attempted-admin; sid:24519; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell iManager buffer overflow attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/nps/servlet/webacc",nocase; http_client_body; content:"EnteredAttrName="; pcre:"/EnteredAttrName=[^&]{32}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-4188; reference:url,novell.com/support/kb/doc.php?id=7002971; classtype:attempted-admin; sid:23354; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET [10000] ( msg:"SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt"; flow:to_server,established; http_uri; content:"/file/show.cgi/"; content:"|7C|",distance 0; http_cookie; content:"sid="; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:bugtraq,55446; reference:cve,2012-2982; reference:url,osvdb.org/show/osvdb/85248; reference:url,www.kb.cert.org/vuls/id/788478; classtype:web-application-attack; sid:24628; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Fusion Middleware WebCenter selectedLocale parameter sql injection attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/cs/ContentServer"; http_client_body; content:"selectedLocale=",nocase; pcre:"/(^|&)selectedLocale=[^&]+?([\x22\x27]|%22|%27)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,55984; reference:cve,2012-3186; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html; classtype:web-application-attack; sid:24629; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt"; flow:to_server,established; http_uri; content:"/jmx-console/HtmlAdaptor"; pkt_data; pcre:"/\x26?arg\d+\s*=\s*[^\x26]*?(import|http)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39710; reference:cve,2010-0738; classtype:attempted-admin; sid:24642; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP D-Link Wireless Router CAPTCHA data processing buffer overflow attempt"; flow:to_server,established; http_uri; content:"/goform/formLogin"; http_client_body; content:"FILECODE=",nocase; isdataat:96,relative; pcre:"/FILECODE=[^&]{96}/i"; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:url,websecuritywatch.com/d-link-wireless-n300-cloud-router-captcha-processing-buffer-overflow-vulnerability; classtype:attempted-admin; sid:24647; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/OvCgi/"; pcre:"/\/OvCgi\/(jovgraph|webappmon)\.exe/i"; http_client_body; content:"-textfile+",nocase; isdataat:201; content:!"+",within 201; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1551; reference:cve,2010-1552; reference:cve,2010-1553; reference:cve,2010-1554; reference:cve,2010-1555; reference:cve,2010-1960; reference:cve,2010-1961; reference:cve,2011-3167; classtype:attempted-user; sid:24693; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/UNCWS/Management.asmx"; http_header; content:!"SOAP",nocase; http_client_body; pcre:"/(^|&)SelectedID=[^&]+?(\x3B|%3B)/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,47355; reference:cve,2011-1653; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={CD065CEC-AFE2-4D9D-8E0B-BE7F6E345866}; classtype:attempted-admin; sid:24704; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/UNCWS/Management.asmx"; http_header; content:"SOAP",nocase; http_client_body; pcre:"/<SelectedID>[^<]+?(\x3B|%3B)/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,47355; reference:cve,2011-1653; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={CD065CEC-AFE2-4D9D-8E0B-BE7F6E345866}; classtype:attempted-admin; sid:24705; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/applications/lifecycleEdit.jsf"; pcre:"/[?&]appName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24728; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/realms/realms.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24729; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/web/grizzly/networkListeners.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24730; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/auditModules/auditModules.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24731; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/jacc/jaccProviders.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24732; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/msgSecurity/msgSecurity.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24733; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/jms/jmsHosts.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24734; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/web/grizzly/protocols.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24735; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/web/grizzly/transports.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24736; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/xhp"; pcre:"/[?&]key=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24737; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3037 ( msg:"SERVER-WEBAPP Novell File Reporter SRS request heap overflow attempt"; flow:to_server,established; http_client_body; content:"<NAME>SRS</NAME>"; content:"<CMD>",nocase; isdataat:10000,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,56579; reference:cve,2012-4956; classtype:attempted-admin; sid:24765; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3037 ( msg:"SERVER-WEBAPP Novell File Reporter SRS request arbitrary file download attempt"; flow:to_server,established; http_client_body; content:"<NAME>SRS</NAME>",nocase; content:"<OPERATION>4</OPERATION>",nocase; content:"<CMD>103</CMD>"; content:"<PATH>c:|5C|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,56579; reference:cve,2012-4957; classtype:attempted-admin; sid:24766; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3037 ( msg:"SERVER-WEBAPP Novell File Reporter FSFUI request directory traversal attempt"; flow:to_server,established; http_client_body; content:"<NAME>FSFUI</NAME>"; pcre:"/<FILE>(\x2e\x2e\x5c|%2E%2E%5C){2}[^<]+?</FILE>/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,56579; reference:cve,2012-4958; reference:cve,2012-4959; classtype:attempted-admin; sid:24767; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Invision IP Board PHP unserialize code execution attempt"; flow:to_server,established; http_uri; content:"<?"; http_cookie; content:"member_id=",nocase; pcre:"/(^|[\x3b\x7b\x7d]|%3b|%7b|%7d)O(%3a|\x3a)(\x2b|%2b)?[0-9]+?(%3a|\x3a)(%22|\x22)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,56288; reference:cve,2012-5692; reference:url,community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-critical-security-update; classtype:attempted-admin; sid:24804; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/OvCgi/jovgraph.exe"; pcre:"/[?&]arg=[^-][^+&$]{189}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40638; reference:cve,2010-1961; classtype:attempted-user; sid:24913; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/OvCgi/jovgraph.exe"; http_client_body; pcre:"/[?&]arg=[^-][^+&$]{189}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40638; reference:cve,2010-1961; classtype:attempted-user; sid:24914; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SCOM Web Console cross-site scripting attempt"; flow:to_server,established; http_uri; content:"/InternalPages/ExecuteTask.aspx"; http_client_body; content:"__CALLBACKPARAM=",nocase; pcre:"/__CALLBACKPARAM=[^\r\n]+?([\x22\x27]|%22|%27)([\x3E\x3C\x28\x29]|%3E|%3C|%28|%29)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0010; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-003; classtype:attempted-user; sid:25273; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP MoinMoin arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"action="; content:"wikidraw",within 11; content:"target="; pcre:"/target=\.\.[\x2f\x5c]\.\.[\x2f\x5c]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,57082; reference:cve,2012-6081; classtype:attempted-admin; sid:25286; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Moveable Type unauthenticated remote command execution attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/mt-upgrade.cgi"; http_client_body; content:"mode"; content:"actions&installing="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0209; classtype:attempted-admin; sid:25528; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office Outlook Web Access XSRF attempt"; flow:to_server,established; http_uri; content:"/owa/ev.owa"; content:"ns=Rule"; content:"ev=Save"; http_client_body; content:"<params><Id></Id><Name>Test</Name><RecpA4><item><Rcp"; content:"AO=|22|3|22|></Rcp></item></RecpA4><Actions><item><rca"; content:" t=|22|4|22|></rca></item></Actions></params>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,41462; reference:cve,2010-3213; reference:url,technet.microsoft.com/en-us/security/advisory/2401593; classtype:attempted-user; sid:17296; rev:6; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 ( msg:"SERVER-WEBAPP VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"|2F|requests|2F|status.xml",nocase; content:"smb"; pkt_data; pcre:"/^GET\s+.*\x2Frequests\x2Fstatus\.xml\x3F.*smb\x3A\x2F\x2F[^\s\x0A\x0D]{251}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35500; reference:cve,2009-2484; reference:url,osvdb.org/show/osvdb/55509; classtype:attempted-user; sid:16753; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent"; flow:to_server; content:"User-Agent: User-Agent: Mozilla/"; content:"/phpmyadmin/index.php?lang=en&server=1&pma_username=root"; detection_filter:track by_src, count 30, seconds 4; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:25907; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; http_uri; content:"/_layouts/ScriptResx.ashx"; content:"name=c:",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26165; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; http_uri; content:"/_layouts/ScriptResx.ashx"; content:"name=",nocase; pcre:"/[?&]name=[^&]*\x2e\x2e\x2f[^&]*\x2e\x2e\x2f[^&]*\x2e\x2e\x2f/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26166; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; http_uri; content:"/_layouts/ScriptResx.ashx"; content:"name=",nocase; http_raw_uri; pcre:"/[?&]name=(\x5c\x5c|%5c%5c)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26167; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint Server elevation of privilege exploit attempt"; flow:to_server,established; http_uri; content:!"/ssp/admin/_layouts"; content:"mode=ssp"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-077; classtype:attempted-admin; sid:15108; rev:8; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint query.iqy XSS attempt"; flow:to_server,established; http_uri; content:"/owssvr.dll?",nocase; content:"query.iqy",distance 0,fast_pattern,nocase; pcre:"/[?&]Using=_layouts/query.iqy.*?&List=[^&]+(script|src|location|document|onlick|onload)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1863; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; classtype:attempted-user; sid:23282; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint scriptresx.ashx XSS attempt"; flow:to_server,established; http_uri; content:"_layouts/scriptresx.ashx"; pcre:"/sections=[^\r\n\x26]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1859; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; classtype:web-application-attack; sid:23281; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint chart webpart XSS attempt"; flow:to_server,established; http_uri; content:"_layouts/Chart/WebUI/WizardList.aspx"; pcre:"/([sp]key|csk)=[^\r\n\x26]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0145; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-011; classtype:web-application-attack; sid:21298; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint themeweb.aspx XSS attempt"; flow:to_server,established; http_uri; content:"/_layouts/themeweb.aspx"; pkt_data; pcre:"/ctl\d+\x24PlaceHolderMain\x24ctl\d+\x24customizeThemeSection\x24(accent1|accent2|accent3|accent4|accent5|accent6|dark1|dark2|light1|light2)=[^\r\n\x26]+(script|onclick|onload|onmouseover|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-011; classtype:web-application-attack; sid:21297; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint XSS attempt"; flow:to_server,established; http_uri; content:"_layouts/help.aspx?",nocase; content:"cid0=",distance 0,nocase; pcre:"/\x5flayouts\x2fhelp\x2easpx\x3f.*?cid0\x3d[A-Za-z\x5c\x2e0-9]*[^A-Za-z\x5c\x2f\x2e\x26\x3d0-9\s]/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0817; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-039; classtype:attempted-user; sid:16560; rev:12; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8082 ( msg:"SERVER-WEBAPP Microsoft Office SharePoint document conversion remote code excution attempt"; flow:to_server,established; content:"Microsoft.HtmlTrans.IDocumentConversionsLauncher/Microsoft.HtmlTrans.Interface"; content:"<i2|3A|ConvertFile"; content:"<convert",distance 0; pcre:"/^(To|From)[^\x3e]*?\x3e[a-z0-9]*[^a-z0-9][^\x3c]*?\x3c\x2fconvert(To|From)/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3964; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-104; classtype:attempted-admin; sid:18238; rev:8; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt"; flow:to_server,established; http_uri; content:"/_layouts/OSSSearchResults.aspx"; pcre:"/[?&](k|u|cs)=[^&]+?</i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0083; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-024; classtype:web-application-attack; sid:26124; rev:4; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt"; flow:to_server,established; http_uri; content:"/_layouts/filter.aspx"; pcre:"/[?&](CallbackParam|CallbackFn)=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|eval|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-024; classtype:web-application-attack; sid:26131; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress wp-banners-lite plugin cross site scripting attempt"; flow:to_server,established; http_uri; content:"wpbanners_show.php",nocase; content:"cid=",distance 0; pcre:"/wpbanners_show\.php.*?[?&]cid=[^&]*?([^\x26]*[\x22\x27\x3C\x3E\x28\x29\x3B]|script|src|location|document)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,seclists.org/fulldisclosure/2013/Mar/209; classtype:web-application-attack; sid:26263; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Nagios3 statuswml.cgi remote command execution attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/cgi-bin/statuswml.cgi"; http_client_body; pcre:"/(?>traceroute|ping)=(?:%3b|\x3b)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2288; reference:url,osvdb.com/55281; classtype:attempted-admin; sid:26274; rev:1; )
-alert tcp any any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/|3B|",nocase; content:"$",distance 0; content:"IFS",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:26275; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Redmine SCM rev parameter command injection attempt"; flow:to_server,established; http_uri; content:"/repository/annotate?"; content:"rev=|60|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-4929; reference:url,osvdb.org/show/osvdb/70090; reference:url,www.redmine.org/news/49; classtype:attempted-admin; sid:26320; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center mibFileUpload servlet arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"/imc/webdm/mibbrowser/mibFileUpload"; http_client_body; content:"../../../../"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58385; reference:cve,2012-5201; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91026; classtype:attempted-admin; sid:26416; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center mibFileUpload servlet arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"/imc/webdm/mibbrowser/mibFileUpload"; http_client_body; content:"..|5C|..|5C|..|5C|..|5C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58385; reference:cve,2012-5201; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91026; classtype:attempted-admin; sid:26417; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/proxy/DataValidation"; content:"iprange=",nocase; isdataat:68,relative; pcre:"/[?&]iprange=[^&]{68}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-df3d68cc03364ce78f1987b83b; reference:url,osvdb.org/show/osvdb/91812; classtype:attempted-admin; sid:26418; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center FaultDownloadServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/tmp/fault/download?"; content:"fileName=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58675; reference:cve,2012-5202; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91027; classtype:attempted-recon; sid:26436; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP nginx URI parsing buffer overflow attempt"; flow:to_server,established; content:"GET |2F 25|23|2E 2E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36384; reference:cve,2009-2629; classtype:attempted-admin; sid:17528; rev:5; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Adobe RoboHelp r0 SQL injection attempt"; flow:to_server,established; http_uri; content:"Help_Errors.asp"; pcre:"/\x26r\d\x3d\d*[^\x26\s\d]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2991; classtype:web-application-attack; sid:13928; rev:8; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Secure Backup login.php uname variable based command injection attempt"; flow:to_server,established; http_uri; content:"login.php"; content:"attempt="; content:"uname="; http_raw_uri; content:"%26"; pcre:"/uname=[^&]*%26/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-5449; classtype:attempted-admin; sid:18293; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP CA XOsoft Multiple Products entry_point.aspx buffer overflow attempt"; flow:to_server,established; http_uri; content:"/entry_point.aspx",nocase; pkt_data; content:"txt_user_name_p|3D|",nocase; isdataat:300,relative; pcre:"/txt_user_name_p\x3D[^\x26\x3F\x3B]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39238; reference:cve,2010-1223; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869; classtype:attempted-user; sid:19136; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt"; flow:to_server,established; http_header; content:"User-Agent|3A| <SCRIPT>"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html; classtype:web-application-attack; sid:26483; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center IctDownloadServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/tmp/ict/download?"; content:"fileName=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58676; reference:cve,2012-5204; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91029; classtype:attempted-recon; sid:26505; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center ReportImgServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/reportImg?"; content:"path=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58672; reference:cve,2012-5203; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91028; classtype:attempted-recon; sid:26523; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP phpMyAdmin preg_replace remote code execution attempt"; flow:to_server,established; http_uri; content:"/db_structure.php"; http_client_body; content:"prefix=",nocase; pcre:"/from(%5f|_)prefix=[^&]*?(%2f|\/)[^&]*?e[^&]*?(%00|\x00)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3238; reference:url,osvdb.org/show/osvdb/92793; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2013-2.php; classtype:attempted-admin; sid:26547; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress brute-force login attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"|2F|wp|2D|login|2E|php"; detection_filter:track by_src, count 26, seconds 60; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.spiderlabs.com/2013/04/defending-wordpress-logins-from-brute-force-attacks.html; reference:url,blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html; classtype:suspicious-login; sid:26557; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt"; flow:to_server,established; http_uri; content:"ї|3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,51860; reference:url,bugs.php.net/bug.php?id=60965; classtype:attempted-admin; sid:26593; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Windows 2012 Server additional empty Accept-Encoding field denial of service attempt"; flow:to_server,established; http_header; content:"Accept-Encoding:"; content:"Accept-Encoding:|0D 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1305; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-039; classtype:attempted-dos; sid:26632; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center SyslogDownloadServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/tmp/syslog/download?"; content:"fileName=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58385; reference:cve,2012-5206; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91031; classtype:attempted-recon; sid:26669; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center UAM acmServletDownload information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/download?"; content:"Name=",nocase; content:"../",distance 0; pcre:"/[?&](path|file)Name=[^&]*?\x2e\x2e\x2f/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58385; reference:cve,2012-5211; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91036; classtype:attempted-recon; sid:26794; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Mutiny editdocument servlet arbitrary file access attempt"; flow:to_server,established; http_uri; content:"/interface/editdocument"; http_client_body; content:"operation=",nocase; content:"paths",nocase; pcre:"/(^|&)paths(%5b|\x5b)(%5d|\x5d)=[^&]*?(%2e|\x2e){2}(%2f|\x2f)/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0136; reference:url,osvdb.org/show/osvdb/93444; classtype:attempted-recon; sid:26797; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Mutiny editdocument servlet arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"/interface/editdocument"; http_client_body; content:"uploadFile",nocase; content:"uploadPath",nocase; pcre:"/uploadPath[^-]+?(%2e|\x2e){2}(%2f|\x2f)/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0136; reference:url,osvdb.org/show/osvdb/93444; classtype:attempted-admin; sid:26798; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP FosWiki and TWiki MAKETEXT macro memory consumption denial of service attempt"; flow:to_server,established; http_cookie; content:"WIKISID="; http_client_body; content:"MAKETEXT"; content:"%5b%5f"; pcre:"/\%5b\%5f[0-9]{16}/sm"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,56950; reference:cve,2012-6329; reference:cve,2012-6330; reference:url,foswiki.org/Support/SecurityAlert-CVE-2012-6330; reference:url,osvdb.org/show/osvdb/88410; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329; classtype:attempted-dos; sid:26905; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP TWiki search function remote code execution attempt"; flow:to_server,established; http_uri; content:"/twiki/"; pcre:"/[?&](search|topic)=[^&]*?(\x27|%27)(\s*|(%20)*)(\x3b|%3b)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,11674; reference:cve,2004-1037; classtype:attempted-user; sid:26907; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP TWiki search function remote code execution attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/twiki/"; http_client_body; pcre:"/[?&](search|topic)=[^&]*?(\x27|%27)(\s*|(%20)*)(\x3b|%3b)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,11674; reference:cve,2004-1037; classtype:attempted-user; sid:26908; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt"; flow:to_server,established; http_uri; content:"Top_Unanswered_Customer_Questions.asp",nocase; pkt_data; pcre:"/\x26r\d\x3d[^\x26\s]*\x27/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-2991; classtype:web-application-attack; sid:13929; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; http_uri; content:"/topology/home"; http_raw_uri; bufferlen:>184; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:7; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nessus 2.x 404 probe"; flow:to_server,established; http_uri; content:"/NessusTest"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; service:http; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:8; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway PHP remote code injection attempt"; flow:to_server,established; http_uri; content:"/spywall/blocked_file.php"; http_client_body; content:"<?"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53443; reference:cve,2012-0299; reference:url,osvdb.org/show/osvdb/53443; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00; classtype:attempted-admin; sid:24518; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway PHP remote code execution attempt"; flow:to_server,established; http_uri; content:"/spywall/images/upload/"; content:".php",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53443; reference:cve,2012-0299; reference:url,osvdb.org/show/osvdb/53443; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00; classtype:attempted-admin; sid:24519; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell iManager buffer overflow attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/nps/servlet/webacc",nocase; http_client_body; content:"EnteredAttrName="; pcre:"/EnteredAttrName=[^&]{32}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-4188; reference:url,novell.com/support/kb/doc.php?id=7002971; classtype:attempted-admin; sid:23354; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET [10000] ( msg:"SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt"; flow:to_server,established; http_uri; content:"/file/show.cgi/"; content:"|7C|",distance 0; http_cookie; content:"sid="; metadata:policy balanced-ips alert,policy security-ips drop; service:http; reference:bugtraq,55446; reference:cve,2012-2982; reference:url,osvdb.org/show/osvdb/85248; reference:url,www.kb.cert.org/vuls/id/788478; classtype:web-application-attack; sid:24628; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Fusion Middleware WebCenter selectedLocale parameter sql injection attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/cs/ContentServer"; http_client_body; content:"selectedLocale=",nocase; pcre:"/(^|&)selectedLocale=[^&]+?([\x22\x27]|%22|%27)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,55984; reference:cve,2012-3186; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html; classtype:web-application-attack; sid:24629; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt"; flow:to_server,established; http_uri; content:"/jmx-console/HtmlAdaptor"; pkt_data; pcre:"/\x26?arg\d+\s*=\s*[^\x26]*?(import|http)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39710; reference:cve,2010-0738; classtype:attempted-admin; sid:24642; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP D-Link Wireless Router CAPTCHA data processing buffer overflow attempt"; flow:to_server,established; http_uri; content:"/goform/formLogin"; http_client_body; content:"FILECODE=",nocase; isdataat:96,relative; pcre:"/FILECODE=[^&]{96}/i"; metadata:policy balanced-ips alert,policy security-ips drop; service:http; reference:url,websecuritywatch.com/d-link-wireless-n300-cloud-router-captcha-processing-buffer-overflow-vulnerability; classtype:attempted-admin; sid:24647; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/OvCgi/"; pcre:"/\/OvCgi\/(jovgraph|webappmon)\.exe/i"; http_client_body; content:"-textfile+",nocase; isdataat:201; content:!"+",within 201; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-1551; reference:cve,2010-1552; reference:cve,2010-1553; reference:cve,2010-1554; reference:cve,2010-1555; reference:cve,2010-1960; reference:cve,2010-1961; reference:cve,2011-3167; classtype:attempted-user; sid:24693; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/UNCWS/Management.asmx"; http_header; content:!"SOAP",nocase; http_client_body; pcre:"/(^|&)SelectedID=[^&]+?(\x3B|%3B)/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,47355; reference:cve,2011-1653; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={CD065CEC-AFE2-4D9D-8E0B-BE7F6E345866}; classtype:attempted-admin; sid:24704; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/UNCWS/Management.asmx"; http_header; content:"SOAP",nocase; http_client_body; pcre:"/<SelectedID>[^<]+?(\x3B|%3B)/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,47355; reference:cve,2011-1653; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={CD065CEC-AFE2-4D9D-8E0B-BE7F6E345866}; classtype:attempted-admin; sid:24705; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/applications/lifecycleEdit.jsf"; pcre:"/[?&]appName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24728; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/realms/realms.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24729; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/web/grizzly/networkListeners.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24730; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/auditModules/auditModules.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24731; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/jacc/jaccProviders.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24732; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/msgSecurity/msgSecurity.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24733; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/jms/jmsHosts.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24734; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/web/grizzly/protocols.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24735; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/web/grizzly/transports.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24736; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/xhp"; pcre:"/[?&]key=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24737; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3037 ( msg:"SERVER-WEBAPP Novell File Reporter SRS request heap overflow attempt"; flow:to_server,established; http_client_body; content:"<NAME>SRS</NAME>"; content:"<CMD>",nocase; isdataat:10000,relative; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,56579; reference:cve,2012-4956; classtype:attempted-admin; sid:24765; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3037 ( msg:"SERVER-WEBAPP Novell File Reporter SRS request arbitrary file download attempt"; flow:to_server,established; http_client_body; content:"<NAME>SRS</NAME>",nocase; content:"<OPERATION>4</OPERATION>",nocase; content:"<CMD>103</CMD>"; content:"<PATH>c:|5C|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,56579; reference:cve,2012-4957; classtype:attempted-admin; sid:24766; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3037 ( msg:"SERVER-WEBAPP Novell File Reporter FSFUI request directory traversal attempt"; flow:to_server,established; http_client_body; content:"<NAME>FSFUI</NAME>"; pcre:"/<FILE>(\x2e\x2e\x5c|%2E%2E%5C){2}[^<]+?</FILE>/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,56579; reference:cve,2012-4958; reference:cve,2012-4959; classtype:attempted-admin; sid:24767; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Invision IP Board PHP unserialize code execution attempt"; flow:to_server,established; http_uri; content:"<?"; http_cookie; content:"member_id=",nocase; pcre:"/(^|[\x3b\x7b\x7d]|%3b|%7b|%7d)O(%3a|\x3a)(\x2b|%2b)?[0-9]+?(%3a|\x3a)(%22|\x22)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,56288; reference:cve,2012-5692; reference:url,community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-critical-security-update; classtype:attempted-admin; sid:24804; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/OvCgi/jovgraph.exe"; pcre:"/[?&]arg=[^-][^+&$]{189}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,40638; reference:cve,2010-1961; classtype:attempted-user; sid:24913; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/OvCgi/jovgraph.exe"; http_client_body; pcre:"/[?&]arg=[^-][^+&$]{189}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,40638; reference:cve,2010-1961; classtype:attempted-user; sid:24914; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SCOM Web Console cross-site scripting attempt"; flow:to_server,established; http_uri; content:"/InternalPages/ExecuteTask.aspx"; http_client_body; content:"__CALLBACKPARAM=",nocase; pcre:"/__CALLBACKPARAM=[^\r\n]+?([\x22\x27]|%22|%27)([\x3E\x3C\x28\x29]|%3E|%3C|%28|%29)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0010; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-003; classtype:attempted-user; sid:25273; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP MoinMoin arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"action="; content:"wikidraw",within 11; content:"target="; pcre:"/target=\.\.[\x2f\x5c]\.\.[\x2f\x5c]/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,57082; reference:cve,2012-6081; classtype:attempted-admin; sid:25286; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Moveable Type unauthenticated remote command execution attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/mt-upgrade.cgi"; http_client_body; content:"mode"; content:"actions&installing="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0209; classtype:attempted-admin; sid:25528; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office Outlook Web Access XSRF attempt"; flow:to_server,established; http_uri; content:"/owa/ev.owa"; content:"ns=Rule"; content:"ev=Save"; http_client_body; content:"<params><Id></Id><Name>Test</Name><RecpA4><item><Rcp"; content:"AO=|22|3|22|></Rcp></item></RecpA4><Actions><item><rca"; content:" t=|22|4|22|></rca></item></Actions></params>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,41462; reference:cve,2010-3213; reference:url,technet.microsoft.com/en-us/security/advisory/2401593; classtype:attempted-user; sid:17296; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 ( msg:"SERVER-WEBAPP VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"|2F|requests|2F|status.xml",nocase; content:"smb"; pkt_data; pcre:"/^GET\s+.*\x2Frequests\x2Fstatus\.xml\x3F.*smb\x3A\x2F\x2F[^\s\x0A\x0D]{251}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35500; reference:cve,2009-2484; reference:url,osvdb.org/show/osvdb/55509; classtype:attempted-user; sid:16753; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent"; flow:to_server; content:"User-Agent: User-Agent: Mozilla/"; content:"/phpmyadmin/index.php?lang=en&server=1&pma_username=root"; detection_filter:track by_src, count 30, seconds 4; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:25907; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; http_uri; content:"/_layouts/ScriptResx.ashx"; content:"name=c:",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26165; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; http_uri; content:"/_layouts/ScriptResx.ashx"; content:"name=",nocase; pcre:"/[?&]name=[^&]*\x2e\x2e\x2f[^&]*\x2e\x2e\x2f[^&]*\x2e\x2e\x2f/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26166; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; http_uri; content:"/_layouts/ScriptResx.ashx"; content:"name=",nocase; http_raw_uri; pcre:"/[?&]name=(\x5c\x5c|%5c%5c)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26167; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint Server elevation of privilege exploit attempt"; flow:to_server,established; http_uri; content:!"/ssp/admin/_layouts"; content:"mode=ssp"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-077; classtype:attempted-admin; sid:15108; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint query.iqy XSS attempt"; flow:to_server,established; http_uri; content:"/owssvr.dll?",nocase; content:"query.iqy",distance 0,fast_pattern,nocase; pcre:"/[?&]Using=_layouts/query.iqy.*?&List=[^&]+(script|src|location|document|onlick|onload)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-1863; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; classtype:attempted-user; sid:23282; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint scriptresx.ashx XSS attempt"; flow:to_server,established; http_uri; content:"_layouts/scriptresx.ashx"; pcre:"/sections=[^\r\n\x26]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-1859; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; classtype:web-application-attack; sid:23281; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint chart webpart XSS attempt"; flow:to_server,established; http_uri; content:"_layouts/Chart/WebUI/WizardList.aspx"; pcre:"/([sp]key|csk)=[^\r\n\x26]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0145; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-011; classtype:web-application-attack; sid:21298; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint themeweb.aspx XSS attempt"; flow:to_server,established; http_uri; content:"/_layouts/themeweb.aspx"; pkt_data; pcre:"/ctl\d+\x24PlaceHolderMain\x24ctl\d+\x24customizeThemeSection\x24(accent1|accent2|accent3|accent4|accent5|accent6|dark1|dark2|light1|light2)=[^\r\n\x26]+(script|onclick|onload|onmouseover|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-011; classtype:web-application-attack; sid:21297; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint XSS attempt"; flow:to_server,established; http_uri; content:"_layouts/help.aspx?",nocase; content:"cid0=",distance 0,nocase; pcre:"/\x5flayouts\x2fhelp\x2easpx\x3f.*?cid0\x3d[A-Za-z\x5c\x2e0-9]*[^A-Za-z\x5c\x2f\x2e\x26\x3d0-9\s]/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0817; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-039; classtype:attempted-user; sid:16560; rev:12; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8082 ( msg:"SERVER-WEBAPP Microsoft Office SharePoint document conversion remote code excution attempt"; flow:to_server,established; content:"Microsoft.HtmlTrans.IDocumentConversionsLauncher/Microsoft.HtmlTrans.Interface"; content:"<i2|3A|ConvertFile"; content:"<convert",distance 0; pcre:"/^(To|From)[^\x3e]*?\x3e[a-z0-9]*[^a-z0-9][^\x3c]*?\x3c\x2fconvert(To|From)/isR"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3964; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-104; classtype:attempted-admin; sid:18238; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt"; flow:to_server,established; http_uri; content:"/_layouts/OSSSearchResults.aspx"; pcre:"/[?&](k|u|cs)=[^&]+?</i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0083; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-024; classtype:web-application-attack; sid:26124; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt"; flow:to_server,established; http_uri; content:"/_layouts/filter.aspx"; pcre:"/[?&](CallbackParam|CallbackFn)=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|eval|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-024; classtype:web-application-attack; sid:26131; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress wp-banners-lite plugin cross site scripting attempt"; flow:to_server,established; http_uri; content:"wpbanners_show.php",nocase; content:"cid=",distance 0; pcre:"/wpbanners_show\.php.*?[?&]cid=[^&]*?([^\x26]*[\x22\x27\x3C\x3E\x28\x29\x3B]|script|src|location|document)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,seclists.org/fulldisclosure/2013/Mar/209; classtype:web-application-attack; sid:26263; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Nagios3 statuswml.cgi remote command execution attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/cgi-bin/statuswml.cgi"; http_client_body; pcre:"/(?>traceroute|ping)=(?:%3b|\x3b)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-2288; reference:url,osvdb.com/55281; classtype:attempted-admin; sid:26274; rev:1; )
+alert tcp any any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/|3B|",nocase; content:"$",distance 0; content:"IFS",within 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:26275; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Redmine SCM rev parameter command injection attempt"; flow:to_server,established; http_uri; content:"/repository/annotate?"; content:"rev=|60|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-4929; reference:url,osvdb.org/show/osvdb/70090; reference:url,www.redmine.org/news/49; classtype:attempted-admin; sid:26320; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center mibFileUpload servlet arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"/imc/webdm/mibbrowser/mibFileUpload"; http_client_body; content:"../../../../"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,58385; reference:cve,2012-5201; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91026; classtype:attempted-admin; sid:26416; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center mibFileUpload servlet arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"/imc/webdm/mibbrowser/mibFileUpload"; http_client_body; content:"..|5C|..|5C|..|5C|..|5C|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,58385; reference:cve,2012-5201; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91026; classtype:attempted-admin; sid:26417; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/proxy/DataValidation"; content:"iprange=",nocase; isdataat:68,relative; pcre:"/[?&]iprange=[^&]{68}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-df3d68cc03364ce78f1987b83b; reference:url,osvdb.org/show/osvdb/91812; classtype:attempted-admin; sid:26418; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center FaultDownloadServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/tmp/fault/download?"; content:"fileName=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,58675; reference:cve,2012-5202; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91027; classtype:attempted-recon; sid:26436; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP nginx URI parsing buffer overflow attempt"; flow:to_server,established; content:"GET |2F 25|23|2E 2E|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36384; reference:cve,2009-2629; classtype:attempted-admin; sid:17528; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Adobe RoboHelp r0 SQL injection attempt"; flow:to_server,established; http_uri; content:"Help_Errors.asp"; pcre:"/\x26r\d\x3d\d*[^\x26\s\d]/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-2991; classtype:web-application-attack; sid:13928; rev:8; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Secure Backup login.php uname variable based command injection attempt"; flow:to_server,established; http_uri; content:"login.php"; content:"attempt="; content:"uname="; http_raw_uri; content:"%26"; pcre:"/uname=[^&]*%26/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-5449; classtype:attempted-admin; sid:18293; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP CA XOsoft Multiple Products entry_point.aspx buffer overflow attempt"; flow:to_server,established; http_uri; content:"/entry_point.aspx",nocase; pkt_data; content:"txt_user_name_p|3D|",nocase; isdataat:300,relative; pcre:"/txt_user_name_p\x3D[^\x26\x3F\x3B]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,39238; reference:cve,2010-1223; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869; classtype:attempted-user; sid:19136; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt"; flow:to_server,established; http_header; content:"User-Agent|3A| <SCRIPT>"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html; classtype:web-application-attack; sid:26483; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center IctDownloadServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/tmp/ict/download?"; content:"fileName=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,58676; reference:cve,2012-5204; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91029; classtype:attempted-recon; sid:26505; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center ReportImgServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/reportImg?"; content:"path=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,58672; reference:cve,2012-5203; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91028; classtype:attempted-recon; sid:26523; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP phpMyAdmin preg_replace remote code execution attempt"; flow:to_server,established; http_uri; content:"/db_structure.php"; http_client_body; content:"prefix=",nocase; pcre:"/from(%5f|_)prefix=[^&]*?(%2f|\/)[^&]*?e[^&]*?(%00|\x00)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3238; reference:url,osvdb.org/show/osvdb/92793; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2013-2.php; classtype:attempted-admin; sid:26547; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress brute-force login attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"|2F|wp|2D|login|2E|php"; detection_filter:track by_src, count 26, seconds 60; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,blog.spiderlabs.com/2013/04/defending-wordpress-logins-from-brute-force-attacks.html; reference:url,blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html; classtype:suspicious-login; sid:26557; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt"; flow:to_server,established; http_uri; content:"ї|3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,51860; reference:url,bugs.php.net/bug.php?id=60965; classtype:attempted-admin; sid:26593; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Windows 2012 Server additional empty Accept-Encoding field denial of service attempt"; flow:to_server,established; http_header; content:"Accept-Encoding:"; content:"Accept-Encoding:|0D 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-1305; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-039; classtype:attempted-dos; sid:26632; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center SyslogDownloadServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/tmp/syslog/download?"; content:"fileName=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,58385; reference:cve,2012-5206; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91031; classtype:attempted-recon; sid:26669; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center UAM acmServletDownload information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/download?"; content:"Name=",nocase; content:"../",distance 0; pcre:"/[?&](path|file)Name=[^&]*?\x2e\x2e\x2f/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,58385; reference:cve,2012-5211; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91036; classtype:attempted-recon; sid:26794; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Mutiny editdocument servlet arbitrary file access attempt"; flow:to_server,established; http_uri; content:"/interface/editdocument"; http_client_body; content:"operation=",nocase; content:"paths",nocase; pcre:"/(^|&)paths(%5b|\x5b)(%5d|\x5d)=[^&]*?(%2e|\x2e){2}(%2f|\x2f)/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0136; reference:url,osvdb.org/show/osvdb/93444; classtype:attempted-recon; sid:26797; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Mutiny editdocument servlet arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"/interface/editdocument"; http_client_body; content:"uploadFile",nocase; content:"uploadPath",nocase; pcre:"/uploadPath[^-]+?(%2e|\x2e){2}(%2f|\x2f)/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0136; reference:url,osvdb.org/show/osvdb/93444; classtype:attempted-admin; sid:26798; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP FosWiki and TWiki MAKETEXT macro memory consumption denial of service attempt"; flow:to_server,established; http_cookie; content:"WIKISID="; http_client_body; content:"MAKETEXT"; content:"%5b%5f"; pcre:"/\%5b\%5f[0-9]{16}/sm"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,56950; reference:cve,2012-6329; reference:cve,2012-6330; reference:url,foswiki.org/Support/SecurityAlert-CVE-2012-6330; reference:url,osvdb.org/show/osvdb/88410; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329; classtype:attempted-dos; sid:26905; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP TWiki search function remote code execution attempt"; flow:to_server,established; http_uri; content:"/twiki/"; pcre:"/[?&](search|topic)=[^&]*?(\x27|%27)(\s*|(%20)*)(\x3b|%3b)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,11674; reference:cve,2004-1037; classtype:attempted-user; sid:26907; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP TWiki search function remote code execution attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/twiki/"; http_client_body; pcre:"/[?&](search|topic)=[^&]*?(\x27|%27)(\s*|(%20)*)(\x3b|%3b)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,11674; reference:cve,2004-1037; classtype:attempted-user; sid:26908; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 ( msg:"SERVER-WEBAPP SAP ConfigServlet command execution attempt"; flow:to_server,established; http_uri; content:"/ctc/servlet/ConfigServlet"; content:"param=com.sap.ctc.util.FileSystemConfig",distance 0; content:"EXECUTE_CMD",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf; classtype:attempted-admin; sid:26929; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP D-Link DIR-300/DIR-600 unauthenticated remote command execution attempt"; flow:to_server,established; http_method; content:"POST",depth 4,nocase; http_uri; content:"/command.php"; http_client_body; content:"cmd=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,57734; reference:url,exploit-db.com/exploits/24453/; reference:url,osvdb.org/show/osvdb/89861; reference:url,www.s3cur1ty.de/m1adv2013-003; classtype:attempted-admin; sid:26953; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt"; flow:to_server,established; http_uri; content:"wp-comments-post.php",nocase; http_client_body; content:"mfunc"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,59316; reference:cve,2013-2010; reference:url,osvdb.org/show/osvdb/92652; classtype:attempted-admin; sid:26990; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt"; flow:to_server,established; http_uri; content:"wp-comments-post.php",nocase; http_client_body; content:"dynamic-cached-content"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,59316; reference:cve,2013-2010; reference:url,osvdb.org/show/osvdb/92652; classtype:attempted-admin; sid:26991; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt"; flow:to_server,established; http_uri; content:"wp-comments-post.php",nocase; http_client_body; content:"mclude"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,59316; reference:cve,2013-2010; reference:url,osvdb.org/show/osvdb/92652; classtype:attempted-admin; sid:26992; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/dusap.php?"; content:"language=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,osvdb.org/show/osvdb/91118; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27018; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/dusap.php"; http_client_body; content:"language=",nocase; content:"..|5C|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,osvdb.org/show/osvdb/91118; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27019; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/dusap.php"; http_client_body; content:"language=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,osvdb.org/show/osvdb/91118; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27020; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/mdm.php?"; content:"language=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58402; reference:cve,2013-1081; reference:url,osvdb.org/show/osvdb/91119; reference:url,www.novell.com/support/kb/doc.php?id=7011895; classtype:attempted-admin; sid:27028; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/mdm.php"; http_client_body; content:"language=",nocase; content:"..|5C|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58402; reference:cve,2013-1081; reference:url,osvdb.org/show/osvdb/91119; reference:url,www.novell.com/support/kb/doc.php?id=7011895; classtype:attempted-admin; sid:27029; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/mdm.php"; http_client_body; content:"language=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58402; reference:cve,2013-1081; reference:url,osvdb.org/show/osvdb/91119; reference:url,www.novell.com/support/kb/doc.php?id=7011895; classtype:attempted-admin; sid:27030; rev:2; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP System Management arbitrary command injection attempt"; flow:to_server,established; http_uri; content:"/smhutil/snmpchp/"; content:"&&"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60471; reference:cve,2013-3576; reference:url,osvdb.org/show/osvdb/94191; classtype:attempted-admin; sid:27104; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP System Management arbitrary command injection attempt"; flow:to_server,established; http_uri; content:"/smhutil/snmpchp/"; content:"|3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60471; reference:cve,2013-3576; reference:url,osvdb.org/show/osvdb/94191; classtype:attempted-admin; sid:27105; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DokuWiki PHP file inclusion attempt"; flow:to_server,established; http_uri; content:"/doku.php?",nocase; content:"config_cascade[main][default][]="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35095; reference:cve,2009-1960; reference:url,osvdb.org/show/osvdb/54740; classtype:web-application-attack; sid:27226; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SezHoo remote file include in SezHooTabsAndActions.php"; flow:to_server,established; http_uri; content:"SezHooTabsAndActions.php"; content:"IP=",nocase; pcre:"/IP=(https?|ftps?)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31756; classtype:web-application-attack; sid:27284; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Gazi Download Portal down_indir.asp SQL injection attempt"; flow:established,to_server; http_uri; content:"/down_indir.asp?"; content:"id=",nocase; pcre:"/id=((UNION|DELETE|ASCII)?\s*SELECT.*?FROM|UPDATE.*?SET)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23714; reference:cve,2007-2810; classtype:web-application-attack; sid:27285; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP D-Link DIR-300/DIR-600 unauthenticated remote command execution attempt"; flow:to_server,established; http_method; content:"POST",depth 4,nocase; http_uri; content:"/command.php"; http_client_body; content:"cmd=",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,57734; reference:url,exploit-db.com/exploits/24453/; reference:url,osvdb.org/show/osvdb/89861; reference:url,www.s3cur1ty.de/m1adv2013-003; classtype:attempted-admin; sid:26953; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt"; flow:to_server,established; http_uri; content:"wp-comments-post.php",nocase; http_client_body; content:"mfunc"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,59316; reference:cve,2013-2010; reference:url,osvdb.org/show/osvdb/92652; classtype:attempted-admin; sid:26990; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt"; flow:to_server,established; http_uri; content:"wp-comments-post.php",nocase; http_client_body; content:"dynamic-cached-content"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,59316; reference:cve,2013-2010; reference:url,osvdb.org/show/osvdb/92652; classtype:attempted-admin; sid:26991; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt"; flow:to_server,established; http_uri; content:"wp-comments-post.php",nocase; http_client_body; content:"mclude"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,59316; reference:cve,2013-2010; reference:url,osvdb.org/show/osvdb/92652; classtype:attempted-admin; sid:26992; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/dusap.php?"; content:"language=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,osvdb.org/show/osvdb/91118; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27018; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/dusap.php"; http_client_body; content:"language=",nocase; content:"..|5C|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,osvdb.org/show/osvdb/91118; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27019; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/dusap.php"; http_client_body; content:"language=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,osvdb.org/show/osvdb/91118; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27020; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/mdm.php?"; content:"language=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,58402; reference:cve,2013-1081; reference:url,osvdb.org/show/osvdb/91119; reference:url,www.novell.com/support/kb/doc.php?id=7011895; classtype:attempted-admin; sid:27028; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/mdm.php"; http_client_body; content:"language=",nocase; content:"..|5C|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,58402; reference:cve,2013-1081; reference:url,osvdb.org/show/osvdb/91119; reference:url,www.novell.com/support/kb/doc.php?id=7011895; classtype:attempted-admin; sid:27029; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/mdm.php"; http_client_body; content:"language=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,58402; reference:cve,2013-1081; reference:url,osvdb.org/show/osvdb/91119; reference:url,www.novell.com/support/kb/doc.php?id=7011895; classtype:attempted-admin; sid:27030; rev:2; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP System Management arbitrary command injection attempt"; flow:to_server,established; http_uri; content:"/smhutil/snmpchp/"; content:"&&"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,60471; reference:cve,2013-3576; reference:url,osvdb.org/show/osvdb/94191; classtype:attempted-admin; sid:27104; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP System Management arbitrary command injection attempt"; flow:to_server,established; http_uri; content:"/smhutil/snmpchp/"; content:"|3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,60471; reference:cve,2013-3576; reference:url,osvdb.org/show/osvdb/94191; classtype:attempted-admin; sid:27105; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DokuWiki PHP file inclusion attempt"; flow:to_server,established; http_uri; content:"/doku.php?",nocase; content:"config_cascade[main][default][]="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35095; reference:cve,2009-1960; reference:url,osvdb.org/show/osvdb/54740; classtype:web-application-attack; sid:27226; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SezHoo remote file include in SezHooTabsAndActions.php"; flow:to_server,established; http_uri; content:"SezHooTabsAndActions.php"; content:"IP=",nocase; pcre:"/IP=(https?|ftps?)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31756; classtype:web-application-attack; sid:27284; rev:1; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Gazi Download Portal down_indir.asp SQL injection attempt"; flow:established,to_server; http_uri; content:"/down_indir.asp?"; content:"id=",nocase; pcre:"/id=((UNION|DELETE|ASCII)?\s*SELECT.*?FROM|UPDATE.*?SET)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,23714; reference:cve,2007-2810; classtype:web-application-attack; sid:27285; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21064 ( msg:"SQL Ingres Database uuid_from_char buffer overflow attempt"; flow:to_server,established; content:"uuid_from_char"; pcre:"/uuid_from_char\s*?\(\s*?[\x22\x27][^\x22\x27]{37}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,24585; reference:cve,2007-3338; reference:url,supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp; reference:url,www.ngssoftware.com/advisories/high-risk-vulnerability-in-ingres-stack-overflow; classtype:attempted-admin; sid:12027; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 7210 ( msg:"SQL SAP MaxDB shell command injection attempt"; flow:to_server,established; content:"exec_sdbinfo"; pcre:"/exec_sdbinfo\s+[\x26\x3b\x7c\x3e\x3c]/i"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,27206; reference:cve,2008-0244; classtype:attempted-admin; sid:13356; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 ( msg:"SQL IBM DB2 Universal Database xmlquery buffer overflow attempt"; flow:to_server,established; content:"xmlquery"; content:"select ",nocase; pcre:"/select\s+xmlquery\s*\x28\s*(\x27|\x22)[^\x27\x22]{512}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service drda,service mysql; reference:bugtraq,29601; reference:cve,2008-3854; classtype:attempted-user; sid:14991; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 ( msg:"SQL IBM DB2 Universal Database xmlquery buffer overflow attempt"; flow:to_server,established; content:"xmlquery"; content:"select ",nocase; pcre:"/select\s+xmlquery\s*\x28\s*(\x27|\x22)[^\x27\x22]{512}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:drda, mysql; reference:bugtraq,29601; reference:cve,2008-3854; classtype:attempted-user; sid:14991; rev:3; )
alert tcp any any -> $SQL_SERVERS 1433 ( msg:"SQL WinCC DB default password security bypass attempt"; flow:to_server,established; content:"WinCCConnect"; content:"2WSXcder",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2010-2772; reference:url,support.automation.siemens.com/WW/view/en/43876783; classtype:attempted-user; sid:17044; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 ( msg:"SQL IBM DB2 DATABASE SERVER SQL REPEAT Buffer Overflow"; flow:to_server, established; content:" REPEAT|28|",nocase; content:",",distance 0; byte_test:10,>,1000,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service drda; reference:bugtraq,37976; reference:cve,2010-0462; classtype:attempted-admin; sid:17209; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 ( msg:"SQL IBM DB2 DATABASE SERVER SQL REPEAT Buffer Overflow"; flow:to_server, established; content:" REPEAT|28|",nocase; content:",",distance 0; byte_test:10,>,1000,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop; service:drda; reference:bugtraq,37976; reference:cve,2010-0462; classtype:attempted-admin; sid:17209; rev:3; )
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any ( msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:16; )