From: Russ Combs (rucombs)
Date: Mon, 24 Jul 2017 14:58:44 +0000 (-0400)
Subject: Merge pull request #967 in SNORT/snort3 from bugz_r_us to master
X-Git-Tag: 3.0.0-239~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=87777cc8f644544ca0eee39260cc55b2594eba62;p=thirdparty%2Fsnort3.git
Merge pull request #967 in SNORT/snort3 from bugz_r_us to master
Squashed commit of the following:
commit be1b03e0e98f494e9019893110b0ec87853861c2
Author: Russ Combs
Date: Sun Jul 23 13:26:16 2017 -0400
rules: promote metadata:service to a separate option since it is not metadata
commit 945d393f54d57cf1aa489b08e5e04141ef65532d
Author: Russ Combs
Date: Sat Jul 22 13:42:19 2017 -0400
loggers: remove units options; all limits expressed in MB
commit e7773535fe30cde5fa146ffb063850a4fe8670d1
Author: Russ Combs
Date: Sat Jul 22 09:18:42 2017 -0400
text logs: fix default unlimited file size
commit f2d3ff50bf34fe527b5079212e39914170ab5bd9
Author: Russ Combs
Date: Sat Jul 22 00:19:04 2017 -0400
doc: update differences
commit 9eb65c1f15db9d6044e7f5b2b7b8782ef5ce4820
Author: Russ Combs
Date: Fri Jul 21 20:46:39 2017 -0400
u2: remove obsolete configurations
commit 74e3cbfcf68bcd505a3166272a060dd32bc6513c
Author: Russ Combs
Date: Fri Jul 21 20:45:23 2017 -0400
check: update hyperscan and regex tests
commit 37bdac9cffb927e473295fc667b50f9967880968
Author: Russ Combs
Date: Fri Jul 21 14:31:00 2017 -0400
mpse: make regex capability generic
commit fabbd5e454a53e4733699b8eeca40563dc9a5d5a
Author: Russ Combs
Date: Fri Jul 21 13:30:08 2017 -0400
regex: fix pass through of mpse flags to hyperscan
mpse: only use literals for fast patterns if search_method is not hyperscan
---
diff --git a/doc/differences.txt b/doc/differences.txt
index b2ea7aeff..74b11766b 100644
--- a/doc/differences.txt
+++ b/doc/differences.txt
@@ -15,7 +15,7 @@ Some things Snort++ can do today that Snort can not do:
 * regex fast patterns, not just literals
 * FlatBuffers and JSON perf monitor logs
 * LuaJIT scriptable rule options and loggers
-* pub/sub inspection events (currently used by sip and http to appid)
+* pub/sub inspection events (currently used by sip and http_inspect to appid)
 * JIT buffer stuffers (notably with new http_inspect)
 * C-style comments in rules
 * #begin ... #end comment blocks in rules
@@ -76,8 +76,8 @@ Some things Snort++ can do today that Snort can not do as well:
 (Snort 2 requires newline escapes)
 * properly parse rules
 (Snort 2 can actually completely ignore stuff)
-* optional warnings output, can be fatal
- (Snort 2 warnings are not optional or fatal)
+* optional, expanded warnings output, can be fatal
+ (Snort 2 warnings limited and are not optional or fatal)
 * define and use arbitrary variables and functions in config with Lua
 (Snort 2 has variables just for rule headers)
 * text-based command line shell
@@ -100,6 +100,12 @@ Some things Snort++ can do today that Snort can not do as well:
 (Snort 2 can only detect scans)
 * sigquit will cause a --dirty-pig style exit
 (Snort 2 handles sigquit the same as sigterm and sigint)
+* detection trace
+ (Snort 2 has more limited buffer dumping)
+* updated unified2 events with MPLS, VLAN, and IP6
+ (Snort 2 requires configuration and extra data)
+* significantly more unit tests, including --catch and make check
+ (Snort 2 has very few unit tests)
 * better modularity 346K/1534 = 226 lines/file, max=2700
 (Snort 2 has 440K/1021 = 431 lines/file, max=13K)
diff --git a/doc/params.txt b/doc/params.txt
index aeadcd94a..a33a4e9b0 100644
--- a/doc/params.txt
+++ b/doc/params.txt
@@ -29,7 +29,7 @@ information about the type and use of the parameter:
 * For IPS rules only, names starting with ~ indicate positional parameters.
 The names of such parameters do not appear in the rule.
 * IPS rules may also have a wild card parameter, which is indicated by a
- *. Only used for metadata that Snort ignores.
+ *. Used for unquoted, comma-separated lists such as service and metadata.
 * The snort module has command line options starting with a -.
 Some additional details to note:
diff --git a/extra/src/search_engines/lowmem/lowmem.cc b/extra/src/search_engines/lowmem/lowmem.cc
index 0779ad576..2b09da4c5 100644
--- a/extra/src/search_engines/lowmem/lowmem.cc
+++ b/extra/src/search_engines/lowmem/lowmem.cc
@@ -120,7 +120,7 @@ static const MpseApi lm_api =
 nullptr,
 nullptr
 },
- false,
+ MPSE_BASE,
 nullptr,
 nullptr,
 nullptr,
diff --git a/lua/sample.rules b/lua/sample.rules
index 8b0f167ff..9fcf932b6 100644
--- a/lua/sample.rules
+++ b/lua/sample.rules
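Review bot: The new `MPSE_BASE` value in the lm_api initializer is positional and sits among unnamed `nullptr` slots, so a reader cannot tell from the hunk which MpseApi member it fills or that it replaced a plain bool (`false` on the removed line); a trailing comment would help, e.g. `MPSE_BASE, // capability flags (field was a bool) — see MpseApi`. The squashed message "mpse: make regex capability generic" suggests the field now carries capability flags and that lowmem advertises only the base set, but that is inferred from the commit text, not visible in the hunk, so confirm against the MpseApi declaration before wording the comment. The lm_api definition begins before this hunk.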
@@ -1,2480 +1,2480 @@ -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /inst.php?fff="; flow:to_server,established; http_uri; content:"/inst.php?fff=",nocase; content:"coid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16924.html; classtype:trojan-activity; sid:16924; rev:5; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent ErrCode - W32/Fujacks.htm"; flow:established,to_server; http_header; content:"User-Agent|3A| ErrCode"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=141161; reference:url,www.virustotal.com/latest-report.html?resource=f9dc0803ea4634256eae73b2db61a3c5; classtype:trojan-activity; sid:18247; rev:5; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent wget 3.0"; flow:to_server,established; http_header; content:"User-Agent|3A 20|wget|20 33 2E 30 0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=a860efad636dba6ee1d270a1238a559c; classtype:trojan-activity; sid:19175; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string STORMDDOS - Backdoor.Win32.Inject.ctt"; flow:to_server,established; http_header; content:"User-Agent|3A 20|STORMDDOS"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=eb85f7ec383b4e76046cfbddd183d592; classtype:trojan-activity; sid:19480; rev:4; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string ErrorFix"; flow:to_server,established; http_header; 
content:"User-Agent|3A 20|Error|20|Fix"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=f93aae75c25ae232a68f13e3b579f2ea; classtype:trojan-activity; sid:19482; rev:4; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious uri config.ini on 3322.org domain"; flow:to_server,established; http_uri; content:"/config.ini"; http_header; content:"3322|2E|org"; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f72abdad67d82e60386896efdbf84f2f7b560b54c161fb56033224882c51c220-1306543267; classtype:trojan-activity; sid:19493; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string MacProtector"; flow:to_server,established; http_header; content:"User-Agent|3A 20|MacProtector"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file-scan/report.html?id=22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466-1304566748; classtype:trojan-activity; sid:19589; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - pte.aspx?ver="; flow:established,to_server; http_uri; content:"/pte.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/pte\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19622; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - vic.aspx?ver="; flow:established,to_server; http_uri; 
content:"/vic.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/vic\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19623; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - .sys.php?getexe="; flow:established,to_server; http_uri; content:".sys.php?getexe=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=ba84f21b6f1879c2d6ce7c600cfb077cee4a172c8e0711e4ce67b32d1b315e82-1310972138; classtype:trojan-activity; sid:19625; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /setup_b.asp?prj="; flow:established,to_server; http_uri; content:"/setup_b.asp?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/setup_b\.asp\?prj=\d\x26pid=[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f99c0b916ad6fea6888fb5029bbf9b7807d0879298efd896298e54f273234cbe-1311680767; classtype:trojan-activity; sid:19626; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /r_autoidcnt.asp?mer_seq="; flow:established,to_server; http_uri; content:"/r_autoidcnt.asp?mer_seq=",nocase; content:"&mac=",nocase; pcre:"/\/r_autoidcnt\.asp\?mer_seq=\d[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d8f85e320f2841da5319582ea1020f12e622def611728e5eb076477e3f0aa3b2-1311733307; classtype:trojan-activity; sid:19627; 
rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /1cup/script.php"; flow:established,to_server; http_uri; content:"/1cup/script.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=93ae95010d79fbd56f59ee74db5758d2bef5cde451bbbfa7be80fee5023632b5-1310268536; classtype:trojan-activity; sid:19628; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - AnSSip="; flow:established,to_server; http_uri; content:"|26|AnSSip=",nocase; pcre:"/\/\?id=\d+\x26AnSSip=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=dd947d749f836851d8878b5d31dacb54110b4c4cafd7ebe8421dbe911a83d358-1309594430; classtype:trojan-activity; sid:19631; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/adduser.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/adduser.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/adduser\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19632; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/tasks.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/tasks.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/tasks\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service 
http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19633; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /app/?prj="; flow:established,to_server; http_uri; content:"/app/?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/app\/\?prj=\d\x26pid=[^\r\n]+\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=444383f00dfb73927bf8835d6c847aa2eba24fe6f0266f397e42fae186d53009-1311274513; classtype:trojan-activity; sid:19635; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /blog/images/3521.jpg?v"; flow:established,to_server; http_uri; content:"/blog/images/3521.jpg?v",nocase; content:"&tq=",nocase; pcre:"/\/blog/images/3521\.jpg\?v\d{2}=\d{2}\x26tq=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=adcf7ecf750059f9645dc9dc807f0d1f84df23f03096e41d018edcad725057b1-1311932651; classtype:trojan-activity; sid:19636; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /install.asp?mac="; flow:established,to_server; http_uri; content:"/install.asp?mac=",nocase; content:"&mode",nocase; pcre:"/\/install\.asp\?mac=[A-F\d]{12}\x26mode/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f0e9e420544f116948b8dfd3d1ed8d156d323684fa6bd58cc87c0ee49320a21c-1311748537; classtype:trojan-activity; sid:19637; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /kx4.txt"; 
flow:established,to_server; http_uri; content:"/kx4.txt",depth 8,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=1fba1aab5d68fea2d2f0386c63b108d389c2b93d0fbc08ff6071497bb7fb6e1d-1311866840; classtype:trojan-activity; sid:19638; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Opera/8.89 - P2P-Worm.Win32.Palevo.ddm"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Opera|2F|8|2E|89"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=bc58e841f8a43072da7b3c7647828cb8; classtype:trojan-activity; sid:19756; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /games/java_trust.php?f="; flow:established,to_server; http_uri; content:"/games/java_trust.php?f="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blogs.paretologic.com/malwarediaries/index.php/tag/zeus-bot-canada/; classtype:trojan-activity; sid:19778; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /160.rar - Win32/Morto.A"; flow:to_server,established; http_uri; content:"/160.rar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19882; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - optima/index.php"; flow:to_server,established; http_uri; content:"/optima/index.php",nocase; content:"uid=",distance 0,nocase; content:"ver=",distance 
0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=4f9ea5ce70a9a4cc132eb9635e0c5b7e6265ce94be1ff1e9cfd4198dbebd449b-1294138038; classtype:trojan-activity; sid:19913; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string Baby Remote - Win32/Babmote.A"; flow:to_server,established; http_header; content:"User-Agent|3A| Baby Remote"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=0712178d245f4e5a5d0cf6318bf39144; classtype:trojan-activity; sid:20009; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string feranet/0.4 - Win32/Ferabsa.A"; flow:to_server,established; http_header; content:"User-Agent|3A| feranet/0.4|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=93c9b388af56cd66c55630509db05dfd; classtype:trojan-activity; sid:20012; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - InfoBot"; flow:to_server,established; http_header; content:"User-Agent|3A| InfoBot|2F|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0d624da9ec161f78c513cf6b0c85a069b65581cf09ba0a3315e2cac83a89a685-1311198379; classtype:trojan-activity; sid:20104; rev:4; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - IPHONE"; flow:to_server,established; http_header; content:"User-Agent|3A| IPHONE"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; 
reference:url,www.virustotal.com/file-scan/report.html?id=459c30e9568295b0d9a3e5092734bb7fb6137b9bb8d7cbf5486b62e48e36bd7c-1311220119; classtype:trojan-activity; sid:20105; rev:6; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - darkness"; flow:to_server,established; http_header; content:"User-Agent|3A| darkness"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=30ae2284f7d211b8e448f4b011ee554d1303a0ef0163c4b664fe09d168b4441a-1314088474; classtype:trojan-activity; sid:20106; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - meterpreter"; flow:to_server,established; http_header; content:"User-Agent|3A| Meterpreter"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:trojan-activity; sid:20201; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string 0pera 10"; flow:to_server,established; http_header; content:"User-Agent|3A| 0pera 10"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=68c5adbc86aad8332455dcacbe624718d053d9078e99e149d6ecc69085a9e691-1313299701; classtype:trojan-activity; sid:20230; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Mozilla//4.0"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla//4.0 [compatible"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=56afa16e9c6bb2a379d3cff3787d18fa0a7b5f3c3df712ac9702cad789d7eb29-1316218781; 
classtype:trojan-activity; sid:20231; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string MBVDFRESCT"; flow:to_server,established; http_header; content:"User|2D|Agent|3A| MBVDFRESCT"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=61c2dbab2a90512689ac11e724bd8d2923a30780bfb9cac884ba4eb390e8fd40-1315489381; classtype:trojan-activity; sid:20293; rev:4; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BLACKLIST EMAIL known malicious email string - You have received a Hallmark E-Card"; flow:to_server,established; content:"Subject|3A| You have received a Hallmark E-Card!",nocase; content:!"href=|22|http|3A|//www.hallmark.com/",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file-scan/report.html?id=bd1cfd7b15f70d131d8f3f013a4e6afb0807791b898d96d3cc2b57de576acf1f-1258200619; reference:url,www.virustotal.com/latest-report.html?resource=925a4a25cfa562a0330c8733cc697021; classtype:misc-activity; sid:19595; rev:4; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain prettylikeher.com - Sykipot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|prettylikeher|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:cve,2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:21048; rev:6; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mysundayparty.com - Sykipot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|mysundayparty|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy 
security-ips drop,service dns; reference:url,contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html; classtype:trojan-activity; sid:21049; rev:5; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Win32 Amti"; flow:to_server,established; http_header; content:"User-Agent|3A| Win32|2F|Amti"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=5c1b20432a465cfc9f830a8507645b757a95aadcb1f0dd74a05b3c76daddeef9-1296059565; classtype:trojan-activity; sid:21175; rev:4; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string API Guide test program"; flow:to_server,established; http_header; content:"User|2D|Agent|3A| API|2D|Guide test program"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/97ff0c3329bff100cae187cd91dc761495dc8927ebcc64bc04025134624951f6/analysis/; reference:url,www.virustotal.com/file/cb5df70973c7ccedd7ee76e4dcadc2b8b7abab51b1aa16bcac4dd57df9b99182/analysis/; classtype:trojan-activity; sid:21188; rev:4; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Aldi Bot"; flow:to_server,established; http_header; content:"User-Agent|3A| Aldi Bot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=7b17e377e2c44bdad10828dffd9da193a08de4512b47e5caae8a654a9406bb98-1315864372; classtype:trojan-activity; sid:21206; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Flag"; flow:to_server,established; http_header; content:"User-Agent|3A| Flag|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips 
drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=43606116e03672d5c2bca7d072caa573d3fc2463795427d6f5abfa25403bd280-1320677089; classtype:trojan-activity; sid:21225; rev:4; ) -alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"BLACKLIST known malicious FTP login banner - 0wns j0"; flow:established,to_client; content:"220|20|",depth 4; content:"0wns j0",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service ftp; reference:url,seclists.org/fulldisclosure/2004/Sep/895; reference:url,www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html; classtype:trojan-activity; sid:21255; rev:4; ) -alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"BLACKLIST known malicious FTP quit banner - Goodbye happy r00ting"; flow:established,to_client; content:"221 Goodbye happy r00ting"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service ftp; reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html; classtype:trojan-activity; sid:21256; rev:5; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Google Bot"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Google Bot|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=9b5ea51d036ed45e7665abb280e43459; classtype:trojan-activity; sid:21278; rev:4; ) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent ASafaWeb Scan"; flow:to_server,established; http_header; content:"User-Agent|3A| asafaweb.com"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community,service http; reference:url,asafaweb.com; classtype:network-scan; sid:21327; rev:6; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( 
msg:"BLACKLIST User-Agent known malicious user-agent string psi"; flow:to_server,established; http_header; content:"User-Agent|3A 20|psi|20|v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b76f804853db8b602393a588385e3c091bfb81b312ca8d7228881fc9d8bdae6e/analysis/1330351984/; classtype:trojan-activity; sid:21455; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string 1234567890"; flow:to_server,established; http_header; content:"User-Agent|3A| 1234567890"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,/www.virustotal.com/file-scan/report.html?id=aead70177d2932a1ddd4556fa6b7eb3f7a136f58d5511e2c391b74c0f6d32a98-1315311757; classtype:trojan-activity; sid:21469; rev:3; ) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string core-project"; flow:to_server, established; http_header; content:"User-Agent|3A 20|core-project"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:misc-activity; sid:21475; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent YZF"; flow:to_server,established; http_header; content:"User-Agent|3A| YZF|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/92221d283f4d4109b1e8ba139355498cf5b1f444ef8ea181e8ecdc4f68558a97/analysis/; classtype:trojan-activity; sid:21476; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent Gamevance tl_v"; flow:to_server,established; http_header; content:"User-Agent|3A| tl_v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; 
reference:url,www.virustotal.com/file/009b5aba4b00bb618b46987630c23c69b20af29194c3e50a5c6dd2ae04338dd1/analysis/; classtype:trojan-activity; sid:21591; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent gbot"; flow:to_server,established; http_header; content:"User-Agent|3A| gbot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/289eb3becfaf41707ff5e5315c6ba0cca3a5b84f5241d596c748eb036a22a889/analysis/; classtype:trojan-activity; sid:21636; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent mus - TDSS related"; flow:to_server,established; http_header; content:"User-Agent|3A| mus"; pcre:"/User-Agent\x3A\s+?mus[\x0d\x0a]/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/dd3979104aea7a45136e51a24fddcda4658d1825e5a4ee65f2e0601d5ddfc971/analysis/; classtype:trojan-activity; sid:21639; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent TCYWinHTTPDownload"; flow:to_server,established; http_header; content:"User-Agent|3A| TCYWinHTTPDownload"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3303912ce4dd35cb0fefe2d6fbc75a887c2734d42e5edd622609a2c8bedd0dae/analysis/; classtype:trojan-activity; sid:21526; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent BOT/0.1"; flow:to_server,established; http_header; content:"User-Agent|3A| BOT/0.1 |28|BOT for JCE|29|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:21925; rev:2; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain 
mac.update.zyns.com - OSX.Maljava"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mac|06|update|04|zyns|03|com"; metadata:impact_flag red,policy balanced-ips drop,service dns; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:22051; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent RAbcLib"; flow:to_server,established; http_header; content:"User-Agent|3A| RAbcLib"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/47D648603A2923D4539AAF6D4F63B3B704CCE090F68BB394A0F8B1BC2649844A/analysis/; classtype:trojan-activity; sid:22939; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Flame malware"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B|Windows NT 5.1|3B| .NET CLR 1.1.2150|29|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23019; rev:2; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain traffic-spot.com - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|traffic-spot|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23020; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain traffic-spot.biz - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|traffic-spot|03|biz|00|"; metadata:impact_flag red,policy balanced-ips drop,policy 
security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23021; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain smart-access.net - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|smart-access|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23022; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain quick-net.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|quick-net|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23023; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain autosync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|autosync|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23024; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnslocation.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dnslocation|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23025; rev:1; ) -alert udp $HOME_NET any 
-> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsmask.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsmask|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23026; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsportal.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dnsportal|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23027; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsupdate.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dnsupdate|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23028; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain flashupdates.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|flashupdates|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23029; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain localgateway.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|localgateway|04|info|00|"; metadata:impact_flag red,policy balanced-ips 
drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23030; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiadrivers.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|nvidiadrivers|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23031; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiasoft.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|nvidiasoft|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23032; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiastream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nvidiastream|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23033; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pingserver.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pingserver|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23034; rev:1; ) 
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain rendercodec.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|rendercodec|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23035; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain syncdomain.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncdomain|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23036; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain syncstream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncstream|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23037; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain videosync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|videosync|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23038; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for runforestrun - JS.Runfore"; flow:to_server,established; http_uri; content:"/runforestrun?sid="; metadata:policy balanced-ips 
drop,policy security-ips drop,service http; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; reference:url,urlquery.net/search.php?q=runforestrun; classtype:trojan-activity; sid:23473; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - PoisonIvy RAT"; flow:to_server,established; http_header; content:"User-Agent|3A| PoisonIvy"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.poisonivy-rat.com; reference:url,www.virustotal.com/file/c71d8085544e6f81e0301d9dd5cdf88369339a6001bab8e4fda22de9ec0fee31/analysis/; classtype:trojan-activity; sid:23627; rev:2; ) -alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - you"; flow:to_server,established; http_header; content:"User-Agent|3A| you|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23903; rev:2; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dotnetadvisor.info - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|dotnetadvisor|04|info|00|"; 
metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23800; rev:2; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bestcomputeradvisor.com - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|13|bestcomputeradvisor|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23801; rev:2; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain secuurity.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|secuurity|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23803; rev:2; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gowin7.com - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gowin7|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; 
reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23804; rev:2; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain jebena.ananikolic.su - Malware.HPsus/Palevo-B"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|jebena|0A|ananikolic|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HPsus~Palevo-B/detailed-analysis.aspx; classtype:trojan-activity; sid:24034; rev:3; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain reslove-dns.com - Dorifel"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|reslove-dns|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24146; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Testing"; flow:to_server,established; http_header; content:"User-Agent|3A| Testing"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24441; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Alerter COM"; flow:to_server,established; http_header; content:"User-Agent|3A| Alerter COM+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; 
reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24442; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - malware"; flow:to_server,established; http_header; content:"malware"; pcre:"/^User-Agent\x3A[^\r\n]*malware/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/analisis/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c-1270750352; classtype:trojan-activity; sid:16551; rev:8; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Tear Application"; flow:to_server,established; http_header; content:"User-Agent|3A| Tear Application"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=48f1270338bc233839ffefa7e5eefde7; classtype:trojan-activity; sid:16497; rev:7; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Async HTTP Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Async HTTP Agent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5900; rev:10; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:misc-activity; sid:5808; rev:9; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Opera/9.61"; flow:to_server,established; http_header; 
content:"User-Agent: Opera/9.61|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/78F000C1901081A2B7F43E55843BA89B3ED2BE2CAB2C3C36F04C768800863940/analysis/; classtype:trojan-activity; sid:24575; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Lizard/1.0"; flow:to_server,established; http_header; content:"User-Agent: Lizard/1.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/F885D6F24FFE5CD899841E9B9914F7CC1CF22C13C5EBF5332F1A1B4F378793FE/analysis/; classtype:trojan-activity; sid:24631; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - 1"; flow:to_server,established; http_header; content:"User-Agent: 1|0D 0A|"; content:!"Accept:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24632; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - test_hInternet"; flow:to_server,established; http_header; content:"User-Agent: test_hInternet|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24633; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - vaccinepc"; flow:to_server,established; http_header; content:"User-Agent: vaccinepc"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; 
reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24634; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent - Google page"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Google page"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24792; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent"; flow:to_server,established; http_header; content:"User-Agent: User-Agent: Opera/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/E50BE9062933ACA19777767538BC9E03C94DB23AFBC4F6F19383FCBA3479EAB4/analysis/; classtype:trojan-activity; sid:25009; rev:2; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; http_header; content:"malware-sinkhole|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:25018; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; http_header; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - 04/XP"; flow:to_server,established; http_header; content:"User-Agent: 04/XP|0D 
0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/641B3981E33E33030D3D75EDE4D4F2C896D9F355FC9075B2F852E874FBB97F7A/analysis/; classtype:trojan-activity; sid:25243; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - me0hoi"; flow:to_server,established; http_header; content:"User-Agent: me0hoi|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/7919E2A3586AA83072689A5DB77DA8DDB4F675421D775C8F1A0110D12423EF3E/analysis/; classtype:trojan-activity; sid:25245; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/nt/th"; flow:to_server,established; http_uri; content:"/cgi-bin/nt/th"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25394; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/nt/sk"; flow:to_server,established; http_uri; content:"/cgi-bin/nt/sk"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25395; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/dllhost/ac"; flow:to_server,established; http_uri; content:"/cgi-bin/dllhost/ac"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25396; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/ms/check"; flow:to_server,established; http_uri; content:"/cgi-bin/ms/check"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25397; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/ms/flush"; flow:to_server,established; http_uri; content:"/cgi-bin/ms/flush"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25398; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/win/wcx"; flow:to_server,established; http_uri; content:"/cgi-bin/win/wcx"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25399; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/win/cab"; flow:to_server,established; http_uri; content:"/cgi-bin/win/cab"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25400; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain linuxrepository.org - UNIX.Trojan.SSHDoor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|linuxrepository|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; 
reference:url,www.virustotal.com/file/EBFD9354ED83635ED38BD117B375903F9984A18780EF86DBF7A642FC6584271C/analysis/; classtype:trojan-activity; sid:25554; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain openssh.info - UNIX.Trojan.SSHDoor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|openssh|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/EBFD9354ED83635ED38BD117B375903F9984A18780EF86DBF7A642FC6584271C/analysis/; classtype:trojan-activity; sid:25555; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain updete.servehttp.com - Win.Trojan.Jimpime"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|updete|09|servehttp|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/29311a4e5c198df5fa962fdef2e71bdb87a30ca76ce901ae779d30e9b8bfce1b/analysis/; classtype:trojan-activity; sid:25624; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - spam_bot"; flow:to_server,established; http_header; content:"User-Agent: spam_bot|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/ED62E89CC17E400A60D98E075FAFFB9D778C1A27A9CB83723E3AFA6A2C385339/analysis/; classtype:trojan-activity; sid:25659; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bahufykyby.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|bahufykyby|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25684; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain basewibuxenagip.info"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0F|basewibuxenagip|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25685; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cefimoqicy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cefimoqicy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25686; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cohehonyhe.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cohehonyhe|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25687; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain covyqileju.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|covyqileju|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25688; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain decogonuwy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|decogonuwy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25689; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain degupydoka.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|degupydoka|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25690; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain diconybomo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|diconybomo|04|info|00|"; metadata:impact_flag red,policy 
balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25691; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dixegocixa.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dixegocixa|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25692; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain favomavene.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|favomavene|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25693; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fegufidaty.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fegufidaty|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25694; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fenemusemy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fenemusemy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25695; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fihyqukapy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fihyqukapy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25696; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fokizireheceduf.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|fokizireheceduf|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; 
classtype:trojan-activity; sid:25697; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fyzuvejemuxoqiw.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|fyzuvejemuxoqiw|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25698; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gecadutolu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gecadutolu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25699; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gybejajehekyfet.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|gybejajehekyfet|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25700; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain hiveqemyrehinex.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|hiveqemyrehinex|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25701; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain kyqehurevynyryk.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kyqehurevynyryk|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25702; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lofyjisoxo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lofyjisoxo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25703; rev:1; 
) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain loqytylukykiruf.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|loqytylukykiruf|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25704; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lujuhijalu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lujuhijalu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25705; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain luxohygity.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|luxohygity|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25706; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain moqawowyti.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|moqawowyti|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25707; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain musututefu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|musututefu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25708; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mysotonego.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|mysotonego|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25709; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known 
malware domain negenezepu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|negenezepu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25710; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pyziviziny.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pyziviziny|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25711; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qecytylohozariw.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qecytylohozariw|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25712; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qokimusanyveful.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qokimusanyveful|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25713; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qudevyfiqa.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|qudevyfiqa|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25714; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain radohowexehedun.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|radohowexehedun|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25715; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain relusibeci.info"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|0A|relusibeci|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25716; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain rulerykozu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|rulerykozu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25717; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain sygonugeze.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|sygonugeze|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25718; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain taqyhucoka.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|taqyhucoka|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25719; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain tebejoturu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|tebejoturu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25720; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vesufopodu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vesufopodu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25721; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vujygijehu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vujygijehu|04|info|00|"; metadata:impact_flag 
red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25722; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vyzefykeno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vyzefykeno|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25723; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain wezadifiha.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wezadifiha|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25724; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain xatawihuvo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|xatawihuvo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25725; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain xohuhynevepeqyv.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xohuhynevepeqyv|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25726; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zuhokasyku.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zuhokasyku|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25727; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zykuxykevu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zykuxykevu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; 
classtype:trojan-activity; sid:25728; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain all-celeb.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|all-celeb|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25729; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain allsearchforyou.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|allsearchforyou|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25730; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bestpornodrive.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|bestpornodrive|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25731; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain beststoresearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|beststoresearch|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25732; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain catalogforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|catalogforyou|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25733; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain catalogpornosearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|catalogpornosearch|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25734; rev:1; ) 
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain celebrity-info.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|celebrity-info|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25735; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain drafsddhjk.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|drafsddhjk|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25736; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain easy-statistics.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|easy-statistics|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25737; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ekstaz.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ekstaz|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25738; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain facesystem.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|facesystem|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25739; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain famouspeopledata.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|famouspeopledata|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25740; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known 
malware domain famouspeopleinformation.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|17|famouspeopleinformation|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25741; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain findalleasy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|findalleasy|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25742; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain findallsimple.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|findallsimple|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25743; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freepornoreport.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|freepornoreport|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25744; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freepornoshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|freepornoshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25745; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freesearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|freesearchshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25746; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain localfreecatalog.com"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|localfreecatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25747; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain loveplacecatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|loveplacecatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25748; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lovepornomoney.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|lovepornomoney|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25749; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newpornopicture.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|newpornopicture|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25750; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newsearchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|newsearchnecessary|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25751; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newsearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|newsearchshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25752; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornobeetle.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0B|pornobeetle|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25753; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornofreecatalogs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|pornofreecatalogs|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25754; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornofreeforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|pornofreeforyou|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25755; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornowinner.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pornowinner|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25756; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain proshopcatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|proshopcatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25757; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain searchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|searchnecessary|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25758; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain search-porno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|search-porno|04|info|00|"; 
metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25759; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain shopcataloggroup.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|shopcataloggroup|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25760; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain shop-work.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shop-work|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25761; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain superstarsinfo.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|superstarsinfo|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25762; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain winnerfree.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|winnerfree|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25763; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain 24131192124.com - Win.Trojan.Chebri.C "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|24131192124|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FChebri.C; classtype:trojan-activity; sid:25946; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user 
agent cibabam"; flow:to_server,established; http_header; content:"User-Agent|3A| cibabam|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/d8a18e7ce01d17149ada4a46ff3889da/analysis/; classtype:trojan-activity; sid:26248; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mercury.yori.pl - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mercury|04|yori|02|pl|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/3b10dea660714efe9d89b8473196be64445741a2b9d36f9ddf5e45e744a9e320/analysis/; classtype:trojan-activity; sid:26265; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain suppp.cantvenlinea.biz - Bitcoin Miner upload"; flow:to_server; content:"|05|suppp|0C|cantvenlinea|03|biz"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26396; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|08|eastmoon|02|pl|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26399; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|s|07|richlab|02|pl|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26400; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain gigasbh.org - 
Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|gigabsh|03|org"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26401; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|com"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26402; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|h|08|opennews|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26403; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|0A|dailyradio|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26404; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|net"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26405; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|photobeat|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset 
community,service dns; classtype:trojan-activity; sid:26406; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|uranus|03|kei|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26407; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gigashpere|02|su"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26408; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"ext|08|myshopers|03|com"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26409; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"BLACKLIST User-Agent known malicious user agent NOKIAN95/WEB"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2F|WEB"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:26522; rev:2; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|d1js21szq85hyn|0A|cloudfront|03|net"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; 
sid:26554; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xxxxxxxxxxxxxxx|03|kei|02|su"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26555; rev:1; ) -alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|0A|dailyradio|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26556; rev:1; ) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Malicious user agent Brutus AET"; flow:to_server,established; http_header; content:"Mozilla|2F|3.0 |28|Compatible|29 3B|Brutus|2F|AET"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,sectools.org/tool/brutus; classtype:misc-activity; sid:26558; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent Opera 10"; flow:to_server,established; http_header; content:"Opera/10|20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.elitemarketingworld.net - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|elitemarketingworld|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset 
community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26580; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.rsakillerforever.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|10|rsakillerforever|04|name|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26581; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.allamericanservices.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|allamericanservices|04|name|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26582; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain msnsolution.nicaze.net - Genome Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|msnsolution|06|nicaze|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44; reference:url,www.virustotal.com/en/file/f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44/analysis/1367863560/; classtype:trojan-activity; sid:26583; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain theimageparlour.net - Vobfus worm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|theimageparlour|03|net|00|"; 
content:"|03|ns"; content:"|0F|",within 2; content:"theimageparlour|03|net|00|",within 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/cbee43ecc75d6f29061416add74a78ce5e36c67b85e186d66338399305e594d4/analysis/; classtype:trojan-activity; sid:26589; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www2.x3x4.su - backdoor trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www2|04|x3x4|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/a6cad9e09f5049f432491037946acf3376d3d957b97f49ecb22f86531fb0b7de/analysis/; classtype:trojan-activity; sid:26654; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string J13A"; flow:to_server,established; http_header; content:"User-Agent: J13A|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/de/file/75667889BC6ACBB77E57EF02DDE1D908EEF9625292618E31E7D4F5194733C6F0/analysis/; classtype:trojan-activity; sid:26685; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Alina"; flow:to_server, established; http_header; content:"User-Agent|3A| Alina"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/102fa9c066102db7ebf821e28dbc6363d544843bfe45c331eb826663ab6c74b9/analysis/; classtype:trojan-activity; sid:26686; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Win"; flow:to_server,established; http_header; content:"User-Agent|3A| Win|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips 
drop,service http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26702; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain - Backdoor Rbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|07o|05|no-ip|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/bee6e4bb1aba3934388948b48c59068fac3bf467ea9bde8d043ee6481a4d8431/analysis/1369236935/; classtype:trojan-activity; sid:26718; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - msctls_progress32"; flow:to_server,established; http_header; content:"User-Agent|3A| msctls_progress32|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/0b88db0c00910a9f018189a01bb9ab2b166cf16f73930d96e519281d6c5b3001/analysis/; classtype:trojan-activity; sid:26751; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vseforyou.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|vseforyou|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26781; rev:1; ) -alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain commorgan.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|commorgan|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; 
reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26782; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.silobiancer.com - Win.Trojan.Rombrast Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|silobiancer|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26913; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain goliyonzo.pw - BackDoor Comet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|goliyonzo|02|pw|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156196&password=gtrcgbtwhh; reference:url,www.virustotal.com/en/file/b2e7148311c223519042ba38e1ef8a48061645d5bdcadf9763386ad92fcc2654/analysis/; classtype:trojan-activity; sid:26914; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zalil.ru - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zalil|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156195&password=ykndnbluja; reference:url,www.virustotal.com/en/file/22ecaeec7bf54ac3bb8deecd092447c8d62e8e4a928dcaada0348b08db2d1f94/analysis/; classtype:trojan-activity; sid:26915; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain soywey.sin-ip.es - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|soywey|06|sin-ip|02|es|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/218bf5badb5658d06b14d376c92834622b6a171dde9fa8dded755d9fd54c4dae/analysis/; classtype:trojan-activity; sid:26916; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain bigmack.opendns.be - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bigmack|07|opendns|02|be|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.mywot.com/en/scorecard/bigmack.opendns.be?page=3; classtype:trojan-activity; sid:26917; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain trafficconverter.biz - ChronoPay"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|trafficconverter|03|biz|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,krebsonsecurity.com/2011/03/chronopays-scareware-diaries/#more-8331; classtype:trojan-activity; sid:26918; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain kjwre9fqwieluoi.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kjwre9fqwieluoi|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26919; rev:1; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain kukutrustnet777.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kukutrustnet777|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26920; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain memo-stat.com - Htbot"; flow:to_server; content:"|09|memo-stat|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27043; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain twinkcam.net - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|twinkcam|03|net|00|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27180; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cinnamyn.com - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|cinnamyn|03|com|00|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27181; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain restless.ru - Gamarue Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|restless|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27247; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - yahoonews"; flow:to_server,established; http_header; content:"User-Agent|3A| yahoonews|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/49608d016caf8dc31e95e01bd76cc4ac3f37df47b1299931f872e67a4ec80fa3/analysis/; classtype:trojan-activity; sid:27263; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ohtheigh.cc - Foreign-R Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|ohtheigh|02|cc|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Foreign-R/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/787cf06f029d8f79ed375aef13d18301541d73a56b4415da433833b8dae27b63/analysis/1374765802/; classtype:trojan-activity; sid:27537; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain prospexleads.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|prospexleads|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27559; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain phonebillssuck.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|phonebillssuck|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27560; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain myimpactblog.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|myimpactblog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27561; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fixingsocialsecurity.org - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|fixingsocialsecurity|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27562; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain keurslager-demeulder.be - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|keurslager-demeulder|02|be|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27563; rev:1; )
-alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ftp.sigmasolutions.gr - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|0E|sigmasolutions|02|gr|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; 
classtype:trojan-activity; sid:27564; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 1"; flow:to_client,established; file_data; content:"src=|22|https|3A 2F 2F|www.google.com|2F|accounts|2F|ManageAccount?hl=fr|22|"; content:"javascr|5C|u0009ipt|3A|alert|28|document.cookie"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16667; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 2"; flow:to_client,established; file_data; content:"src=|22|http|3A 2F 2F|www.google.ca|2F|language_tools?hl=en|22|"; content:"window.open|28 27|j|5C|navascript|3A|alert|28|document.cookie|29 27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16668; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome float rendering corruption attempt"; flow:to_client,established; file_data; content:"display: list-item"; content:"display: -webkit-inline-box"; content:"removeChild|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1804; classtype:attempted-user; sid:19710; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client, established; file_data; content:"first-letter",nocase; content:"direction",distance 0,nocase; content:"rtl",within 8; content:"whitespace |3D| ",distance 0,nocase; content:"pre",within 10,nocase; content:"|3C|span",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35326; reference:cve,2009-1392; classtype:attempted-user; sid:17613; rev:5; )
-alert 
tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"cobj|2E|id=|22|testcase|22|",fast_pattern,nocase; content:"document|2E|body|2E|appendChild|28|cobj|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3765; classtype:attempted-user; sid:19292; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E|",depth 70; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18486; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18485; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox new function garbage collection remote code execution attempt"; flow:to_client,established; file_data; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|29 27 29 3B 20 7D|"; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|2C|buf|29 27 29 3B 20 7D|",within 200; metadata:policy balanced-ips drop,policy security-ips 
drop,service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18302; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox GeckoActiveXObject memory corruption attempt"; flow:to_client,established; file_data; content:"str|2B 3D|str|3B|"; content:"window.GeckoActiveXObject|28|str|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18301; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; file_data; content:"editEl|20 3D 20|window|2E|el|3B|"; content:"editEl|2E|innerHTML|20 3D 20|value|3B|",distance 0; content:"editEl|2E|disabled|20 3D 20|false|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-3801; reference:url,osvdb.org/show/osvdb/27558; classtype:attempted-user; sid:18263; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine function arguments memory corruption attempt"; flow:to_client,established; file_data; content:"|3B|i<25|3B|i++|29| fe += fe|3B|"; content:"fu=new Function|28 0A|"; content:"fe, fe, fe, fe, fe, fe, fe,",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18262; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine String.toSource memory corruption attempt"; flow:to_client,established; file_data; content:"var rr=",nocase; content:".toSource|28 29 3B|",within 12,distance 1; content:"for|28|i=0|3B|i<1024|2A|1024|3B|i++|29| meg += |22|v|22 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service 
http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18261; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox InstallTrigger.install memory corruption attempt"; flow:to_client,established; file_data; content:"InstallTrigger.install.call|28|document|2C 22|a|22 2C 22|a|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17516; reference:cve,2006-1790; classtype:attempted-user; sid:18187; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox PKCS11 module installation code execution attempt"; flow:to_client,established; file_data; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36343; reference:cve,2009-3076; classtype:attempted-user; sid:16142; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"getElementById|28|'para'|29|.childNodes[0].splitText|28|11|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:17719; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"contentDocument.designMode",nocase; content:"addEvenListener|28|",distance 0,nocase; content:"iframe.style.position",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; 
reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:17570; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow"; flow:to_client,established; file_data; content:" $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JIT escape function memory corruption attempt"; flow:to_client,established; file_data; content:"=data.charAt("; content:"function",nocase; content:"(data)",within 50,nocase; content:"if(",distance 0,nocase; content:"=='",within 125; content:"'",within 1,distance 1; content:" = escape(",within 135; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35660; reference:cve,2009-2477; reference:url,www.kb.cert.org/vuls/id/443060; classtype:attempted-user; sid:15997; rev:6; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter {float|3A| ",fast_pattern; content:".setAttribute|28|'style', 'display|3A| -moz-box|3B| '|29 3B|"; content:".style.display= 'none'|3B|",within 60; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36866; reference:cve,2009-3382; classtype:attempted-user; sid:16347; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"",distance 0,nocase; content:"onselect=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; classtype:attempted-user; sid:24252; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; 
content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24869; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24870; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24871; rev:3; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,37893; 
reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24872; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById"; content:"document.createElement",distance 0; content:"CollectGarbage",distance 0; content:".outerHTML",distance 0; content:"lastChild.style."; pcre:"/var\s*(\w+)\s*=\s*[\w\.]*?getElementById.*?\1\.lastChild\.style\.[a-z0-9()]\s*=\s*document\.createElement.*?CollectGarbage.*?\1\.outerHTML/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-dos; sid:24956; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25125; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25126; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:""; content:""; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25127; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25128; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25129; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; 
classtype:attempted-user; sid:25130; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25131; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:""; content:""; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25132; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25133; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; 
classtype:attempted-user; sid:25134; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25234; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25235; rev:2; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25769; rev:4; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"DOMParser"; content:"createCDATASection",nocase; content:"|2E|cloneNode",nocase; content:"adoptNode",distance 0,nocase; 
content:"CollectGarbage()",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25770; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"shape",nocase; content:"setAttribute(",distance 0,fast_pattern,nocase; content:"path",within 5,distance 1,nocase; isdataat:506,relative; content:!")",within 506; pcre:"/var\s*?(?P\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0030; classtype:attempted-user; sid:25773; rev:4; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_client,established; file_data; content:"]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25784; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_server,established; file_data; content:"]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0022; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25785; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25786; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25787; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer iframe use after free attempt"; flow:to_server,established; file_data; content:"]+name\s*=\s*[\x22\x27](?P\w+)[\x22\x27].*?><\x2fiframe\s*>.*?window\x2eopen\x28.{1,30}(?P=iframe_name).*?window\x2eopen\x28.{1,60}(?P=iframe_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25789; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SVG object user after free attempt"; flow:to_client,established; file_data; content:"image x=|22|60|22| y=|22|50|22| width=|22|240|22| height=|22|240|22| xlink|3A|href=|22|2.svg"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; 
classtype:attempted-admin; sid:25792; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25984; rev:3; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25985; rev:4; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|3C|script|3E|",nocase; content:"|2E|style|2E|behavior",nocase; content:"|23|default|23|userData",distance 0,nocase; content:"setAttribute|28|"; pcre:"/(?P[A-Z\d_]+)\x2Estyle\x2Ebehavior\s*\x3D\s*\x22url\x28\x27\x23default\x23userData\x27\x29\x22.*?(?P=obj)\x2EsetAttribute\x28[^,]+,\s*[A-Z]/smi"; content:"|3C 2F|script|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,38615; 
reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25986; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ani; file_data; content:"RIFF",depth 4; content:"ACON",within 4,distance 4; content:"anih",distance 0,nocase; byte_test:4,>,36,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079; rev:19; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 2D-position use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand"; content:"2D-position",within 100,fast_pattern,nocase; content:"contenteditable",distance 0,nocase; content:"true",within 10,nocase; content:"onresize",distance 0,nocase; content:"document.write",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26125; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_client,established; flowbits:isset,file.htc; file_data; content:"]*?PUT\s*=\s*[\x22\x27](?P\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0094; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26129; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_server,established; flowbits:isset,file.htc; file_data; content:"]*?PUT\s*=\s*[\x22\x27](?P\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26130; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:"behavior",nocase; content:"url",within 5,nocase; content:"#savehistory",distance 0,fast_pattern,nocase; content:".outerHTML",distance 0,nocase; pcre:"/<\s*meta[^>]*?(?>content\s*=\s*"history"[^>]*?name\s*=\s*"save"|name\s*=\s*"save"[^>]*?content\s*=\s*"history")\s*>.*?<\s*style[^>]*?>.*?\.(?P\w+)\s*\{[^}]*?behavior\s*\:[^\;]*?url\s*\x28[^\x29]*?#savehistory[^\x29]*?\x29.*?(?P\w+)\.outerHTML\s*=.*?id\s*=\s*[\x22\x27](?P=element)[\x22\x27].*?class=[\x22\x27]?(?P=class)[\x23\x27]?/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26132; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_server,established; file_data; content:"behavior",nocase; content:"url",within 5,nocase; content:"#savehistory",distance 0,fast_pattern,nocase; content:".outerHTML",distance 0,nocase; 
pcre:"/<\s*meta[^>]*?(?>content\s*=\s*"history"[^>]*?name\s*=\s*"save"|name\s*=\s*"save"[^>]*?content\s*=\s*"history")\s*>.*?<\s*style[^>]*?>.*?\.(?P\w+)\s*\{[^}]*?behavior\s*\:[^\;]*?url\s*\x28[^\x29]*?#savehistory[^\x29]*?\x29.*?(?P\w+)\.outerHTML\s*=.*?id\s*=\s*[\x22\x27](?P=element)[\x22\x27].*?class=[\x22\x27]?(?P=class)[\x23\x27]?/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26133; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"2<nobr>')"; content:"document.selection.createRange().pasteHTML('<td>3')"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3125; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26847; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE5 compatibility mode user after free attempt"; flow:to_client,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:".runtimeStyle.setExpression"; content:"document.body.innerHTML"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26851; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; 
content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26852; rev:2; ) -alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_server,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26853; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_client,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26867; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_server,established; file_data; 
content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26868; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagNameNS(",nocase; content:"www.w3.org",within 50,nocase; content:"removeAttributeNS(",nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26869; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagNameNS(",nocase; content:"www.w3.org",within 50,nocase; content:"removeAttributeNS(",nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26870; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"www.w3.org",nocase; content:"document.getElementsByTagNameNS(",within 100,nocase; content:"removeAttributeNS(",within 100,nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service 
http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26871; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"www.w3.org",nocase; content:"document.getElementsByTagNameNS(",within 100,nocase; content:"removeAttributeNS(",within 100,nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26872; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; content:"document.createStyleSheet",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26873; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; content:"document.createStyleSheet",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26874; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"div1.removeEventListener( 
|27|DOMNodeRemoved|27|, callback, true )"; content:"addEventListener"; content:"DOMNodeRemoved",within 40; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26875; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 cached display node use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|input|22|)[0].focus()"; content:"document.getElementsByTagName(|22|input|22|)[0].applyElement(a)"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3116; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26876; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 tree element use after free attempt"; flow:to_client,established; file_data; content:"document.getElementById",nocase; content:"appendChild",within 50,nocase; content:"ClientRects",within 50,fast_pattern,nocase; content:"p id",distance 0; content:"p id",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26878; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"history.go(0)"; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service 
http,service imap,service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26883; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"location.reload("; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26884; rev:2; ) -alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"history.go(0)"; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26886; rev:3; ) -alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"location.reload("; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3123; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26887; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"jquery"; content:"document.createElement",nocase; content:".document.body.appendChild(",within 100,nocase; content:".replaceAll(",within 150,nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26888; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"jquery"; content:"document.createElement",nocase; content:".document.body.appendChild",within 100,nocase; content:".replaceAll",within 150,nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26889; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt"; flow:to_client,established; file_data; content:"CollectGarbage()"; content:".createElement",nocase; content:"xml",within 10,nocase; content:".setAttributeNode",within 100,nocase; content:".XMLDocument",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; 
classtype:attempted-user; sid:26890; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".exe."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26935; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".html."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE[56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26936; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".bat."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26937; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"ele1.addEventListener( |27|DOMNodeRemoved|27|, eHandler, false )"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26988; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 
0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27061; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27062; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27100; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3118; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27101; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setCapture use after free attempt"; flow:to_client,established; file_data; content:".getElementById(",nocase; content:".setCapture(",within 50,fast_pattern,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3150; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27126; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27127; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_server,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27128; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_client,established; file_data; 
content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27129; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_server,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27130; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('progress'))|3B|document.getElementsByTagName"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27131; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer PreviousTreePos use after free attempt"; flow:to_client,established; file_data; content:".onpropertychange"; content:".swapNode|28|",within 64; pcre:"/\.onpropertychange\s*=\s*function[^{]*?\{[^}]*?\w+\.swapNode\x28/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27132; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 
display node use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27133; rev:1; ) -alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_server,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27134; rev:2; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"createTHead"; content:"insertAdjacentHTML"; content:"scrollIntoView"; content:"insertRow"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3152; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27135; rev:1; ) -alert tcp 
$EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27137; rev:4; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27138; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 IE5 compatibility mode use after free attempt"; flow:established,to_client; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:"event.srcElement.parentNode.removeChild|28|"; content:"document.body.appendChild|28|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-admin; sid:27147; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt"; flow:to_client,established; file_data; content:"function",nocase; content:"document.write",within 25,nocase; 
content:"onbeforeeditfocus=",within 100,nocase; content:"<input",within 25,nocase; content:"</input>",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27148; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt"; flow:to_server,established; file_data; content:"function",nocase; content:"document.write",within 25,nocase; content:"onbeforeeditfocus=",within 100,nocase; content:"<input",within 25,nocase; content:"</input>",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27149; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.execCommand(",nocase; content:"SelectAll",within 9,distance 1,nocase; content:"document.getElementsByName(",within 100,nocase; content:"document.execCommand(|22|Justify",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27150; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.getElementsByName(",nocase; content:"document.execCommand(|22|Justify",within 200,nocase; content:"document.execCommand(",within 100,nocase; content:"SelectAll",within 9,distance 1,nocase; 
metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27151; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; content:"document.execCommand(",nocase; content:"SelectAll",within 9,distance 1,nocase; content:"document.getElementsByName(",within 100,nocase; content:"document.execCommand(|22|Justify",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27152; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; content:"document.getElementsByName(",nocase; content:"document.execCommand(|22|Justify",within 200,nocase; content:"document.execCommand(",within 100,nocase; content:"SelectAll",within 9,distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27153; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer pElement member use after free attempt"; flow:to_client,established; file_data; content:".removeChild(document.getElementsByTagName(",nocase; content:"bdo",within 10,nocase; content:"CollectGarbage()",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3145; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27154; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_client,established; file_data; content:"<table",nocase; content:"<td",distance 0; content:".getElementsByTagName("; content:"column-count",distance 0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27156; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_server,established; file_data; content:"<table",nocase; content:"<td",distance 0; content:".getElementsByTagName("; content:"column-count",distance 0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27157; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"document.body.appendChild(",within 100,nocase; content:"applyElement(",within 100,fast_pattern,nocase; content:"innerHTML",within 100,nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27171; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"document.createElement(",nocase; content:"document.body.appendChild(",within 100,nocase; content:"applyElement(",within 100,fast_pattern,nocase; content:"innerHTML",within 100,nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27172; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_client,established; file_data; content:"<MARQUEE"; content:".removeNode"; content:"document.execCommand"; content:"selectAll",within 15; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27220; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_server,established; file_data; content:"<MARQUEE"; content:".removeNode",nocase; content:"document.execCommand",nocase; content:"selectAll",within 15,nocase; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27221; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera asynchronous document modifications attempted memory corruption"; flow:to_client,established; file_data; content:"function loop|28 29|"; content:"setInterval|28|doit,0|29|",distance 0; content:"function doit|28 29|",distance 0; content:"document.write",distance 0; content:"setInterval|28|loop,0|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,secunia.com/advisories/39590/; reference:url,www.opera.com/support/kb/view/953/; classtype:attempted-user; sid:16592; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:" for"; content:"document.createElement(|27|canvas|27|)",within 100,nocase; content:"getContext(|27|2d|27|)",within 200,nocase; content:"createImageData(",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24432; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray(1024*1024)|3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24433; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_client,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25621; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_server,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25622; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"SendPlayStateChangeEvents",fast_pattern,nocase; content:"event=|22|playStateChange|28|state|29 22|>onstatechange",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:16537; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS FileSystemObject function call"; flow:to_client,established; file_data; content:"Scripting.FileSystemObject"; content:"<script",nocase; content:"Scripting.FileSystemObject",distance 0,nocase; content:"</script>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3934; classtype:policy-violation; sid:21447; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft DirectShow ActiveX exploit via JavaScript"; flow:to_client,established; file_data; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-032; classtype:attempted-user; sid:15678; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX buffer overflows attempt"; flow:to_client,established; file_data; content:"url"; content:"toolbar",distance 0; content:"enableZoomPastMax",distance 0; content:"classid=|22|clsid|3A|{3F0EECCE-E138-11D1-8712-0060083D83F5}",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16589; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AtHocGov IWSAlerts ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"AtHocGovGSTlBar.GSHelper.1"; content:".CompleteInstallation|28|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.fortiguard.com/encyclopedia/vulnerability/athocgov.iwsalerts.activex.buffer.overflow.html; classtype:attempted-user; sid:16599; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SaschArt SasCam Webcam Server ActiveX control exploit attempt"; flow:to_client,established; file_data; content:"clsid|3A|0297D24A-F425-47EE-9F3B-A459BCE593E3",nocase; content:"unescape|28|",within 300,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33053; reference:cve,2008-6898; classtype:attempted-user; sid:16715; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; pcre:"/var num \x3D (-1|168430090)\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:16740; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4588; classtype:attempted-user; sid:16771; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX object access attempt"; flow:to_client,established; file_data; content:"|3D| new ActiveXObject|28 22|ChilkatCrypt2|2E|ChilkatCrypt2|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16789; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|3352B5B9-82E8-4FFD-9EB1-1A3E60056904|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16790; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Roxio CinePlayer SonicDVDDashVRNav.dll ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23412; reference:cve,2007-1559; classtype:attempted-user; sid:17060; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17086; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VeryDOC PDF Viewer ActiveX control OpenPDF buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|433268D7-2CD4-43E6-AA24-2188672E7252|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17091; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AOL IWinAmpActiveX class ConvertFile buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6|27|"; content:"ConvertFile"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35028; classtype:attempted-user; sid:17098; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer ActiveX Import playlist name buffer overflow attempt"; flow:to_client,established; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; content:"aaaaaaaaaaaaaaaaaa",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26130; reference:cve,2007-5601; classtype:attempted-user; sid:17425; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX exploit attempt"; flow:to_client,established; file_data; content:"E9880553-B8A7-4960-A668-95C68BED571E"; content:"unescape|28 27 25 75 34|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:17555; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Backup Exec ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"clsid|3A|22ACD16F-99EB-11D2-9BB3-00400561D975"; content:"unescape|28|"; content:"|25|u",within 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26904; reference:cve,2007-6016; classtype:attempted-user; sid:16672; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX exploit attempt"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; content:"unescape|28 22 25|u",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27534; reference:bugtraq,27756; reference:cve,2008-5711; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:17654; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Office Viewer ActiveX arbitrary command execution attempt"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5",nocase; content:"targetObject.OpenWebFile|28|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:17701; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"poc|2E|avi",fast_pattern,nocase; content:"event|3D 22|playStateChange|28|foo|29 22 3E|boom",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:18542; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"path|20 3D 20|theForm|2E|address|2E|value|3B|"; content:"ctrl|2E|Open|28|path|29 3B|",distance 0; content:"classid|3D 27|clsid|3A|B09DE715|2D|87C1|2D|11D1|2D|8BE3|2D|0000F8754DA1|27 20|id|3D 27|ctrl|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32613; reference:cve,2008-4255; classtype:attempted-user; sid:18601; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX exploit attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28|'LPViewer.LPViewer.1'|29|"; content:"unescape",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16588; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; content:"num|20 3D 20|168430090"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:20901; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23376; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23375; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23374; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B6C10489-FB89-11D4-93C9-006008A7EED4\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23373; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23372; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23304; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a06-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23303; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23302; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23301; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e6-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23300; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23299; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23298; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c1-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23297; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23296; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MSXML2.FreeThreadedDOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))MSXML2\.FreeThreadedDOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23295; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23294; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23293; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f33-c551-11d3-89b9-0000f81fe221"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23292; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23291; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23290; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.FreeThreadedXMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.FreeThreadedXMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23289; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf91-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23288; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.XMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.XMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23287; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf90-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23286; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a05-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23146; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e5-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23145; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c0-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23144; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23143; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23142; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access"; flow:to_client,established; file_data; content:"WMEnc.WMEncProfileManager"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=v)\s*\.\s*GetDetailsString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=n)\s*\.\s*GetDetailsString\s*)\s*\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14257; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS
-> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"A8D3AD02-7508-4004-B2E9-AD33F087F43C",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetDetailsString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetDetailsString))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14255; rev:9; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxTocCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13670; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX clsid access"; flow:to_client,established; file_data; content:"314111b8-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111b8-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service 
http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13668; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxIndexCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13674; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"314111c6-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111c6-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13672; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX function call access"; flow:to_client,established; file_data; content:"Forms.Image"; pcre:"/(?P<c>\w+)\s*=\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0065; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13459; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"4C599241-6926-101B-9992-00000B65C6F9",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4C599241-6926-101B-9992-00000B65C6F9\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13457; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSHierarchicalFlexGridLib.MSHFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Rows\s*|.*(?P=v)\s*\.\s*Rows\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*Rows\s*|.*(?P=n)\s*\.\s*Rows)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15102; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"0ECD9B64-23AA-11D0-B351-00A0C9055D8E",nocase; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q22)(\s|>).*(?P=id1)\s*\.\s*(Rows)|<object\s*[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q23)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Rows))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15100; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSFlexGridLib.MSFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FormatString\s*|.*(?P=v)\s*\.\s*FormatString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*FormatString\s*|.*(?P=n)\s*\.\s*FormatString)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15098; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"6262D3A0-531B-11CF-91F6-C2863C385E30",nocase; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(FormatString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(FormatString))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15096; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access"; flow:to_client,established; file_data; content:"MsRDP.MsRDP",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=v)\s*\.\s*MsRdpClientShell\.RdpFileContents\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=n)\s*\.\s*MsRdpClientShell\.RdpFileContents)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15863; rev:9; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access"; flow:to_client,established; file_data; content:"4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2",nocase; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(MsRdpClientShell\.RdpFileContents)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(MsRdpClientShell\.RdpFileContents))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15861; rev:9; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.Spreadsheet",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15691; rev:7; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E559-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E559-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1136; 
reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15689; rev:7; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC10.Spreadsheet",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15687; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E541-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E541-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15685; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX function call access"; flow:to_client,established; file_data; content:"mscomctl2.animation",nocase; 
pcre:"/(?P<c>\w+)\s*=\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Open\s*|.*(?P=v)\s*\.\s*Open\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\)(\s*\.\s*Open\s*|.*(?P=n)\s*\.\s*Open\s*)\s*\(/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15086; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q37>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q37)(\s|>).*(?P=id1)\s*\.\s*(Open)|<object\s*[^>]*\s*classid\s*=\s*(?P<q38>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q38)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(Open))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15084; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by ProgID"; flow:to_client,established; file_data; content:"ActiveXObject",nocase; content:"TDCCtl.TDCCtl",distance 0,fast_pattern,nocase; content:"DataURL",nocase; 
pcre:"/(?P<obj>[A-Z\d_]+)\s*=\s*new\s*ActiveXObject\x28(?P<q1>\x22|\x27|)TDCCtl\.TDCCtl(\.\d)?(?P=q1).*?(?P=obj)\.DataURL\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16511; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by CLSID"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83",nocase; content:"DataURL",nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*333C7BC4-460F-11D0-BC04-0080C7055A83\s*}?(?P=q1)/smi"; pcre:"/(?P<obj>[A-Z\d_]+)\.DataURL\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16510; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX clsid access"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; 
classtype:attempted-user; sid:13419; rev:16; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS obfuscated instantiation of ActiveX object - likely malicious"; flow:to_client,established; file_data; content:"new ActiveXObject|28|",nocase; content:"unescape|28|",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3558; classtype:attempted-user; sid:17571; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Tabular Control ActiveX overflow by CLSID / param tag"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83",nocase; content:"<param",distance 0,nocase; content:"DataURL",distance 0,nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*333C7BC4-460F-11D0-BC04-0080C7055A83\s*}?(?P=q1)/smi"; pcre:"/<param[^>]+(name\s*=\s*(?P<q2>\x22|\x27|)DataURL(?P=q2)[^>]+value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})|value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})[^>]+name\s*=\s*(?P<q3>\x22|\x27|)DataURL(?P=q3))/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19893; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX function call"; flow:to_client,established; file_data; content:"WebViewFolderIcon.WebViewFolderIcon.1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:8419; rev:14; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft 
Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"E5DF9D10-3B52-11D1-83E8-00A0C90DC849"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:7985; rev:13; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL cdda URI overflow attempt"; flow:to_client,established; file_data; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; content:"cdda|3A 2F 2F|",nocase; isdataat:100,relative; pcre:"/cdda\x3A\x2F\x2F[^\s\x22\x27]{100}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44144; reference:cve,2010-3747; classtype:attempted-user; sid:18578; rev:5; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"ReleaseContext"; pcre:"/(?P<c>\w+)\s*=\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18329; rev:7; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access"; flow:to_client,established; file_data; 
content:"AddContextRef"; pcre:"/(?P<c>\w+)\s*=\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18242; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"Excel.OActrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11183; rev:11; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX clsid access"; flow:to_client,established; file_data; 
content:"18A295DA-088E-42D1-BE31-5028D7F9B965"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11181; rev:12; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office PowerPoint Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22B92"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q19>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q19)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q20>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q20)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23733; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2494; 
reference:url,moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html; classtype:attempted-user; sid:11176; rev:13; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Viewer 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F288F2"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m11>\x22|\x27|)(?P<id1>.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P<q24>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q24)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open)|<object\s*[^>]*\s*classid\s*=\s*(?P<q25>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q25)(\s|>)[^>]*\s*id\s*=\s*(?P<m12>\x22|\x27|)(?P<id2>.+?)(?P=m12)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:15230; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Word Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22BF2"; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q14)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q15)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23784; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2496; reference:url,moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html; classtype:attempted-user; sid:11187; rev:11; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX clsid access"; flow:to_client,established; file_data; content:"FC13BAA2-9C1A-4069-A221-31A147636038"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(Connect)|<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(Connect))/Osi"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,31129; reference:cve,2008-4110; classtype:attempted-user; sid:14756; rev:8; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX function call access"; flow:to_client,established; file_data; content:"TheFacebook.FacebookPhotoUploader4.4.1"; 
pcre:"/(?P<c>\w+)\s*=\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=v)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=n)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13421; rev:16; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX function call access"; flow:to_client,established; file_data; content:"SAPBExCommonResources.BExGlobal",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Execute\s*|.*(?P=v)\s*\.\s*Execute\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\)(\s*\.\s*Execute\s*|.*(?P=n)\s*\.\s*Execute\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17616; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX clsid access"; flow:to_client,established; file_data; content:"A009C90D-814B-11D3-BA3E-080009D22344",nocase; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Execute)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Execute))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17614; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft ciodm.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17596; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft creator.dll 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"F849164D-9863-11D3-97C6-0060084856D4"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17595; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft creator.dll 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"606EF130-9852-11D3-97C6-0060084856D4"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17594; rev:4; )
-alert 
tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft msdxm.ocx ActiveX clsid access"; flow:to_client,established; file_data; content:"8E71888A-423F-11D2-876E-00A0C9082467"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17593; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Research In Motion AxLoader ActiveX clsid access"; flow:to_client,established; file_data; content:"4788DE08-3552-49EA-AC8C-233DA52523B9"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4788DE08-3552-49EA-AC8C-233DA52523B9\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33663; reference:cve,2009-0305; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15311; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VMWare VMCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"38DB77F9-058D-4955-98AA-4A9F3B6A5B06"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GuestInfo)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GuestInfo))\s*\(/Osi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30934; reference:cve,2008-3892; classtype:attempted-user; sid:14611; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service 
Agent ActiveX function call"; flow:to_client,established; file_data; content:"DWUSWebAgent.WebAgent"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14765; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Autodesk LiveUpdate ActiveX clsid access"; flow:to_client,established; file_data; content:"89EC7921-729B-4116-A819-DF86A4A5776B"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(ApplyPatch)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(ApplyPatch))\s*\(/Osi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31490; reference:cve,2008-4472; classtype:attempted-user; sid:14748; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Lotus Domino Web Access ActiveX Controls buffer overflow attempt"; flow:to_client,established; file_data; isdataat:1024; content:"ctrl.InstallBrowserHelperDll",nocase; content:"General_ServerName",nocase; content:!">",within 1024; pcre:"/(3BFFE033-BF43-11d5-A271-00A024A51325|iNotes6\.iNotes6|E008A543-CEFB-4559-912F-C27C2B89F13B|dwa7\.dwa7|983A9C21-8207-4B58-BBB8-0EBC3D7C5505|dwa85?\.dwa85?|75AA409D-05F9-4f27-BD53-C7339D4B1D0A)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38457; reference:cve,2010-0919; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21421808; classtype:attempted-user; sid:17545; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Data Source 
Control 11.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E55B-0000-0000-C000-000000000046"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteRecordSourceIfUnused)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteRecordSourceIfUnused))\s*\(/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19069; reference:bugtraq,24462; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/show/osvdb/27111; classtype:attempted-user; sid:8723; rev:11; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS OWC11.DataSourceControl.11 ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.DataSourceControl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19069; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/show/osvdb/27111; classtype:attempted-user; sid:9820; rev:10; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX function call access"; flow:to_client,established; file_data; content:"Altiris.AeXNSPkgDL",nocase; 
pcre:"/(?P<c>\w+)\s*=\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=v)\s*\.\s*(Download|DownloadAndInstall)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=n)\s*\.\s*(Download|DownloadAndInstall)\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17094; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Download|DownloadAndInstall)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Download|DownloadAndInstall))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17092; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS IBM Access Support ActiveX clsid access"; flow:to_client,established; file_data; content:"74FFE28D-2378-11D5-990C-006094235084"; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetXMLValue)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetXMLValue))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34228; reference:cve,2009-0215; classtype:attempted-user; sid:16746; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 31 ActiveX clsid access"; flow:to_client,established; file_data; content:"D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q49>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6\s*}?\s*(?P=q49)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14148; rev:10; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Silverlight privilege escalation attempt"; flow:to_client,established; file_data; content:"System.Net.Sockets|00|SocketAsyncEventArgs",nocase; content:"MemberwiseClone",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-admin; sid:21299; rev:5; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"name=|22|docbase|22| value=|22 27| + ",nocase; content:"sBoF",within 20,nocase; metadata:policy 
balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:18245; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"40EC20B2-61B4-4cdd-B4BD-F1E462C0E398"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3807; classtype:attempted-user; sid:24525; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"C668B648-A2BD-432C-854F-C8C0A275E1F1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3808; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24526; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"7650BC47-036D-4D5B-95B4-9D622C8D00A4"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3806; classtype:attempted-user; sid:24527; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3807; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24528; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"0D080D7D-28D2-4F86-BFA1-D582E5CE4867"; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchInstaller)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchInstaller))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26193; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_server; file_data; content:"0D080D7D-28D2-4F86-BFA1-D582E5CE4867"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchInstaller)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchInstaller))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26194; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Google Apps mailto URI argument injection attempt"; flow:to_client,established; file_data; content:"|22|%20--domain=|22|",nocase; content:"--renderer-path|3D|",nocase; content:"%20--no-sandbox%20"; metadata:policy balanced-ips drop,policy security-ips drop,service http; 
reference:bugtraq,36581; classtype:attempted-user; sid:26250; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Metalink file download parameter buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.metalink; file_data; content:"<url"; content:"http://",within 100; isdataat:1024,relative; content:!"</url",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-1602; classtype:attempted-user; sid:26421; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Winds3D Player SceneURL method command execution attempt"; flow:to_client,established; file_data; content:"clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903"; content:"|3C|param name|3D 22|SceneURL|22| value|3D 22|http|3A 2F 2F|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2386; reference:cve,2009-4850; classtype:attempted-user; sid:16785; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"3384F595-9B10-4139-9893-7E4CB1F11875"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(OpenConnection)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(OpenConnection))/siO"; metadata:policy security-ips drop,service http; reference:cve,2013-0674; reference:url,osvdb.org/show/osvdb/91311; classtype:attempted-user; sid:26497; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"WebClientInstall.RegReader"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=v)\s*\.\s*OpenConnection\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=n)\s*\.\s*OpenConnection\s*)/smiO"; metadata:policy security-ips drop,service http; reference:cve,2013-0674; reference:url,osvdb.org/show/osvdb/91311; classtype:attempted-user; sid:26498; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26524; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_server,established; file_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26525; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 
$HOME_NET any ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"HSCRemoteDeploy.RemoteInstaller"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=v)\s*\.\s*LaunchInstaller\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=n)\s*\.\s*LaunchInstaller\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26573; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_server; file_data; content:"HSCRemoteDeploy.RemoteInstaller"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=v)\s*\.\s*LaunchInstaller\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=n)\s*\.\s*LaunchInstaller\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26574; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; 
content:"jnlp_embedded"; content:"value",within 10; base64_decode:bytes 1000,offset 2, relative; base64_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26646; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_server,established; file_data; content:"jnlp_embedded"; content:"value",within 10; base64_decode:bytes 1000,offset 2, relative; base64_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26647; rev:3; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"META-INF/services/java.sql.Driver"; content:"Fakedriver",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,58504; reference:cve,2013-1488; reference:url,osvdb.org/show/osvdb/91472; classtype:attempted-user; sid:26899; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit menu onchange memory corruption attempt"; flow:to_client,established; file_data; content:"window.layoutTestController"; content:"eventSender.keyDown|28 22|e|22 29 3B|",distance 0; 
content:"eventSender.keyDown|28 22 5C|r|22 2C 20 5B 5D 29 3B|",distance 0; content:"document.body.offsetTop|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43083; reference:cve,2010-1814; classtype:attempted-user; sid:19009; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"p|20 7B 20|display|3A 20|run|2D|in|20 7D|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|child|29 3B|"; content:"document.getElementById|28 22|test|22 29|.appendChild|28|document.getElementById|28 22|sibling|22 29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19004; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"elem.setAttribute|28 22|style|22 2C 20 22|display|3A 20|run|2D|in|22 29 3B|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|elem|29 3B|"; content:"document.getElementById|28 22|output|22 29|.appendChild|28|document.getElementById|28 22|block-sibling|22 29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19003; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit removeAllRanges use-after-free attempt"; flow:to_client,established; file_data; content:"window|2E|getSelection|28 29 2E|selectAllChildren"; content:"style|2E|display|20 3D 20 27|none|27|",distance 0; content:"window|2E|getSelection|28 29 2E|removeAllRanges",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43079; 
reference:cve,2010-1812; classtype:attempted-user; sid:18995; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit range object remote code execution attempt"; flow:to_client,established; file_data; content:"document.addEventListener(|22|DOM",nocase; content:".innerHTML|20 3D|",distance 0,nocase; content:"document.createRange|28 29 3B|",distance 0,nocase; content:".extractContents|28 29 3B|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,46746; reference:cve,2011-0115; classtype:attempted-user; sid:18770; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|img width=0.3133731337313373133731337"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18295; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var Overflow = |22|31337|22 20 2B 20|0|2E|313373133731337313373133731337"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18294; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var pi=3+0.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852"; content:"document.write|28 22|Area = pi*|28|r^2|29 22|+pi*|28|radius*radius|29 29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service 
http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:16145; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari innerHTML use after free exploit attempt"; flow:to_client,established; file_data; content:"setTimeout",nocase; content:"document.body.innerHTML",distance 0,nocase; content:"document.getElementById(",distance 0,nocase; content:".innerHTML",distance 0,nocase; pcre:"/setTimeout.*?\x7b[^\x7d]*document\.body\.innerHTML.*?\x7d.*document\.getElementById\x28(?P<q1>\x22|\x27|)(?P<m1>\w+?)(?P=q1)\x29\.innerHTML.*?div\s+id\s*\x3d\s*(?P<q2>\x22|\x27|)(?P=m1)(?P=q2)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48844; reference:cve,2011-0221; classtype:attempted-user; sid:21189; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Microsoft Windows 7 x64 Apple Safari abnormally long iframe exploit attempt"; flow:to_client,established; file_data; content:"<iframe",fast_pattern,nocase; content:"height|3D|",within 50,nocase; pcre:"/<iframe[^>]*?height\x3d\s*[\x22\x27]?\s*[0-9]{6}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,51122; reference:cve,2011-5046; reference:url,osvdb.org/show/osvdb/77908; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-008; classtype:attempted-dos; sid:20999; rev:9; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point conversion memory corruption attempt"; flow:to_client,established; file_data; content:"debug|28 2D|parseFloat|28 22|NAN|28|ffffe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43047; reference:cve,2010-1807; classtype:attempted-user; sid:19008; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit ParentStyleSheet exploit attempt"; 
flow:to_client,established; file_data; content:".sheet.rules["; pcre:"/getElementById\(\x22(.*?)\x22\)\.sheet\.rules\[\d+\].*?([A-Z\d_]+)\s*=\s*document\.getElementById\(\x22\1\x22\).*?\s+\2\.parentElement/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,svnsearch.org/svnsearch/repos/WEBKIT/search?logMessage=51993; classtype:attempted-user; sid:18508; rev:4; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Phoenix exploit kit post-compromise behavior"; flow:to_server, established; http_header; content:"Accept-Encoding: identity, *|3B|q=0"; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.0|3B| Windows 98)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; reference:url,contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html; classtype:successful-user; sid:21860; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure"; flow:to_client,established; file_data; content:"<script>try{"; content:"++",within 20,nocase; content:"}catch(",within 10,nocase; content:"}catch(",within 50; pcre:"/\x3cscript\x3etry\x7b\w+\x2b\x2b([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; 
reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24054; rev:6; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure"; flow:to_client,established; file_data; content:"<html><body><applet/code=|22|"; content:"/archive=|22|",within 20; content:".jar",within 20; content:"<param/nam=",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24053; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; http_uri; content:"?page="; pcre:"/\?page\=[a-f0-9]{16}/smi"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:impact_flag red,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23849; rev:5; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole 
redirection page"; flow:to_client,established; file_data; content:"width|3D 27|10|27| height|3D 27|10|27| style|3D 27|visibility|3A|hidden|3B|position|3A|absolute|3B|left|3A|0|3B|top|3A|0|3B 27 3E 3C 2F|iframe|3E 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,www.urlquery.net/report.php?id=113788; classtype:trojan-activity; sid:23797; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - Math.round catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.round",within 50,nocase; content:"}catch(",within 10,nocase; pcre:"/Math\x2eround([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23786; rev:5; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - Math.floor catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.floor",within 50,nocase; content:"}catch(",within 10,nocase; pcre:"/Math\x2efloor([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips 
drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23785; rev:5; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page"; flow:to_client,established; file_data; content:"<html><body><script>z=function(){"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:23781; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole landing page request - tkr"; flow:to_server,established; http_uri; content:".php?"; content:"src=",distance 0; content:"&gpr=",distance 0; content:"&tkr=",distance 0,fast_pattern; pcre:"/src=\d+&gpr=\d+&tkr[ib]?=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,urlquery.net/report.php?id=90530; classtype:trojan-activity; sid:23622; rev:4; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"<h",nocase; content:"><b>Please wait a moment. You will be forwarded..",within 54,distance 1,nocase; content:"</h",within 10; content:"></b>|0D 0A|",within 7,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23159; rev:5; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype-"; content:"}catch(",distance 0; pcre:"/prototype\x2d([^\x7d]{1,5})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23158; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; http_uri; content:"src.php?case="; pcre:"/src.php\?case\=[a-f0-9]{16}/smi"; flowbits:set,kit.blackhole; metadata:impact_flag 
red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22949; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing redirection page"; flow:to_client,established; file_data; content:"document.location|3D 27|http|3A 2F 2F|"; content:"showthread.php?t=",distance 0; pcre:"/showthread\.php\?t\=[a-f0-9]{16}\x27\x3b/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22041; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"ype|22|].q}catch("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; 
reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,research.zscaler.com/2012/04/multiple-hijacking.html; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22040; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22039; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Exploit landing page with specific structure - Loading"; flow:to_client,established; file_data; content:"|0D 0A 0D 0A|<h1><b>Loading...Please Wait...</b>|0D 0A 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; 
reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21876; rev:4; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - catch"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"}catch(qq"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:21661; rev:4; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Landing Page Requested - /Index/index.php"; flow:to_server,established; http_uri; content:"/Index/index.php"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21660; rev:4; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Landing Page Requested - /Home/index.php"; 
flow:to_server,established; http_raw_uri; bufferlen:15; http_uri; content:"/Home/index.php"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21659; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole possible landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<span style=|22|display:none|3B 22|>safsaf(|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21658; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Applet landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><applet/"; content:"archive=",distance 0; content:"code=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; 
reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21657; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific header"; flow:to_client,established; file_data; content:"<h3>Page is loading, please wait..</h3>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21549; rev:4; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific header"; flow:to_client,established; file_data; content:"<h1>Loading ... Please Wait.... 
</h1>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21539; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Exploit Kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code=",nocase; content:"|20|archive=",distance 0,nocase; content:"display|3A|none|3B|",distance 0,nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit pdf download"; flow:to_client, established; flowbits:isset, blackhole.pdf; http_header; content:"application/pdf"; file_data; pkt_data; content:"arr="; pcre:"/\d+(.)\d+\1\d+\1\d+\1\d+\1\d+\1/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; 
reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21344; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole exploit kit pdf request"; flow:to_server,established; http_uri; content:"adp",fast_pattern; content:".php?",within 5,distance 1,nocase; pcre:"/adp\d?\.php\?[fe]=/"; flowbits:set,blackhole.pdf; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21343; rev:5; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit response"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"window.document"; content:"split"; pcre:"/\d{1,3}(.)\d{1,3}\1\d{1,3}\1\d{1,3}\1\d{1,3}\1/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; 
reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21259; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT possible Blackhole landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>|0D 0A|if(window.document)"; pcre:"/(,\d{1,3}){20}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21045; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT possible Blackhole landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>"; content:"new Date().getDay"; pcre:"/(#\d{1,2}){20}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21044; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI Nuclear Pack exploit kit binary download"; flow:to_server,established; http_uri; content:"/g/",depth 3; http_raw_uri; bufferlen:47; 
http_uri; pcre:"/g\/\d{9}\/[0-9a-f]{32}\/[0-9]$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23157.txt; classtype:trojan-activity; sid:23157; rev:6; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"EXPLOIT-KIT URI Nuclear Pack exploit kit landing page"; flow:to_server,established; http_uri; content:"/index.php?"; http_raw_uri; bufferlen:43; http_uri; pcre:"/index.php\?[0-9a-f]{32}$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23156.txt; classtype:bad-unknown; sid:23156; rev:6; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI possible Blackhole URL - search.php?page="; flow:to_server, established; http_uri; content:"/search.php?page="; pcre:"/search\.php\?page=[a-f0-9]{16}$/"; flowbits:set,kit.blackhole; metadata:impact_flag red,policy balanced-ips 
drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21348; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Fake transaction redirect page to exploit kit"; flow:to_client,established; file_data; content:"<h2>Wait your order</h2>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/spam-scams/paypal-payment-notification-leads-to-blackhole-exploit-kit.html; classtype:attempted-user; sid:23141; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - taskkill"; flow:to_client,established; file_data; content:"exec "; content:"taskkill /F /IM"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21875; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse"; flow:to_client,established; file_data; content:"Createobject(StrReverse("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; 
reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21874; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit rhino jar request"; flow:to_client,established; file_data; content:"archive='rhin.jar'"; content:"archive='Goo.jar'",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:attempted-user; sid:21509; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimepack exploit kit malicious pdf request"; flow:to_server, established; http_uri; content:"/pdf.php?pdf="; pcre:"/pdf\.php\?pdf=[0-9A-F]+&type=\d+&o=[^&]+&b=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21099; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimepack exploit kit landing page"; flow:to_client, established; file_data; content:"charCodeAt(0)+13)?c:c-26)|3B|}).replace(/@/g,'A').replace(/!/g,'B').replace(/#/g,'C')"; content:"= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='|3B|"; pcre:"/var ([^\s]+) = ''\x3Bvar ([^,]+), ([^,]+).*\1 = \1 \+ String\.fromCharCode\(\2\).*\!= 64\) \{ \1 = \1 \+ String\.fromCharCode\(\3\)\x3b\}.*\x3breturn unescape\(\1\)\x3b\}return 0\x3b\}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21098; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit exploit fetch request"; flow:to_server, 
established; http_header; content:"?spl="; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21069; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Eleanore exploit kit landing page"; flow:to_client, established; file_data; content:"X-Powered-By|3A| PHP/5.2.0|0D 0A|Content-type|3A| text/html|0D 0A 0D 0A|?>X-Powered-By|3A| PHP/5.2.0|0D 0A|"; content:"?>X-Powered-By: PHP/5.2.0",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21068; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Repeated Exploit Request Pattern"; flow:to_server,established; http_uri; content:"images.php?t="; pcre:"/^images.php\?t=\d{2,7}$/"; detection_filter:track by_src, count 5, seconds 15; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; 
reference:url,labs.snort.org/docs/23218.txt; classtype:trojan-activity; sid:23218; rev:7; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit Java Exploit request to .class file"; flow:to_server,established; http_uri; content:".class"; pcre:"/^\/\w{1,2}\/\w{1,3}\.class$/"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23219; rev:5; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Java Exploit Requested - 5 digit jar"; flow:to_server,established; http_raw_uri; bufferlen:10; http_uri; content:".jar"; pcre:"/^\/[0-9]{5}\.jar$/"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23220; rev:4; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT RedKit Landing Page Received - applet and 5 digit jar attempt"; flow:to_client,established; file_data; content:"<applet"; pcre:"/<applet[^>]+(archive|src)\s*?=\s*?(\x22|\x27|)\s*?(\d{5}\.jar|[^>]+\/\d{5}\.jar)/smi"; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23222; rev:7; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Landing Page Requested - 8Digit.html"; flow:to_server,established; http_raw_uri; bufferlen:14; http_uri; content:".html"; pcre:"/^\/[0-9]{8}\.html$/"; flowbits:set,kit.redkit; 
flowbits:noalert; metadata:service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23224; rev:5; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT RedKit Landing Page Received - applet and flowbit"; flow:to_client,established; flowbits:isset,kit.redkit; file_data; content:"<applet"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23225; rev:5; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-2008-2992"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21678; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call attempt"; flow:to_server,established; http_uri; content:".php?e=Adobe-2010-1297"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21679; rev:4; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-2010-2884"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; 
classtype:attempted-user; sid:21680; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-80-2010-0188"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21681; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-90-2010-0188"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21682; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-0842Helper"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21683; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-0842"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21684; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-3552"; metadata:policy balanced-ips drop,policy security-ips drop,service http; 
reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21685; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=JavaSignedApplet"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21686; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT SET java applet load attempt"; flow:to_client,established; file_data; content:"<applet width=|22|1|22| height=|22|1|22|",fast_pattern; content:"<param name=|22|WINDOWS|22| value=",distance 0,nocase; content:"<param name=|22|OSX|22| value=",distance 0,nocase; content:"<param name=|22|LINUX|22| value=",distance 0,nocase; content:"<param name=|22|64|22| value=",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:23106; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI request for known malicious URI /stat2.php"; flow:to_server,established; http_uri; content:"/stat2.php?w=",nocase; content:"i=",distance 0,nocase; pcre:"/stat2\.php\?w=\d+\x26i=[0-9a-f]{32}\x26a=\d+/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf; reference:url,www.virustotal.com/file-scan/report.html?id=567e2dcde3c182056ef6844ef305e1f64d4ce1bf3fa09d8cdc019cca5e73f373-1318617183; reference:url,www.virustotal.com/file/8380bd105559643c88c9eed02ac16aef82a16e62ef82b72d3fa85c47b5441dc7/analysis/; classtype:trojan-activity; sid:20558; rev:6; ) -alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit pdf exploit page request"; flow:to_server, established; http_header; content:"?spl=2"; http_uri; content:"/pdf.php"; http_header; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21070; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit post-exploit page request"; flow:to_server, established; http_uri; content:"load.php?spl="; pcre:"/load\.php\?spl=(Spreadsheet|DirectX_DS|MS09-002|MS06-006|mdac|RoxioCP v3\.2|wvf|flash|Opera_telnet|compareTo|jno|Font_FireFox|pdf_exp|aol|javad|ActiveX_pack)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21071; rev:4; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimepack exploit kit control panel access"; flow:to_client, established; file_data; content:"<title>CRiMEPACK"; pcre:"/<title>CRiMEPACK [\d\.]+/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; 
reference:cve,2010-0806; classtype:policy-violation; sid:21096; rev:4; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimepack exploit kit post-exploit download request"; flow:to_server, established; http_uri; content:"/load.php?spl="; pcre:"/^\/load\.php\?spl=[^&]+&b=[^&]+&o=[^&]+&i=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:successful-user; sid:21097; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious taskkill script - StrReverse"; flow:to_client,established; file_data; content:"|22|taskkill"; content:"StrReverse",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23147; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious StrReverse - Shell"; flow:to_client,established; file_data; content:"StrReverse|28 22|llehS"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23148; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious StrReverse - Scripting.FileSystemObject"; flow:to_client,established; file_data; content:"StrReverse|28 22|tcejbOmetsySeliF.gnitpircS"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23149; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page received"; flow:to_client,established; file_data; content:"value="; content:"N0b09090",within 10; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; 
reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24226; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 - Landing Page Received"; flow:to_client,established; file_data; content:" $HOME_NET any ( msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"if(navigator.javaEnabled()) {"; content:"document.write(",within 30; content:"php?",within 75; pcre:"/(action|setup)=[a-z]{1,4}/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24231; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?action=",nocase; content:"&h=",distance 0,nocase; pcre:"/\&h=\d{5}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24232; rev:3; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?setup=",nocase; pcre:"/setup=[a-z]$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24233; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?setup=",nocase; 
content:"&s=",distance 0,nocase; content:"&r=",distance 0,nocase; pcre:"/setup=[a-z]\&s=\d\&r=\d{5}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24234; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown exploit kit redirection page"; flow:to_client,established; file_data; content:" $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole v2 fallback executable download"; flow:to_server,established; http_uri; content:"/adobe/update_flash_player.exe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:24501; rev:2; ) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole admin page inbound access attempt"; flow:to_server,established; http_uri; content:"/bhadmin.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24543; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole admin page outbound access attempt"; flow:to_server,established; http_uri; 
content:"/bhadmin.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24544; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page download attempt"; flow:to_client,established; file_data; content:"

Internet Explorer or Mozilla Firefox compatible only


"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24546; rev:2; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"id=",within 64,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatpost.com/d-c-media-sites-hacked-serving-fake-av/; classtype:trojan-activity; sid:26591; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"/*reedjoll*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26599; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"var sentleft=|7B|versoin|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26600; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; 
flow:to_client,established; file_data; content:"|7B|catch(d21vd12v)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26617; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Mutiple exploit kit landing page - specific structure"; flow:established,to_client; file_data; content:" $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:established,to_client; file_data; content:" $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit encrypted binary download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|FB 67 1F 49|",depth 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26805; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit short JNLP request"; flow:to_server,established; http_uri; content:".jnlp"; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26806; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"|7C|secure|7C|length|7C|setStr|7C|getCookie|7C|setCookie|7C|indexOf|7C|v|7C|"; metadata:policy 
balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26807; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit short jar request"; flow:to_server,established; http_uri; content:".jar"; http_header; content:" Java/1."; content:"content-type|3A| application/x-java-archive"; http_uri; pcre:"/^\/[a-z0-9]{1,4}\.jar$/"; http_header; content:!"cbssports.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26808; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; http_uri; bufferlen:17; content:"/linkendorse.html"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26814; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sweet Orange landing page in.php base64 uri"; flow:to_server,established; http_uri; content:"/in.php"; content:"&q=",distance 0; content:"==",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; http_uri; 
content:"/natpay.html?"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26838; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit executable download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".exe",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit jar file download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".jar",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit landing page"; flow:to_client,established; file_data; content:"|0A||0A||0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:27086; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool/Styx exploit kit landing page"; flow:to_client,established; file_data; content:"for("; content:"=0|3B|",within 25; content:".value.length|3B|",within 100; content:".value.substr(",distance 0; pcre:"/for\x28(?P\w+)\x3d0\x3b.*?\.value\.substr\x28(?P=var)\x2c2\x29/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html; classtype:trojan-activity; 
sid:27092; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bjisad.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27106; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|00|Han.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27107; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit malicious jar file downloaded when exe is declared"; flow:to_client,established; http_header; content:"filename="; content:"exe",within 25,nocase; file_data; pkt_data; content:"PK"; content:".class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27108; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Momomo.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27109; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; http_uri; content:"php?sf="; content:"&Ze=",distance 0; content:"&m=",distance 0; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27110; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt"; 
flow:to_server,established; http_uri; content:"/?f=a"; content:"&k=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit numerically named exe file dowload"; flow:to_client,established; http_header; content:"filename="; content:".exe",within 4,distance 4; pcre:"/filename\=\d{4}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27140; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:".value|3B| |09| var"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27141; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:"",distance 0,nocase; 
content:"onselect=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-4969; classtype:attempted-user; sid:24252; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24869; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24870; rev:1; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24871; rev:3; 
) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24872; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById"; content:"document.createElement",distance 0; content:"CollectGarbage",distance 0; content:".outerHTML",distance 0; content:"lastChild.style."; pcre:"/var\s*(\w+)\s*=\s*[\w\.]*?getElementById.*?\1\.lastChild\.style\.[a-z0-9()]\s*=\s*document\.createElement.*?CollectGarbage.*?\1\.outerHTML/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-dos; sid:24956; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25125; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; 
content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25126; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:""; content:""; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25127; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25128; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25129; rev:1; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button 
use after free attempt"; flow:to_server,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25130; rev:2; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25131; rev:2; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:""; content:""; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25132; rev:2; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25133; rev:2; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; 
pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25134; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25234; rev:1; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25235; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25769; rev:4; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 
$HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"DOMParser"; content:"createCDATASection",nocase; content:"|2E|cloneNode",nocase; content:"adoptNode",distance 0,nocase; content:"CollectGarbage()",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25770; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"shape",nocase; content:"setAttribute(",distance 0,fast_pattern,nocase; content:"path",within 5,distance 1,nocase; isdataat:506,relative; content:!")",within 506; pcre:"/var\s*?(?P\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0030; classtype:attempted-user; sid:25773; rev:4; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_client,established; file_data; content:"]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25784; rev:1; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; 
flow:to_server,established; file_data; content:"]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25785; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25786; rev:1; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25787; rev:2; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer iframe use after free attempt"; flow:to_server,established; file_data; content:"]+name\s*=\s*[\x22\x27](?P\w+)[\x22\x27].*?><\x2fiframe\s*>.*?window\x2eopen\x28.{1,30}(?P=iframe_name).*?window\x2eopen\x28.{1,60}(?P=iframe_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25789; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SVG object user after free attempt"; flow:to_client,established; file_data; content:"image x=|22|60|22| y=|22|50|22| width=|22|240|22| 
height=|22|240|22| xlink|3A|href=|22|2.svg"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-admin; sid:25792; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25984; rev:3; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25985; rev:4; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|3C|script|3E|",nocase; content:"|2E|style|2E|behavior",nocase; content:"|23|default|23|userData",distance 0,nocase; content:"setAttribute|28|"; 
pcre:"/(?P[A-Z\d_]+)\x2Estyle\x2Ebehavior\s*\x3D\s*\x22url\x28\x27\x23default\x23userData\x27\x29\x22.*?(?P=obj)\x2EsetAttribute\x28[^,]+,\s*[A-Z]/smi"; content:"|3C 2F|script|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25986; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ani; file_data; content:"RIFF",depth 4; content:"ACON",within 4,distance 4; content:"anih",distance 0,nocase; byte_test:4,>,36,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http, imap, pop3; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079; rev:19; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 2D-position use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand"; content:"2D-position",within 100,fast_pattern,nocase; content:"contenteditable",distance 0,nocase; content:"true",within 10,nocase; content:"onresize",distance 0,nocase; content:"document.write",within 30; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26125; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_client,established; flowbits:isset,file.htc; file_data; 
content:"]*?PUT\s*=\s*[\x22\x27](?P\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26129; rev:2; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_server,established; flowbits:isset,file.htc; file_data; content:"]*?PUT\s*=\s*[\x22\x27](?P\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26130; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:"behavior",nocase; content:"url",within 5,nocase; content:"#savehistory",distance 0,fast_pattern,nocase; content:".outerHTML",distance 0,nocase; pcre:"/<\s*meta[^>]*?(?>content\s*=\s*"history"[^>]*?name\s*=\s*"save"|name\s*=\s*"save"[^>]*?content\s*=\s*"history")\s*>.*?<\s*style[^>]*?>.*?\.(?P\w+)\s*\{[^}]*?behavior\s*\:[^\;]*?url\s*\x28[^\x29]*?#savehistory[^\x29]*?\x29.*?(?P\w+)\.outerHTML\s*=.*?id\s*=\s*[\x22\x27](?P=element)[\x22\x27].*?class=[\x22\x27]?(?P=class)[\x23\x27]?/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26132; rev:2; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_server,established; file_data; content:"behavior",nocase; content:"url",within 5,nocase; 
content:"#savehistory",distance 0,fast_pattern,nocase; content:".outerHTML",distance 0,nocase; pcre:"/<\s*meta[^>]*?(?>content\s*=\s*"history"[^>]*?name\s*=\s*"save"|name\s*=\s*"save"[^>]*?content\s*=\s*"history")\s*>.*?<\s*style[^>]*?>.*?\.(?P\w+)\s*\{[^}]*?behavior\s*\:[^\;]*?url\s*\x28[^\x29]*?#savehistory[^\x29]*?\x29.*?(?P\w+)\.outerHTML\s*=.*?id\s*=\s*[\x22\x27](?P=element)[\x22\x27].*?class=[\x22\x27]?(?P=class)[\x23\x27]?/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26133; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"2<nobr>')"; content:"document.selection.createRange().pasteHTML('<td>3')"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3125; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26847; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE5 compatibility mode user after free attempt"; flow:to_client,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:".runtimeStyle.setExpression"; content:"document.body.innerHTML"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26851; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; 
content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26852; rev:2; ) +alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_server,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26853; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_client,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26867; rev:1; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; 
flow:to_server,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26868; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagNameNS(",nocase; content:"www.w3.org",within 50,nocase; content:"removeAttributeNS(",nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26869; rev:1; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagNameNS(",nocase; content:"www.w3.org",within 50,nocase; content:"removeAttributeNS(",nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26870; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"www.w3.org",nocase; content:"document.getElementsByTagNameNS(",within 100,nocase; content:"removeAttributeNS(",within 100,nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy 
security-ips drop; service:http, imap, pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26871; rev:1; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"www.w3.org",nocase; content:"document.getElementsByTagNameNS(",within 100,nocase; content:"removeAttributeNS(",within 100,nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26872; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; content:"document.createStyleSheet",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26873; rev:1; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; content:"document.createStyleSheet",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26874; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"div1.removeEventListener( 
|27|DOMNodeRemoved|27|, callback, true )"; content:"addEventListener"; content:"DOMNodeRemoved",within 40; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26875; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 cached display node use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|input|22|)[0].focus()"; content:"document.getElementsByTagName(|22|input|22|)[0].applyElement(a)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3116; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26876; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 tree element use after free attempt"; flow:to_client,established; file_data; content:"document.getElementById",nocase; content:"appendChild",within 50,nocase; content:"ClientRects",within 50,fast_pattern,nocase; content:"p id",distance 0; content:"p id",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26878; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"history.go(0)"; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; 
reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26883; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"location.reload("; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26884; rev:2; ) +alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"history.go(0)"; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26886; rev:3; ) +alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"location.reload("; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; 
classtype:attempted-user; sid:26887; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"jquery"; content:"document.createElement",nocase; content:".document.body.appendChild(",within 100,nocase; content:".replaceAll(",within 150,nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26888; rev:1; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"jquery"; content:"document.createElement",nocase; content:".document.body.appendChild",within 100,nocase; content:".replaceAll",within 150,nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26889; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt"; flow:to_client,established; file_data; content:"CollectGarbage()"; content:".createElement",nocase; content:"xml",within 10,nocase; content:".setAttributeNode",within 100,nocase; content:".XMLDocument",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26890; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".exe."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:bad-unknown; sid:26935; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".html."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE[56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:bad-unknown; sid:26936; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".bat."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:bad-unknown; sid:26937; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"ele1.addEventListener( |27|DOMNodeRemoved|27|, eHandler, false )"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26988; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; 
metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27061; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27062; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27100; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27101; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setCapture use after free attempt"; flow:to_client,established; file_data; content:".getElementById(",nocase; content:".setCapture(",within 50,fast_pattern,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3150; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27126; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27127; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_server,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27128; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_client,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27129; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_server,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27130; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('progress'))|3B|document.getElementsByTagName"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27131; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer PreviousTreePos use after free attempt"; flow:to_client,established; file_data; content:".onpropertychange"; content:".swapNode|28|",within 64; pcre:"/\.onpropertychange\s*=\s*function[^{]*?\{[^}]*?\w+\.swapNode\x28/ims"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27132; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27133; rev:1; )
+alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_server,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27134; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"createTHead"; content:"insertAdjacentHTML"; content:"scrollIntoView"; content:"insertRow"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3152; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27135; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27137; rev:4; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27138; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 IE5 compatibility mode use after free attempt"; flow:established,to_client; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:"event.srcElement.parentNode.removeChild|28|"; content:"document.body.appendChild|28|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-admin; sid:27147; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt"; flow:to_client,established; file_data; content:"function",nocase; content:"document.write",within 25,nocase; content:"onbeforeeditfocus=",within 100,nocase; content:"<input",within 25,nocase; content:"</input>",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27148; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt"; flow:to_server,established; file_data; content:"function",nocase; content:"document.write",within 25,nocase; content:"onbeforeeditfocus=",within 100,nocase; content:"<input",within 25,nocase; content:"</input>",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27149; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.execCommand(",nocase; content:"SelectAll",within 9,distance 1,nocase; content:"document.getElementsByName(",within 100,nocase; content:"document.execCommand(|22|Justify",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27150; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.getElementsByName(",nocase; content:"document.execCommand(|22|Justify",within 200,nocase; content:"document.execCommand(",within 100,nocase; content:"SelectAll",within 9,distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27151; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; content:"document.execCommand(",nocase; content:"SelectAll",within 9,distance 1,nocase; content:"document.getElementsByName(",within 100,nocase; content:"document.execCommand(|22|Justify",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27152; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; content:"document.getElementsByName(",nocase; content:"document.execCommand(|22|Justify",within 200,nocase; content:"document.execCommand(",within 100,nocase; content:"SelectAll",within 9,distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27153; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer pElement member use after free attempt"; flow:to_client,established; file_data; content:".removeChild(document.getElementsByTagName(",nocase; content:"bdo",within 10,nocase; content:"CollectGarbage()",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2013-3145; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27154; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_client,established; file_data; content:"<table",nocase; content:"<td",distance 0; content:".getElementsByTagName("; content:"column-count",distance 0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27156; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_server,established; file_data; content:"<table",nocase; content:"<td",distance 0; content:".getElementsByTagName("; content:"column-count",distance 0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27157; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"document.body.appendChild(",within 100,nocase; content:"applyElement(",within 100,fast_pattern,nocase; content:"innerHTML",within 100,nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27171; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"document.createElement(",nocase; content:"document.body.appendChild(",within 100,nocase; content:"applyElement(",within 100,fast_pattern,nocase; content:"innerHTML",within 100,nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27172; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_client,established; file_data; content:"<MARQUEE"; content:".removeNode"; content:"document.execCommand"; content:"selectAll",within 15; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27220; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_server,established; file_data; content:"<MARQUEE"; content:".removeNode",nocase; content:"document.execCommand",nocase; content:"selectAll",within 15,nocase; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27221; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera asynchronous document modifications attempted memory corruption"; flow:to_client,established; file_data; content:"function loop|28 29|"; content:"setInterval|28|doit,0|29|",distance 0; content:"function doit|28 29|",distance 0; content:"document.write",distance 0; content:"setInterval|28|loop,0|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,secunia.com/advisories/39590/; reference:url,www.opera.com/support/kb/view/953/; classtype:attempted-user; sid:16592; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:" for"; content:"document.createElement(|27|canvas|27|)",within 100,nocase; content:"getContext(|27|2d|27|)",within 200,nocase; content:"createImageData(",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24432; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray(1024*1024)|3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24433; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_client,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25621; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_server,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25622; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"SendPlayStateChangeEvents",fast_pattern,nocase; content:"event=|22|playStateChange|28|state|29 22|>onstatechange",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:16537; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS FileSystemObject function call"; flow:to_client,established; file_data; content:"Scripting.FileSystemObject"; content:"<script",nocase; content:"Scripting.FileSystemObject",distance 0,nocase; content:"</script>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-3934; classtype:policy-violation; sid:21447; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft DirectShow ActiveX exploit via JavaScript"; flow:to_client,established; file_data; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-032; classtype:attempted-user; sid:15678; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX buffer overflows attempt"; flow:to_client,established; file_data; content:"url"; content:"toolbar",distance 0; content:"enableZoomPastMax",distance 0; content:"classid=|22|clsid|3A|{3F0EECCE-E138-11D1-8712-0060083D83F5}",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16589; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AtHocGov IWSAlerts ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"AtHocGovGSTlBar.GSHelper.1"; content:".CompleteInstallation|28|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.fortiguard.com/encyclopedia/vulnerability/athocgov.iwsalerts.activex.buffer.overflow.html; classtype:attempted-user; sid:16599; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SaschArt SasCam Webcam Server ActiveX control exploit attempt"; flow:to_client,established; file_data; content:"clsid|3A|0297D24A-F425-47EE-9F3B-A459BCE593E3",nocase; content:"unescape|28|",within 300,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33053; reference:cve,2008-6898; classtype:attempted-user; sid:16715; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; pcre:"/var num \x3D (-1|168430090)\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:16740; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-4588; classtype:attempted-user; sid:16771; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX object access attempt"; flow:to_client,established; file_data; content:"|3D| new ActiveXObject|28 22|ChilkatCrypt2|2E|ChilkatCrypt2|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16789; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|3352B5B9-82E8-4FFD-9EB1-1A3E60056904|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16790; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Roxio CinePlayer SonicDVDDashVRNav.dll ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,23412; reference:cve,2007-1559; classtype:attempted-user; sid:17060; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17086; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VeryDOC PDF Viewer ActiveX control OpenPDF buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|433268D7-2CD4-43E6-AA24-2188672E7252|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17091; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AOL IWinAmpActiveX class ConvertFile buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6|27|"; content:"ConvertFile"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,35028; classtype:attempted-user; sid:17098; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer ActiveX Import playlist name buffer overflow attempt"; flow:to_client,established; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; content:"aaaaaaaaaaaaaaaaaa",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,26130; reference:cve,2007-5601; classtype:attempted-user; sid:17425; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX exploit attempt"; flow:to_client,established; file_data; content:"E9880553-B8A7-4960-A668-95C68BED571E"; content:"unescape|28 27 25 75 34|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:17555; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Backup Exec ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"clsid|3A|22ACD16F-99EB-11D2-9BB3-00400561D975"; content:"unescape|28|"; content:"|25|u",within 5; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,26904; reference:cve,2007-6016; classtype:attempted-user; sid:16672; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX exploit attempt"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; content:"unescape|28 22 25|u",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,27534; reference:bugtraq,27756; reference:cve,2008-5711; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:17654; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Office Viewer ActiveX arbitrary command execution attempt"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5",nocase; content:"targetObject.OpenWebFile|28|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:17701; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"poc|2E|avi",fast_pattern,nocase; content:"event|3D 22|playStateChange|28|foo|29 22 3E|boom",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:18542; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"path|20 3D 20|theForm|2E|address|2E|value|3B|"; content:"ctrl|2E|Open|28|path|29 3B|",distance 0; content:"classid|3D 27|clsid|3A|B09DE715|2D|87C1|2D|11D1|2D|8BE3|2D|0000F8754DA1|27 20|id|3D 27|ctrl|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,32613; reference:cve,2008-4255; classtype:attempted-user; sid:18601; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX exploit attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28|'LPViewer.LPViewer.1'|29|"; content:"unescape",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16588; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; content:"num|20 3D 20|168430090"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:20901; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23376; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23375; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23374; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B6C10489-FB89-11D4-93C9-006008A7EED4\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23373; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23372; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23304; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a06-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23303; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23302; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23301; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e6-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23300; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23299; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23298; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c1-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23297; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23296; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MSXML2.FreeThreadedDOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))MSXML2\.FreeThreadedDOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23295; rev:3; 
) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23294; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23293; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f33-c551-11d3-89b9-0000f81fe221"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23292; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument"; content:".definition(",nocase; 
pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23291; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23290; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.FreeThreadedXMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.FreeThreadedXMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23289; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf91-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, 
pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23288; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.XMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.XMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23287; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf90-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23286; rev:2; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a05-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23146; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; 
flow:to_client,established; file_data; content:"88d969e5-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23145; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c0-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23144; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23143; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23142; rev:3; ) +alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access"; flow:to_client,established; file_data; content:"WMEnc.WMEncProfileManager"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=v)\s*\.\s*GetDetailsString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=n)\s*\.\s*GetDetailsString\s*)\s*\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14257; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"A8D3AD02-7508-4004-B2E9-AD33F087F43C",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetDetailsString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetDetailsString))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14255; rev:9; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxTocCtrl"; 
pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13670; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX clsid access"; flow:to_client,established; file_data; content:"314111b8-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111b8-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13668; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxIndexCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13674; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"314111c6-a502-11d2-bbca-00c04f8ec294",nocase; 
pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111c6-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13672; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX function call access"; flow:to_client,established; file_data; content:"Forms.Image"; pcre:"/(?P<c>\w+)\s*=\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13459; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"4C599241-6926-101B-9992-00000B65C6F9",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4C599241-6926-101B-9992-00000B65C6F9\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13457; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSHierarchicalFlexGridLib.MSHFlexGrid",nocase; 
pcre:"/(?P<c>\w+)\s*=\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Rows\s*|.*(?P=v)\s*\.\s*Rows\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*Rows\s*|.*(?P=n)\s*\.\s*Rows)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15102; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"0ECD9B64-23AA-11D0-B351-00A0C9055D8E",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q22)(\s|>).*(?P=id1)\s*\.\s*(Rows)|<object\s*[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q23)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Rows))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15100; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSFlexGridLib.MSFlexGrid",nocase; 
pcre:"/(?P<c>\w+)\s*=\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FormatString\s*|.*(?P=v)\s*\.\s*FormatString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*FormatString\s*|.*(?P=n)\s*\.\s*FormatString)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15098; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"6262D3A0-531B-11CF-91F6-C2863C385E30",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(FormatString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(FormatString))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15096; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access"; flow:to_client,established; file_data; content:"MsRDP.MsRDP",nocase; 
pcre:"/(?P<c>\w+)\s*=\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=v)\s*\.\s*MsRdpClientShell\.RdpFileContents\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=n)\s*\.\s*MsRdpClientShell\.RdpFileContents)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15863; rev:9; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access"; flow:to_client,established; file_data; content:"4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(MsRdpClientShell\.RdpFileContents)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(MsRdpClientShell\.RdpFileContents))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15861; rev:9; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.Spreadsheet",nocase; 
pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15691; rev:7; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E559-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E559-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15689; rev:7; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC10.Spreadsheet",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15687; rev:8; ) +alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E541-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E541-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15685; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX function call access"; flow:to_client,established; file_data; content:"mscomctl2.animation",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Open\s*|.*(?P=v)\s*\.\s*Open\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\)(\s*\.\s*Open\s*|.*(?P=n)\s*\.\s*Open\s*)\s*\(/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15086; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1",nocase; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q37>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q37)(\s|>).*(?P=id1)\s*\.\s*(Open)|<object\s*[^>]*\s*classid\s*=\s*(?P<q38>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q38)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(Open))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15084; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by ProgID"; flow:to_client,established; file_data; content:"ActiveXObject",nocase; content:"TDCCtl.TDCCtl",distance 0,fast_pattern,nocase; content:"DataURL",nocase; pcre:"/(?P<obj>[A-Z\d_]+)\s*=\s*new\s*ActiveXObject\x28(?P<q1>\x22|\x27|)TDCCtl\.TDCCtl(\.\d)?(?P=q1).*?(?P=obj)\.DataURL\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16511; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by CLSID"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83",nocase; content:"DataURL",nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*333C7BC4-460F-11D0-BC04-0080C7055A83\s*}?(?P=q1)/smi"; pcre:"/(?P<obj>[A-Z\d_]+)\.DataURL\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0805; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16510; rev:8; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX clsid access"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13419; rev:16; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS obfuscated instantiation of ActiveX object - likely malicious"; flow:to_client,established; file_data; content:"new ActiveXObject|28|",nocase; content:"unescape|28|",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2008-3558; classtype:attempted-user; sid:17571; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Tabular Control ActiveX overflow by CLSID / param tag"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83",nocase; content:"<param",distance 0,nocase; content:"DataURL",distance 0,nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*333C7BC4-460F-11D0-BC04-0080C7055A83\s*}?(?P=q1)/smi"; 
pcre:"/<param[^>]+(name\s*=\s*(?P<q2>\x22|\x27|)DataURL(?P=q2)[^>]+value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})|value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})[^>]+name\s*=\s*(?P<q3>\x22|\x27|)DataURL(?P=q3))/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19893; rev:4; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX function call"; flow:to_client,established; file_data; content:"WebViewFolderIcon.WebViewFolderIcon.1"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:8419; rev:14; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"E5DF9D10-3B52-11D1-83E8-00A0C90DC849"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:7985; rev:13; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL cdda URI overflow attempt"; flow:to_client,established; file_data; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; content:"cdda|3A 2F 2F|",nocase; isdataat:100,relative; pcre:"/cdda\x3A\x2F\x2F[^\s\x22\x27]{100}/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; 
reference:bugtraq,44144; reference:cve,2010-3747; classtype:attempted-user; sid:18578; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"ReleaseContext"; pcre:"/(?P<c>\w+)\s*=\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18329; rev:7; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"AddContextRef"; pcre:"/(?P<c>\w+)\s*=\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18242; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"Excel.OActrl"; 
pcre:"/(?P<c>\w+)\s*=\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11183; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B965"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; 
reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11181; rev:12; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office PowerPoint Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22B92"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q19>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q19)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q20>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q20)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:bugtraq,23733; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2494; reference:url,moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html; classtype:attempted-user; sid:11176; rev:13; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Viewer 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F288F2"; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m11>\x22|\x27|)(?P<id1>.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P<q24>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q24)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open)|<object\s*[^>]*\s*classid\s*=\s*(?P<q25>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q25)(\s|>)[^>]*\s*id\s*=\s*(?P<m12>\x22|\x27|)(?P<id2>.+?)(?P=m12)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:15230; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Word Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22BF2"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q14)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q15)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:bugtraq,23784; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2496; 
reference:url,moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html; classtype:attempted-user; sid:11187; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX clsid access"; flow:to_client,established; file_data; content:"FC13BAA2-9C1A-4069-A221-31A147636038"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(Connect)|<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(Connect))/Osi"; metadata:policy balanced-ips drop,policy security-ips alert; service:http; reference:bugtraq,31129; reference:cve,2008-4110; classtype:attempted-user; sid:14756; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX function call access"; flow:to_client,established; file_data; content:"TheFacebook.FacebookPhotoUploader4.4.1"; pcre:"/(?P<c>\w+)\s*=\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=v)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=n)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; 
sid:13421; rev:16; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX function call access"; flow:to_client,established; file_data; content:"SAPBExCommonResources.BExGlobal",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Execute\s*|.*(?P=v)\s*\.\s*Execute\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\)(\s*\.\s*Execute\s*|.*(?P=n)\s*\.\s*Execute\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17616; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX clsid access"; flow:to_client,established; file_data; content:"A009C90D-814B-11D3-BA3E-080009D22344",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Execute)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Execute))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17614; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft ciodm.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; 
reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17596; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft creator.dll 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"F849164D-9863-11D3-97C6-0060084856D4"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17595; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft creator.dll 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"606EF130-9852-11D3-97C6-0060084856D4"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17594; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft msdxm.ocx ActiveX clsid access"; flow:to_client,established; file_data; content:"8E71888A-423F-11D2-876E-00A0C9082467"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17593; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Research In Motion AxLoader ActiveX clsid access"; flow:to_client,established; file_data; content:"4788DE08-3552-49EA-AC8C-233DA52523B9"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4788DE08-3552-49EA-AC8C-233DA52523B9\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,33663; 
reference:cve,2009-0305; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15311; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VMWare VMCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"38DB77F9-058D-4955-98AA-4A9F3B6A5B06"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GuestInfo)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GuestInfo))\s*\(/Osi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,30934; reference:cve,2008-3892; classtype:attempted-user; sid:14611; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service Agent ActiveX function call"; flow:to_client,established; file_data; content:"DWUSWebAgent.WebAgent"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14765; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Autodesk LiveUpdate ActiveX clsid access"; flow:to_client,established; file_data; content:"89EC7921-729B-4116-A819-DF86A4A5776B"; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(ApplyPatch)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(ApplyPatch))\s*\(/Osi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,31490; reference:cve,2008-4472; classtype:attempted-user; sid:14748; rev:8; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Lotus Domino Web Access ActiveX Controls buffer overflow attempt"; flow:to_client,established; file_data; isdataat:1024; content:"ctrl.InstallBrowserHelperDll",nocase; content:"General_ServerName",nocase; content:!">",within 1024; pcre:"/(3BFFE033-BF43-11d5-A271-00A024A51325|iNotes6\.iNotes6|E008A543-CEFB-4559-912F-C27C2B89F13B|dwa7\.dwa7|983A9C21-8207-4B58-BBB8-0EBC3D7C5505|dwa85?\.dwa85?|75AA409D-05F9-4f27-BD53-C7339D4B1D0A)/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,38457; reference:cve,2010-0919; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21421808; classtype:attempted-user; sid:17545; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Data Source Control 11.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E55B-0000-0000-C000-000000000046"; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteRecordSourceIfUnused)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteRecordSourceIfUnused))\s*\(/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19069; reference:bugtraq,24462; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/show/osvdb/27111; classtype:attempted-user; sid:8723; rev:11; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS OWC11.DataSourceControl.11 ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.DataSourceControl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,19069; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/show/osvdb/27111; classtype:attempted-user; sid:9820; rev:10; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX function call access"; flow:to_client,established; file_data; content:"Altiris.AeXNSPkgDL",nocase; 
pcre:"/(?P<c>\w+)\s*=\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=v)\s*\.\s*(Download|DownloadAndInstall)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=n)\s*\.\s*(Download|DownloadAndInstall)\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17094; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Download|DownloadAndInstall)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Download|DownloadAndInstall))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17092; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS IBM Access Support ActiveX clsid access"; flow:to_client,established; file_data; content:"74FFE28D-2378-11D5-990C-006094235084"; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetXMLValue)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetXMLValue))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,34228; reference:cve,2009-0215; classtype:attempted-user; sid:16746; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 31 ActiveX clsid access"; flow:to_client,established; file_data; content:"D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q49>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6\s*}?\s*(?P=q49)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14148; rev:10; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Silverlight privilege escalation attempt"; flow:to_client,established; file_data; content:"System.Net.Sockets|00|SocketAsyncEventArgs",nocase; content:"MemberwiseClone",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2012-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-admin; sid:21299; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"name=|22|docbase|22| value=|22 27| + ",nocase; content:"sBoF",within 20,nocase; metadata:policy balanced-ips 
drop,policy security-ips drop; service:http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:18245; rev:6; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"40EC20B2-61B4-4cdd-B4BD-F1E462C0E398"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-3807; classtype:attempted-user; sid:24525; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"C668B648-A2BD-432C-854F-C8C0A275E1F1"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-3808; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24526; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"7650BC47-036D-4D5B-95B4-9D622C8D00A4"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-3806; classtype:attempted-user; sid:24527; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-3807; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24528; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"0D080D7D-28D2-4F86-BFA1-D582E5CE4867"; 
pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchInstaller)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchInstaller))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26193; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_server; file_data; content:"0D080D7D-28D2-4F86-BFA1-D582E5CE4867"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchInstaller)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchInstaller))/siO"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26194; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Google Apps mailto URI argument injection attempt"; flow:to_client,established; file_data; content:"|22|%20--domain=|22|",nocase; content:"--renderer-path|3D|",nocase; content:"%20--no-sandbox%20"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; 
reference:bugtraq,36581; classtype:attempted-user; sid:26250; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Metalink file download parameter buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.metalink; file_data; content:"<url"; content:"http://",within 100; isdataat:1024,relative; content:!"</url",within 1024; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2008-1602; classtype:attempted-user; sid:26421; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Winds3D Player SceneURL method command execution attempt"; flow:to_client,established; file_data; content:"clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903"; content:"|3C|param name|3D 22|SceneURL|22| value|3D 22|http|3A 2F 2F|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2009-2386; reference:cve,2009-4850; classtype:attempted-user; sid:16785; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"3384F595-9B10-4139-9893-7E4CB1F11875"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(OpenConnection)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(OpenConnection))/siO"; metadata:policy security-ips drop; service:http; reference:cve,2013-0674; reference:url,osvdb.org/show/osvdb/91311; classtype:attempted-user; sid:26497; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Siemens 
SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"WebClientInstall.RegReader"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=v)\s*\.\s*OpenConnection\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=n)\s*\.\s*OpenConnection\s*)/smiO"; metadata:policy security-ips drop; service:http; reference:cve,2013-0674; reference:url,osvdb.org/show/osvdb/91311; classtype:attempted-user; sid:26498; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26524; rev:3; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_server,established; file_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26525; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS 
Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"HSCRemoteDeploy.RemoteInstaller"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=v)\s*\.\s*LaunchInstaller\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=n)\s*\.\s*LaunchInstaller\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26573; rev:1; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_server; file_data; content:"HSCRemoteDeploy.RemoteInstaller"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=v)\s*\.\s*LaunchInstaller\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=n)\s*\.\s*LaunchInstaller\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26574; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value",within 10; 
base64_decode:bytes 1000,offset 2, relative; base64_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26646; rev:3; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_server,established; file_data; content:"jnlp_embedded"; content:"value",within 10; base64_decode:bytes 1000,offset 2, relative; base64_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:smtp; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26647; rev:3; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"META-INF/services/java.sql.Driver"; content:"Fakedriver",nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:smtp; reference:bugtraq,58504; reference:cve,2013-1488; reference:url,osvdb.org/show/osvdb/91472; classtype:attempted-user; sid:26899; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit menu onchange memory corruption attempt"; flow:to_client,established; file_data; content:"window.layoutTestController"; content:"eventSender.keyDown|28 22|e|22 29 3B|",distance 0; content:"eventSender.keyDown|28 22 5C|r|22 2C 20 5B 5D 29 3B|",distance 0; 
content:"document.body.offsetTop|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43083; reference:cve,2010-1814; classtype:attempted-user; sid:19009; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"p|20 7B 20|display|3A 20|run|2D|in|20 7D|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|child|29 3B|"; content:"document.getElementById|28 22|test|22 29|.appendChild|28|document.getElementById|28 22|sibling|22 29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19004; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"elem.setAttribute|28 22|style|22 2C 20 22|display|3A 20|run|2D|in|22 29 3B|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|elem|29 3B|"; content:"document.getElementById|28 22|output|22 29|.appendChild|28|document.getElementById|28 22|block-sibling|22 29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19003; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit removeAllRanges use-after-free attempt"; flow:to_client,established; file_data; content:"window|2E|getSelection|28 29 2E|selectAllChildren"; content:"style|2E|display|20 3D 20 27|none|27|",distance 0; content:"window|2E|getSelection|28 29 2E|removeAllRanges",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43079; reference:cve,2010-1812; classtype:attempted-user; sid:18995; rev:3; ) +alert 
tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit range object remote code execution attempt"; flow:to_client,established; file_data; content:"document.addEventListener(|22|DOM",nocase; content:".innerHTML|20 3D|",distance 0,nocase; content:"document.createRange|28 29 3B|",distance 0,nocase; content:".extractContents|28 29 3B|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,46746; reference:cve,2011-0115; classtype:attempted-user; sid:18770; rev:4; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|img width=0.3133731337313373133731337"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18295; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var Overflow = |22|31337|22 20 2B 20|0|2E|313373133731337313373133731337"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18294; rev:4; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var pi=3+0.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852"; content:"document.write|28 22|Area = pi*|28|r^2|29 22|+pi*|28|radius*radius|29 29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,36023; reference:cve,2009-2195; 
classtype:attempted-user; sid:16145; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari innerHTML use after free exploit attempt"; flow:to_client,established; file_data; content:"setTimeout",nocase; content:"document.body.innerHTML",distance 0,nocase; content:"document.getElementById(",distance 0,nocase; content:".innerHTML",distance 0,nocase; pcre:"/setTimeout.*?\x7b[^\x7d]*document\.body\.innerHTML.*?\x7d.*document\.getElementById\x28(?P<q1>\x22|\x27|)(?P<m1>\w+?)(?P=q1)\x29\.innerHTML.*?div\s+id\s*\x3d\s*(?P<q2>\x22|\x27|)(?P=m1)(?P=q2)/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,48844; reference:cve,2011-0221; classtype:attempted-user; sid:21189; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Microsoft Windows 7 x64 Apple Safari abnormally long iframe exploit attempt"; flow:to_client,established; file_data; content:"<iframe",fast_pattern,nocase; content:"height|3D|",within 50,nocase; pcre:"/<iframe[^>]*?height\x3d\s*[\x22\x27]?\s*[0-9]{6}/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,51122; reference:cve,2011-5046; reference:url,osvdb.org/show/osvdb/77908; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-008; classtype:attempted-dos; sid:20999; rev:9; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point conversion memory corruption attempt"; flow:to_client,established; file_data; content:"debug|28 2D|parseFloat|28 22|NAN|28|ffffe"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:bugtraq,43047; reference:cve,2010-1807; classtype:attempted-user; sid:19008; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit ParentStyleSheet exploit attempt"; flow:to_client,established; file_data; content:".sheet.rules["; 
pcre:"/getElementById\(\x22(.*?)\x22\)\.sheet\.rules\[\d+\].*?([A-Z\d_]+)\s*=\s*document\.getElementById\(\x22\1\x22\).*?\s+\2\.parentElement/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,svnsearch.org/svnsearch/repos/WEBKIT/search?logMessage=51993; classtype:attempted-user; sid:18508; rev:4; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Phoenix exploit kit post-compromise behavior"; flow:to_server, established; http_header; content:"Accept-Encoding: identity, *|3B|q=0"; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.0|3B| Windows 98)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; reference:url,contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html; classtype:successful-user; sid:21860; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure"; flow:to_client,established; file_data; content:"<script>try{"; content:"++",within 20,nocase; content:"}catch(",within 10,nocase; content:"}catch(",within 50; pcre:"/\x3cscript\x3etry\x7b\w+\x2b\x2b([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; 
reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24054; rev:6; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure"; flow:to_client,established; file_data; content:"<html><body><applet/code=|22|"; content:"/archive=|22|",within 20; content:".jar",within 20; content:"<param/nam=",within 20; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24053; rev:3; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; http_uri; content:"?page="; pcre:"/\?page\=[a-f0-9]{16}/smi"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:impact_flag red; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23849; rev:5; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole redirection page"; flow:to_client,established; file_data; content:"width|3D 27|10|27| 
height|3D 27|10|27| style|3D 27|visibility|3A|hidden|3B|position|3A|absolute|3B|left|3A|0|3B|top|3A|0|3B 27 3E 3C 2F|iframe|3E 22|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,www.urlquery.net/report.php?id=113788; classtype:trojan-activity; sid:23797; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - Math.round catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.round",within 50,nocase; content:"}catch(",within 10,nocase; pcre:"/Math\x2eround([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23786; rev:5; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - Math.floor catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.floor",within 50,nocase; content:"}catch(",within 10,nocase; pcre:"/Math\x2efloor([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; 
reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23785; rev:5; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page"; flow:to_client,established; file_data; content:"<html><body><script>z=function(){"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:23781; rev:3; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole landing page request - tkr"; flow:to_server,established; http_uri; content:".php?"; content:"src=",distance 0; content:"&gpr=",distance 0; content:"&tkr=",distance 0,fast_pattern; pcre:"/src=\d+&gpr=\d+&tkr[ib]?=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,urlquery.net/report.php?id=90530; classtype:trojan-activity; sid:23622; rev:4; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"<h",nocase; 
content:"><b>Please wait a moment. You will be forwarded..",within 54,distance 1,nocase; content:"</h",within 10; content:"></b>|0D 0A|",within 7,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23159; rev:5; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype-"; content:"}catch(",distance 0; pcre:"/prototype\x2d([^\x7d]{1,5})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23158; rev:3; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; http_uri; content:"src.php?case="; pcre:"/src.php\?case\=[a-f0-9]{16}/smi"; flowbits:set,kit.blackhole; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; 
reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22949; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing redirection page"; flow:to_client,established; file_data; content:"document.location|3D 27|http|3A 2F 2F|"; content:"showthread.php?t=",distance 0; pcre:"/showthread\.php\?t\=[a-f0-9]{16}\x27\x3b/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22041; rev:4; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"ype|22|].q}catch("; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; 
reference:url,research.zscaler.com/2012/04/multiple-hijacking.html; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22040; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22039; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Exploit landing page with specific structure - Loading"; flow:to_client,established; file_data; content:"|0D 0A 0D 0A|<h1><b>Loading...Please Wait...</b>|0D 0A 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21876; rev:4; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 
$HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - catch"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"}catch(qq"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:21661; rev:4; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Landing Page Requested - /Index/index.php"; flow:to_server,established; http_uri; content:"/Index/index.php"; flowbits:set,kit.blackhole; flowbits:noalert; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21660; rev:4; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Landing Page Requested - /Home/index.php"; flow:to_server,established; http_raw_uri; bufferlen:15; http_uri; content:"/Home/index.php"; flowbits:set,kit.blackhole; flowbits:noalert; service:http; reference:cve,2006-0003; reference:cve,2007-5659; 
reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21659; rev:4; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole possible landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<span style=|22|display:none|3B 22|>safsaf(|27|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21658; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Applet landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><applet/"; content:"archive=",distance 0; content:"code=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; 
reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21657; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific header"; flow:to_client,established; file_data; content:"<h3>Page is loading, please wait..</h3>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21549; rev:4; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific header"; flow:to_client,established; file_data; content:"<h1>Loading ... Please Wait.... 
</h1>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21539; rev:4; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Exploit Kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code=",nocase; content:"|20|archive=",distance 0,nocase; content:"display|3A|none|3B|",distance 0,nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:4; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit pdf download"; flow:to_client, established; flowbits:isset, blackhole.pdf; http_header; content:"application/pdf"; file_data; pkt_data; content:"arr="; pcre:"/\d+(.)\d+\1\d+\1\d+\1\d+\1\d+\1/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; 
reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21344; rev:3; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole exploit kit pdf request"; flow:to_server,established; http_uri; content:"adp",fast_pattern; content:".php?",within 5,distance 1,nocase; pcre:"/adp\d?\.php\?[fe]=/"; flowbits:set,blackhole.pdf; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21343; rev:5; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit response"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"window.document"; content:"split"; pcre:"/\d{1,3}(.)\d{1,3}\1\d{1,3}\1\d{1,3}\1\d{1,3}\1/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; 
reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21259; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT possible Blackhole landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>|0D 0A|if(window.document)"; pcre:"/(,\d{1,3}){20}/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21045; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT possible Blackhole landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>"; content:"new Date().getDay"; pcre:"/(#\d{1,2}){20}/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21044; rev:3; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI Nuclear Pack exploit kit binary download"; flow:to_server,established; http_uri; content:"/g/",depth 3; http_raw_uri; bufferlen:47; 
http_uri; pcre:"/g\/\d{9}\/[0-9a-f]{32}\/[0-9]$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23157.txt; classtype:trojan-activity; sid:23157; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"EXPLOIT-KIT URI Nuclear Pack exploit kit landing page"; flow:to_server,established; http_uri; content:"/index.php?"; http_raw_uri; bufferlen:43; http_uri; pcre:"/index.php\?[0-9a-f]{32}$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23156.txt; classtype:bad-unknown; sid:23156; rev:6; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI possible Blackhole URL - search.php?page="; flow:to_server, established; http_uri; content:"/search.php?page="; pcre:"/search\.php\?page=[a-f0-9]{16}$/"; flowbits:set,kit.blackhole; metadata:impact_flag red,policy balanced-ips 
drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21348; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Fake transaction redirect page to exploit kit"; flow:to_client,established; file_data; content:"<h2>Wait your order</h2>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,stopmalvertising.com/spam-scams/paypal-payment-notification-leads-to-blackhole-exploit-kit.html; classtype:attempted-user; sid:23141; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - taskkill"; flow:to_client,established; file_data; content:"exec "; content:"taskkill /F /IM"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21875; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse"; flow:to_client,established; file_data; content:"Createobject(StrReverse("; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; 
reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21874; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit rhino jar request"; flow:to_client,established; file_data; content:"archive='rhin.jar'"; content:"archive='Goo.jar'",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:attempted-user; sid:21509; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimepack exploit kit malicious pdf request"; flow:to_server, established; http_uri; content:"/pdf.php?pdf="; pcre:"/pdf\.php\?pdf=[0-9A-F]+&type=\d+&o=[^&]+&b=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21099; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimepack exploit kit landing page"; flow:to_client, established; file_data; content:"charCodeAt(0)+13)?c:c-26)|3B|}).replace(/@/g,'A').replace(/!/g,'B').replace(/#/g,'C')"; content:"= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='|3B|"; pcre:"/var ([^\s]+) = ''\x3Bvar ([^,]+), ([^,]+).*\1 = \1 \+ String\.fromCharCode\(\2\).*\!= 64\) \{ \1 = \1 \+ String\.fromCharCode\(\3\)\x3b\}.*\x3breturn unescape\(\1\)\x3b\}return 0\x3b\}/R"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21098; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit exploit fetch 
request"; flow:to_server, established; http_header; content:"?spl="; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21069; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Eleanore exploit kit landing page"; flow:to_client, established; file_data; content:"X-Powered-By|3A| PHP/5.2.0|0D 0A|Content-type|3A| text/html|0D 0A 0D 0A|?>X-Powered-By|3A| PHP/5.2.0|0D 0A|"; content:"?>X-Powered-By: PHP/5.2.0",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21068; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Repeated Exploit Request Pattern"; flow:to_server,established; http_uri; content:"images.php?t="; pcre:"/^images.php\?t=\d{2,7}$/"; detection_filter:track by_src, count 5, seconds 15; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; 
reference:url,labs.snort.org/docs/23218.txt; classtype:trojan-activity; sid:23218; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit Java Exploit request to .class file"; flow:to_server,established; http_uri; content:".class"; pcre:"/^\/\w{1,2}\/\w{1,3}\.class$/"; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23219; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Java Exploit Requested - 5 digit jar"; flow:to_server,established; http_raw_uri; bufferlen:10; http_uri; content:".jar"; pcre:"/^\/[0-9]{5}\.jar$/"; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23220; rev:4; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT RedKit Landing Page Received - applet and 5 digit jar attempt"; flow:to_client,established; file_data; content:"<applet"; pcre:"/<applet[^>]+(archive|src)\s*?=\s*?(\x22|\x27|)\s*?(\d{5}\.jar|[^>]+\/\d{5}\.jar)/smi"; metadata:policy balanced-ips alert,policy security-ips alert; service:http, imap, pop3; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23222; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Landing Page Requested - 8Digit.html"; flow:to_server,established; http_raw_uri; bufferlen:14; http_uri; content:".html"; pcre:"/^\/[0-9]{8}\.html$/"; flowbits:set,kit.redkit; 
flowbits:noalert; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23224; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT RedKit Landing Page Received - applet and flowbit"; flow:to_client,established; flowbits:isset,kit.redkit; file_data; content:"<applet"; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23225; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-2008-2992"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21678; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call attempt"; flow:to_server,established; http_uri; content:".php?e=Adobe-2010-1297"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21679; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-2010-2884"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; 
classtype:attempted-user; sid:21680; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-80-2010-0188"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21681; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-90-2010-0188"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21682; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-0842Helper"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21683; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-0842"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21684; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-3552"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; 
reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21685; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=JavaSignedApplet"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21686; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT SET java applet load attempt"; flow:to_client,established; file_data; content:"<applet width=|22|1|22| height=|22|1|22|",fast_pattern; content:"<param name=|22|WINDOWS|22| value=",distance 0,nocase; content:"<param name=|22|OSX|22| value=",distance 0,nocase; content:"<param name=|22|LINUX|22| value=",distance 0,nocase; content:"<param name=|22|64|22| value=",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; classtype:attempted-user; sid:23106; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI request for known malicious URI /stat2.php"; flow:to_server,established; http_uri; content:"/stat2.php?w=",nocase; content:"i=",distance 0,nocase; pcre:"/stat2\.php\?w=\d+\x26i=[0-9a-f]{32}\x26a=\d+/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf; reference:url,www.virustotal.com/file-scan/report.html?id=567e2dcde3c182056ef6844ef305e1f64d4ce1bf3fa09d8cdc019cca5e73f373-1318617183; reference:url,www.virustotal.com/file/8380bd105559643c88c9eed02ac16aef82a16e62ef82b72d3fa85c47b5441dc7/analysis/; classtype:trojan-activity; sid:20558; rev:6; )
+alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit pdf exploit page request"; flow:to_server, established; http_header; content:"?spl=2"; http_uri; content:"/pdf.php"; http_header; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21070; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit post-exploit page request"; flow:to_server, established; http_uri; content:"load.php?spl="; pcre:"/load\.php\?spl=(Spreadsheet|DirectX_DS|MS09-002|MS06-006|mdac|RoxioCP v3\.2|wvf|flash|Opera_telnet|compareTo|jno|Font_FireFox|pdf_exp|aol|javad|ActiveX_pack)/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21071; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimepack exploit kit control panel access"; flow:to_client, established; file_data; content:"<title>CRiMEPACK"; pcre:"/<title>CRiMEPACK [\d\.]+/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; 
reference:cve,2006-0003; reference:cve,2010-0806; classtype:policy-violation; sid:21096; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimepack exploit kit post-exploit download request"; flow:to_server, established; http_uri; content:"/load.php?spl="; pcre:"/^\/load\.php\?spl=[^&]+&b=[^&]+&o=[^&]+&i=/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:successful-user; sid:21097; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious taskkill script - StrReverse"; flow:to_client,established; file_data; content:"|22|taskkill"; content:"StrReverse",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23147; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious StrReverse - Shell"; flow:to_client,established; file_data; content:"StrReverse|28 22|llehS"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23148; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious StrReverse - Scripting.FileSystemObject"; flow:to_client,established; file_data; content:"StrReverse|28 22|tcejbOmetsySeliF.gnitpircS"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23149; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page received"; flow:to_client,established; file_data; content:"value="; content:"N0b09090",within 10; metadata:policy balanced-ips drop,policy security-ips drop; service:http; 
reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24226; rev:3; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 - Landing Page Received"; flow:to_client,established; file_data; content:" $HOME_NET any ( msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"if(navigator.javaEnabled()) {"; content:"document.write(",within 30; content:"php?",within 75; pcre:"/(action|setup)=[a-z]{1,4}/Ri"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24231; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?action=",nocase; content:"&h=",distance 0,nocase; pcre:"/\&h=\d{5}$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24232; rev:3; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?setup=",nocase; pcre:"/setup=[a-z]$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24233; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; 
content:"php?setup=",nocase; content:"&s=",distance 0,nocase; content:"&r=",distance 0,nocase; pcre:"/setup=[a-z]\&s=\d\&r=\d{5}$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24234; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown exploit kit redirection page"; flow:to_client,established; file_data; content:" $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole v2 fallback executable download"; flow:to_server,established; http_uri; content:"/adobe/update_flash_player.exe"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:24501; rev:2; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole admin page inbound access attempt"; flow:to_server,established; http_uri; content:"/bhadmin.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24543; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole admin page outbound access attempt"; 
flow:to_server,established; http_uri; content:"/bhadmin.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24544; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page download attempt"; flow:to_client,established; file_data; content:"

Internet Explorer or Mozilla Firefox compatible only


"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24546; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"id=",within 64,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,threatpost.com/d-c-media-sites-hacked-serving-fake-av/; classtype:trojan-activity; sid:26591; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"/*reedjoll*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26599; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"var sentleft=|7B|versoin|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26600; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; 
flow:to_client,established; file_data; content:"|7B|catch(d21vd12v)"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26617; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Mutiple exploit kit landing page - specific structure"; flow:established,to_client; file_data; content:" $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:established,to_client; file_data; content:" $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit encrypted binary download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|FB 67 1F 49|",depth 4; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26805; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit short JNLP request"; flow:to_server,established; http_uri; content:".jnlp"; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26806; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"|7C|secure|7C|length|7C|setStr|7C|getCookie|7C|setCookie|7C|indexOf|7C|v|7C|"; metadata:policy 
balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26807; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit short jar request"; flow:to_server,established; http_uri; content:".jar"; http_header; content:" Java/1."; content:"content-type|3A| application/x-java-archive"; http_uri; pcre:"/^\/[a-z0-9]{1,4}\.jar$/"; http_header; content:!"cbssports.com"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26808; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; http_uri; bufferlen:17; content:"/linkendorse.html"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26814; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sweet Orange landing page in.php base64 uri"; flow:to_server,established; http_uri; content:"/in.php"; content:"&q=",distance 0; content:"==",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; http_uri; 
content:"/natpay.html?"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26838; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit executable download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".exe",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit jar file download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".jar",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit landing page"; flow:to_client,established; file_data; content:"|0A||0A||0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:27086; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool/Styx exploit kit landing page"; flow:to_client,established; file_data; content:"for("; content:"=0|3B|",within 25; content:".value.length|3B|",within 100; content:".value.substr(",distance 0; pcre:"/for\x28(?P\w+)\x3d0\x3b.*?\.value\.substr\x28(?P=var)\x2c2\x29/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html; classtype:trojan-activity; 
sid:27092; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bjisad.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27106; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|00|Han.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27107; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit malicious jar file downloaded when exe is declared"; flow:to_client,established; http_header; content:"filename="; content:"exe",within 25,nocase; file_data; pkt_data; content:"PK"; content:".class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27108; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Momomo.class"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27109; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; http_uri; content:"php?sf="; content:"&Ze=",distance 0; content:"&m=",distance 0; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27110; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt"; 
flow:to_server,established; http_uri; content:"/?f=a"; content:"&k=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit numerically named exe file dowload"; flow:to_client,established; http_header; content:"filename="; content:".exe",within 4,distance 4; pcre:"/filename\=\d{4}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27140; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:".value|3B| |09| var"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27141; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:"|00|"; metadata:impact_flag red,policy 
balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Nivdort variant outbound connection"; flow:to_server,established; http_uri; content:"/forum/search.php?method=",nocase; content:"&mode=",distance 0,nocase; content:"&v=",distance 0,nocase; content:"&sox=",distance 0,nocase; http_header; content:!"User-Agent|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/0fecc5c3d6a3ffe4230fb9575f835cee02945a0fcbf93df784570aaeaa9d7135/analysis/; classtype:trojan-activity; sid:26784; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbula variant outbound connection"; flow:to_server,established; http_uri; content:"/miragem/comunic.php"; http_client_body; content:"ext=",nocase; content:"cliente=",distance 0,nocase; content:"mensagem=",distance 0,nocase; content:"tipo=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26792; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbula variant initial CNC contact"; flow:to_server,established; http_uri; content:"/novinha/imgjpgcnf"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26793; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Tomvode variant outbound 
connection"; flow:to_server,established; http_uri; content:"/Default.asp?uid=",fast_pattern,nocase; content:"&do=",distance 0,nocase; content:"&view=",distance 0,nocase; content:"&_lgmode=",distance 0,nocase; content:"&from=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/D5FC378AB31019F99F613BDBABD5AA63D97A3CD0031E90265427DB912D744F88/analysis/; classtype:trojan-activity; sid:26809; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; http_raw_uri; bufferlen:23; http_uri; content:"/content/img/awards.jpg"; http_header; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; http_raw_uri; bufferlen:11; http_header; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; http_uri; pcre:"/^\x2F\d{10}$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Dapato CMS spambot check-in"; flow:to_server,established; http_uri; content:"/seek.cgi?lin=",nocase; content:"&db=",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; 
reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:trojan-activity; sid:26813; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.KitM outbound connection user-agent"; flow:to_server,established; http_header; content:"User-Agent: macs 1."; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26815; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.KitM outbound connection"; flow:to_server,established; http_client_body; content:"/MacApp/"; pcre:"/\/MacApp\/\d{2}(-\d{2}){3}(:\d{2}){2}\.png\r\n[^\x89]+?\x89PNG/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26816; rev:2; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>",depth 18; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blogs.mcafee.com/mcafee-labs/delving-deeply-into-a-bitcoin-botnet; classtype:trojan-activity; sid:26837; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 ( msg:"MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command"; flow:to_server,established; content:"POST |2F|write HTTP|2F|1.1",depth 25; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; classtype:trojan-activity; sid:26839; rev:1; ) 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spy.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"?action=add&a="; content:"&c=",within 12,distance 1; content:"&l=&p="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26840; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spy.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"?action=add&a="; content:"&c=",within 12,distance 1; content:"&l=Microsoft"; content:"Windows",within 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26841; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/info.php?act="; pcre:"/^\/info\.php\?act\x3d(list|online)/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"<|7C|>"; content:"data=",depth 5; content:"<|7C|>",within 3,distance 31; content:"<|7C|>",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; 
reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; http_uri; content:"/images/"; content:".php?id=",distance 1; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26923; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:255<>260; pkt_data; content:"= HTTP/1."; http_uri; content:".php?"; http_raw_uri; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26924; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess outbound connection"; flow:to_server,established; http_uri; content:"/form.php?mode="; content:"&UID=",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26930; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess outbound connection"; flow:to_server,established; http_uri; content:"/links.php?mode=1"; http_header; content:!"Referer"; content:!"Cookie"; content:!"Content-Length"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26931; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TripleNine RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; 
http_header; content:"User-Agent: Mozilla/5.0",nocase; content:"Cache-Control: no-cache",nocase; http_uri; content:"/999"; pcre:"/^\/999$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26940; rev:3; ) -alert tcp $EXTERNAL_NET [$HTTP_PORTS,8264,8500] -> $HOME_NET any ( msg:"MALWARE-CNC WIN.Trojan.PipCreat RAT dropper download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"are you there!@#$%^&*()_+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26941; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.PipCreat RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/adminweb/news.asp?id="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26942; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Post_Show RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/jp/admin.asp"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26943; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Post_Show RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/post_show.asp?"; content:"123456789"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26944; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC 
WIN.Trojan.Bisonal RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:".asp?id=",nocase; content:"host:",distance 0,nocase; content:"user:",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26945; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Uptime RAT beacon attempt"; flow:to_server,established; http_uri; content:".asp?id="; content:"|44 00 61 00 79|",distance 0; content:"|48 00 6F 00 75 00 72|"; content:"|4D 00 69 00 6E|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26946; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,88] ( msg:"MALWARE-CNC Win.Trojan.Orcim variant outbound connection"; flow:to_server,established; http_uri; content:"/u_get.asp?smac="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis/; classtype:trojan-activity; sid:26952; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Talsab variant outbound connection"; flow:to_server,established; http_client_body; content:"destino="; content:"&user=",within 30; content:"&icerik=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis; classtype:trojan-activity; sid:26954; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; http_uri; content:"/forum/search.php?email="; content:"&method=",distance 0; http_header; content:!"Referer"; content:!"Accept-"; metadata:policy 
balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; http_raw_uri; bufferlen:8; http_uri; content:"//u5.htm"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection"; flow:to_server,established; http_uri; content:"/img/get.php?d_info="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:26967; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan outbound connection"; flow:to_server,established; http_uri; content:"/xgi-bin/",depth 9; content:".php?",within 5,distance 1; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection"; flow:to_server,established; http_uri; content:"fetch.py"; pkt_data; 
content:"method|3D|POST|26|encoded|5F|path",nocase; http_client_body; content:"|26|headers|3D|"; content:"|26|postdata|3D|"; content:"|26|version|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/33774900681b25519d0b023d6d78a043cc2dff0a21d6f6df89e314c91118c0fd/analysis; classtype:trojan-activity; sid:26987; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/opt.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26995; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/svc.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26996; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; http_uri; content:"new/f21312a",fast_pattern; http_header; content:"baidu.com"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:26999; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC 
Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; content:"|11 00 00 00 BD B4 E8 BE B6 75 9C A0 80 44 8B EB 82 8B A3 93|",depth 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:27000; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Zbot outbound connection"; flow:to_server,established; http_uri; content:"/col/cfg.bin"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27007; rev:1; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Zbot outbound connection"; flow:to_server,established; http_uri; content:"/col/gate.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27008; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC WIN.Trojan.Zbot payment .scr download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:".rdata|00 00 38 58 00 00 00 F0 01 00 00 5A 00 00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27010; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Phoenot variant outbound connection"; flow:to_server,established; http_uri; content:"mylogs.php"; pkt_data; 
content:"&username="; content:"&os="; content:"logs="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27012; rev:1; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Phoenot variant outbound connection"; flow:to_client,established; file_data; content:""; content:"Liste de toutes les versions de Windows avec lesquelles cette application peut fonctionner",within 104; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27013; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Epipenwa variant outbound connection attempt"; flow:to_server,established; content:"/whisperings/whisperings.asp"; http_client_body; content:"name="; content:"&userid="; content:"&other="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/4f0532e15ced95a1cebc13dd268dcbe7c609d4da237d9e46916678f288d3d9c6/analysis; classtype:trojan-activity; sid:27014; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Namihno Trojan CnC Request"; flow:to_server,established; http_uri; content:"/windows/update/search?hl="; content:"&q=",distance 0; content:"&meta=",distance 0; content:"&id=",distance 0; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26695; rev:3; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cbeplay Ransomware outbound connection - Abnormal HTTP Headers"; flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|Content-Type: 
multipart/form-data|3B| boundary=",depth 70; http_header; content:"|0D 0A|Connection: close|0D 0A|Cache-Control: no-cache|0D 0A|Content-Length: "; http_client_body; content:"|3B| name=|22|data|22 3B| filename=|22|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26696; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cbeplay Ransomware outbound connection - POST Body"; flow:to_server,established; http_uri; content:"index.php"; http_client_body; content:"|3B| name=|22|data|22 3B| filename=|22|"; content:"--",depth 2; pcre:"/filename=\x22\d+\x22\r\n/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26697; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Upero variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Win|0D 0A|"; http_uri; content:"?cdata=",nocase; content:"&detail=",nocase; content:"&fold=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26703; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Kazy Trojan check-in"; flow:to_server,established; http_header; content:"User-Agent: Opera/11 |28|Windows NT 5.1|3B 20 3B| x86|29|"; http_uri; content:"/count.php?page=",depth 16; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; 
reference:url,camas.comodo.com/cgi-bin/submit?file=6d823488b26533f5151c3bab93c2a8ba832c9320e612d58d1134740abe3ca157; classtype:trojan-activity; sid:26712; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 1 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|reg="; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|"; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26713; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 2 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|reg="; pcre:"/gate\x2ephp\x3freg=[a-zA-Z]{15}/"; http_header; content:"User-Agent|3A| Mozilla/4.0 (SEObot)|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26714; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 3 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|id="; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| SEObot)|0D 0A|"; http_uri; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26715; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_alive.php?id="; metadata:policy balanced-ips drop,policy 
security-ips drop,ruleset community; service:http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26719; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_task.php?id="; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26720; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:39; http_uri; content:"/?xclve_"; pcre:"/^\x2f\x3fxclve\x5f[a-zA-Z0-9]{30}$/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:26721; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; http_uri; content:"/imagens/",depth 9; content:".jpg",distance 0; pkt_data; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26722; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Downloader7"; flow:to_server,established; content:".lavaibrasilok.com|0D 0A 0D 0A|"; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.html; classtype:trojan-activity; sid:26723; rev:1; ) +alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc http command"; flow:to_client,established; file_data; content:"http|7C|",depth 5; pcre:"/^http\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26725; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc stop command"; flow:to_client,established; file_data; content:"stop|7C|",depth 5; pcre:"/^stop\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26726; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc die command"; flow:to_client,established; file_data; content:"die|7C|",depth 4; pcre:"/^die\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26727; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc sleep command"; flow:to_client,established; file_data; content:"sleep|7C|",depth 6; pcre:"/^sleep\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26728; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc simple command"; flow:to_client,established; file_data; content:"simple|7C|",depth 7; pcre:"/^simpel\x7c\d+\x7c/"; 
metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26729; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc loginpost command"; flow:to_client,established; file_data; content:"loginpost|7C|",depth 10; pcre:"/^loginpost\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26730; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc datapost command"; flow:to_client,established; file_data; content:"datapost|7C|",depth 9; pcre:"/^datapost\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26731; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc syn command"; flow:to_client,established; file_data; content:"syn|7C|",depth 4; pcre:"/^syn\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26732; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udp command"; flow:to_client,established; file_data; content:"udp|7C|",depth 4; pcre:"/^udp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; 
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26733; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udpdata command"; flow:to_client,established; file_data; content:"udpdata|7C|",depth 8; pcre:"/^udpdata\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26734; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc data command"; flow:to_client,established; file_data; content:"data|7C|",depth 5; pcre:"/^data\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26735; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc icmp command"; flow:to_client,established; file_data; content:"icmp|7C|",depth 5; pcre:"/^icmp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26736; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc tcpdata command"; flow:to_client,established; file_data; content:"tcpdata|7C|",depth 8; pcre:"/^tcpdata\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26737; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dataget command"; flow:to_client,established; file_data; content:"dataget|7C|",depth 8; pcre:"/^dataget\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26738; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc connect command"; flow:to_client,established; file_data; content:"connect|7C|",depth 8; pcre:"/^connect\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26739; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dns command"; flow:to_client,established; file_data; content:"dns|7C|",depth 4; pcre:"/^dns\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26740; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc exec command"; flow:to_client,established; file_data; content:"exec|7C|",depth 5; pcre:"/^exec\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26741; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc resolve command"; flow:to_client,established; file_data; content:"resolve|7C|",depth 8; pcre:"/^resolve\x7c\d+\x7c/"; metadata:impact_flag red,policy 
balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26742; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc antiddos command"; flow:to_client,established; file_data; content:"antiddos|7C|",depth 9; pcre:"/^antiddos\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26743; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc range command"; flow:to_client,established; file_data; content:"range|7C|",depth 6; pcre:"/^range\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26744; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc ftp command"; flow:to_client,established; file_data; content:"ftp|7C|",depth 4; pcre:"/^ftp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26745; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc download command"; flow:to_client,established; file_data; content:"download|7C|",depth 9; pcre:"/^download\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; 
classtype:trojan-activity; sid:26746; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc fastddos command"; flow:to_client,established; file_data; content:"fastddos|7C|",depth 9; pcre:"/^fastddos\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26747; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc slowhttp command"; flow:to_client,established; file_data; content:"slowhttp|7C|",depth 9; pcre:"/^slowhttp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26748; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc allhttp command"; flow:to_client,established; file_data; content:"allhttp|7C|",depth 8; pcre:"/^allhttp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26749; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc full command"; flow:to_client,established; file_data; content:"full|7C|",depth 5; pcre:"/^full\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26750; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Harbinger rootkit click fraud HTTP response"; 
flow:to_client,established; file_data; content:"http://",depth 7; content:"|7C|Mozilla/"; pcre:"/\|(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\|\d+\|/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26752; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Luder outbound connection"; flow:to_server,established; http_uri; content:"/loader.cpl"; pcre:"/\/loader\.cpl$/"; http_header; content:"|3B 20|MSIE|20|"; content:!"|0D 0A|Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/6077fd6cbb44c78a16d66fedb10492c7776127dc76ee071b051970971212bae8/analysis/; classtype:trojan-activity; sid:26774; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Blocker outbound connection HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:11; http_method; content:"GET"; http_uri; content:"/index.html"; pkt_data; content:".info|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; pcre:"/HTTP\/1.[01]\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.info\r\n/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26775; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Blocker outbound connection POST"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"cmd=gravar&dados="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; 
reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26776; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"/m/IbQ"; http_header; content:!"PacketShaper"; http_uri; pcre:"/\/m\/ibq(?!c)[a-p]/ims"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26777; rev:3; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC cridex encrypted POST check-in"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:".exe"; pcre:"/\x5F[A-F0-9]{16}/"; pcre:"/[^ -~\x0d\x0a]{4}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26779; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC cridex HTTP Response - default0.js"; flow:to_client,established; file_data; content:"|00||00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Nivdort variant outbound connection"; flow:to_server,established; http_uri; content:"/forum/search.php?method=",nocase; content:"&mode=",distance 0,nocase; content:"&v=",distance 0,nocase; content:"&sox=",distance 0,nocase; http_header; 
content:!"User-Agent|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/0fecc5c3d6a3ffe4230fb9575f835cee02945a0fcbf93df784570aaeaa9d7135/analysis/; classtype:trojan-activity; sid:26784; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbula variant outbound connection"; flow:to_server,established; http_uri; content:"/miragem/comunic.php"; http_client_body; content:"ext=",nocase; content:"cliente=",distance 0,nocase; content:"mensagem=",distance 0,nocase; content:"tipo=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26792; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbula variant initial CNC contact"; flow:to_server,established; http_uri; content:"/novinha/imgjpgcnf"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26793; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Tomvode variant outbound connection"; flow:to_server,established; http_uri; content:"/Default.asp?uid=",fast_pattern,nocase; content:"&do=",distance 0,nocase; content:"&view=",distance 0,nocase; content:"&_lgmode=",distance 0,nocase; content:"&from=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/D5FC378AB31019F99F613BDBABD5AA63D97A3CD0031E90265427DB912D744F88/analysis/; classtype:trojan-activity; sid:26809; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake 
Antivirus Payment Page Request"; flow:to_server,established; http_raw_uri; bufferlen:23; http_uri; content:"/content/img/awards.jpg"; http_header; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; http_raw_uri; bufferlen:11; http_header; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; http_uri; pcre:"/^\x2F\d{10}$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Dapato CMS spambot check-in"; flow:to_server,established; http_uri; content:"/seek.cgi?lin=",nocase; content:"&db=",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:trojan-activity; sid:26813; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.KitM outbound connection user-agent"; flow:to_server,established; http_header; content:"User-Agent: macs 1."; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26815; rev:2; ) +alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.KitM outbound connection"; flow:to_server,established; http_client_body; content:"/MacApp/"; pcre:"/\/MacApp\/\d{2}(-\d{2}){3}(:\d{2}){2}\.png\r\n[^\x89]+?\x89PNG/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26816; rev:2; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>",depth 18; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blogs.mcafee.com/mcafee-labs/delving-deeply-into-a-bitcoin-botnet; classtype:trojan-activity; sid:26837; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 ( msg:"MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command"; flow:to_server,established; content:"POST |2F|write HTTP|2F|1.1",depth 25; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; classtype:trojan-activity; sid:26839; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spy.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"?action=add&a="; content:"&c=",within 12,distance 1; content:"&l=&p="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26840; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spy.Agent variant outbound connection"; flow:to_server,established; http_uri; 
content:"?action=add&a="; content:"&c=",within 12,distance 1; content:"&l=Microsoft"; content:"Windows",within 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26841; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/info.php?act="; pcre:"/^\/info\.php\?act\x3d(list|online)/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"<|7C|>"; content:"data=",depth 5; content:"<|7C|>",within 3,distance 31; content:"<|7C|>",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; http_uri; content:"/images/"; content:".php?id=",distance 1; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26923; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header 
Structure"; flow:to_server,established; http_raw_uri; bufferlen:255<>260; pkt_data; content:"= HTTP/1."; http_uri; content:".php?"; http_raw_uri; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26924; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess outbound connection"; flow:to_server,established; http_uri; content:"/form.php?mode="; content:"&UID=",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26930; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess outbound connection"; flow:to_server,established; http_uri; content:"/links.php?mode=1"; http_header; content:!"Referer"; content:!"Cookie"; content:!"Content-Length"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26931; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TripleNine RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_header; content:"User-Agent: Mozilla/5.0",nocase; content:"Cache-Control: no-cache",nocase; http_uri; content:"/999"; pcre:"/^\/999$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26940; rev:3; ) +alert tcp $EXTERNAL_NET [$HTTP_PORTS,8264,8500] -> $HOME_NET any ( msg:"MALWARE-CNC WIN.Trojan.PipCreat RAT dropper download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"are you there!@#$%^&*()_+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; 
reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26941; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.PipCreat RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/adminweb/news.asp?id="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26942; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Post_Show RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/jp/admin.asp"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26943; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Post_Show RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/post_show.asp?"; content:"123456789"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26944; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Bisonal RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:".asp?id=",nocase; content:"host:",distance 0,nocase; content:"user:",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26945; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Uptime RAT beacon attempt"; flow:to_server,established; http_uri; content:".asp?id="; content:"|44 00 61 00 79|",distance 0; content:"|48 00 6F 00 75 00 72|"; 
content:"|4D 00 69 00 6E|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:26946; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,88] ( msg:"MALWARE-CNC Win.Trojan.Orcim variant outbound connection"; flow:to_server,established; http_uri; content:"/u_get.asp?smac="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis/; classtype:trojan-activity; sid:26952; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Talsab variant outbound connection"; flow:to_server,established; http_client_body; content:"destino="; content:"&user=",within 30; content:"&icerik=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis; classtype:trojan-activity; sid:26954; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; http_uri; content:"/forum/search.php?email="; content:"&method=",distance 0; http_header; content:!"Referer"; content:!"Accept-"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; http_raw_uri; bufferlen:8; http_uri; content:"//u5.htm"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; 
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection"; flow:to_server,established; http_uri; content:"/img/get.php?d_info="; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:26967; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan outbound connection"; flow:to_server,established; http_uri; content:"/xgi-bin/",depth 9; content:".php?",within 5,distance 1; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection"; flow:to_server,established; http_uri; content:"fetch.py"; pkt_data; content:"method|3D|POST|26|encoded|5F|path",nocase; http_client_body; content:"|26|headers|3D|"; content:"|26|postdata|3D|"; content:"|26|version|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/33774900681b25519d0b023d6d78a043cc2dff0a21d6f6df89e314c91118c0fd/analysis; classtype:trojan-activity; sid:26987; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; 
flow:to_server,established; http_uri; content:"/opt.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26995; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/svc.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26996; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; http_uri; content:"new/f21312a",fast_pattern; http_header; content:"baidu.com"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:26999; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; content:"|11 00 00 00 BD B4 E8 BE B6 75 9C A0 80 44 8B EB 82 8B A3 93|",depth 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:27000; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Zbot outbound connection"; 
flow:to_server,established; http_uri; content:"/col/cfg.bin"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27007; rev:1; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Zbot outbound connection"; flow:to_server,established; http_uri; content:"/col/gate.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27008; rev:1; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC WIN.Trojan.Zbot payment .scr download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:".rdata|00 00 38 58 00 00 00 F0 01 00 00 5A 00 00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27010; rev:2; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Phoenot variant outbound connection"; flow:to_server,established; http_uri; content:"mylogs.php"; pkt_data; content:"&username="; content:"&os="; content:"logs="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27012; rev:1; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Phoenot variant outbound connection"; flow:to_client,established; file_data; content:""; content:"Liste de toutes les versions de Windows avec lesquelles 
cette application peut fonctionner",within 104; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27013; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Epipenwa variant outbound connection attempt"; flow:to_server,established; content:"/whisperings/whisperings.asp"; http_client_body; content:"name="; content:"&userid="; content:"&other="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/4f0532e15ced95a1cebc13dd268dcbe7c609d4da237d9e46916678f288d3d9c6/analysis; classtype:trojan-activity; sid:27014; rev:2; )
 alert tcp $HOME_NET any -> $EXTERNAL_NET 4141 ( msg:"MALWARE-CNC Trojan.Netweird.A outbound communication attempt"; flow:to_server,established; content:"|41 00 00 00 03|"; dsize:69; flowbits:set,netweird; flowbits:noalert; metadata:impact_flag red; reference:url,blog.webroot.com/2012/09/14/wirenet-the-password-stealing-trojan-lands-on-linux-and-os-x/; classtype:trojan-activity; sid:27022; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; http_uri; content:"/get.asp?mac="; content:"&os=",within 36; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; http_uri; content:"/get.asp?mac="; content:"&os=",within 36; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; 
reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1; )
 alert tcp $HOME_NET any -> $EXTERNAL_NET 3337 ( msg:"MALWARE-CNC Win.Trojan.Dokstormac outbound connection"; flow:to_server,established; content:"QDAwMDB+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27049; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Yakes outbound connection"; flow:to_server,established; http_client_body; content:"=qgAAAAgA"; http_uri; content:"/report.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27054; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dalbot outbound connection"; flow:to_server,established; content:"Cookie: CAQGBgoFD1"; http_cookie; content:"CAQGBgoFD1"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/dbf9d2a7659d09ea7ef2d38f30fa4cfb/analysis/; classtype:trojan-activity; sid:27057; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.HackBack outbound connection"; flow:to_server,established; http_uri; content:"/ADMac/up.php?cname="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27058; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; http_uri; content:"/uploading/id="; 
content:"&u=",distance 0; content:"==",distance 0; http_header; content:!"Referer"; http_uri; pcre:"/^\/uploading/id=\d+\&u=.*\=\=$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27093; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/minzhu0906/article/54726977"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/e6e009755ab37fa41e92059f29c25518f47ab09dbc881c30c96415ee1048241b/analysis; classtype:trojan-activity; sid:27120; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Atezag variant outbound connection"; flow:to_server,established; http_uri; content:"/carga1/recept.php"; http_client_body; content:"condicao=",nocase; content:"arq=",distance 0,nocase; content:"texto=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/2d85447bc2634a2620ad76be2a5eb331f5a06276e5b597d36ba26643850d4dcb/analysis/; classtype:trojan-activity; sid:27169; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Gamarue Trojan - Mozi1la User-Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozi1la/4.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27248; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Win.Kraziomel Download - 000.jpg"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/000.jpg"; pkt_data; content:"HTTP/1.0|0D 0A|Host: 
"; content:!"|3A 20|",distance 0; metadata:impact_flag red,policy balanced-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27533; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; http_header; content:"X-YouTube-Other-Cookies:",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_uri; content:"/watch?v=DZZ3tTTBiTs"; http_header; content:"youtube.com",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27545; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_uri; content:"/watch?v=ky4M9kxUM7Y"; http_header; content:"youtube.com",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27546; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; 
flow:to_server,established; http_header; content:"hjdullink.nl"; http_uri; content:"/images/re.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27547; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Lorapu variant outbound connection"; flow:to_server,established; http_uri; content:"/v12/kkrasxuparola/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/23de6502fbdb613dd9de4c7cdf68f00170cd53e8130af39623b5d9cac3807c92/analysis/; classtype:trojan-activity; sid:27551; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download request"; flow:to_server,established; http_uri; content:"/ld.aspx",nocase; http_header; content:"User-Agent|3A 20|FWVersionTestAgent|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity; sid:27567; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_client,established; file_data; content:"|27 20|width=|27|6|27 20|height=|27|10|27 20|style=|27|position|3A 20|absolute|3B 20|left|3A 20 2D|1000px|3B 20|top|3A 20 2D|1000px|3B 20|z-index|3A 20|1|3B 27 3E 3C 2F|iframe|3E 22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23618; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 
$HOME_NET any ( msg:"MALWARE-OTHER Malvertising network attempted redirect"; flow:to_client,established; file_data; content:".php|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,labs.sucuri.net/?details=pairedpixels.com; classtype:trojan-activity; sid:23620; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Malvertising redirection page"; flow:to_client,established; file_data; content:"|22| height=0 width=0>|27 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:trojan-activity; sid:23798; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Malvertising redirection campaign - blackmuscat"; flow:to_server,established; http_uri; content:"/blackmuscat"; pcre:"/\x2fblackmuscats?\x3f\d/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23833; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; http_uri; content:"/rebots.php"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:4; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER nikjju script injection"; flow:to_client,established; file_data; content:"script src=http|3A 2F 2F|",nocase; content:"|2F|r.php",within 50,fast_pattern,nocase; metadata:policy balanced-ips 
alert,policy security-ips alert,service http; reference:url,isc.sans.edu/diary.html?storyid=13036; classtype:misc-activity; sid:21949; rev:3; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:22061; rev:6; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Horde javascript.php href backdoor"; flow:to_server,established; http_uri; content:"/horde/services/javascript.php",fast_pattern; http_cookie; content:"href="; http_client_body; content:"file=open_calendar.js"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0209; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; classtype:trojan-activity; sid:21555; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_server,established; http_uri; content:".ru/",nocase; content:"/?",distance 0; content:"|0D 0A|",within 2,distance 1; pcre:"/\x2eru/\w+\?\d$/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:24099; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER NeoSploit Malvertising - URI Requested"; flow:to_server,established; http_raw_uri; bufferlen:>62; pkt_data; content:"GET /?"; http_uri; pcre:"/\/\?[0-9a-f]{60,66}[\;\d]*$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23058; rev:2; )
-alert udp $HOME_NET any -> $HOME_NET 137 ( msg:"MALWARE-OTHER 
Dorifel/Quervar/XDocCrypt query for machine name KASPERSKY"; content:"|01 10 00 01|",depth 4,offset 2; content:"|20 45 4C 45 42 46 44 46 41 45 46 46 43 46 44 45 4C 46 4A 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20 00 01|",depth 38,offset 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service netbios-ns; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24143; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5B 2B 2B 2B|fpnesnpr|2B 2B 2B 5D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24144; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt sent over email"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5B 2B 2B 2B|fpnesnpr|2B 2B 2B 5D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24145; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; http_uri; content:"a=YWZmaWQ9MDUyODg"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; 
classtype:bad-unknown; sid:24225; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24257; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24258; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords",nocase; content:"Dump passwords from files",within 150,nocase; content:"pwdump"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24259; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords",nocase; content:"Dump passwords from files",within 150,nocase; content:"pwdump"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; 
reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24260; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24261; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24262; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Yakes outbound connection"; flow:to_server,established; http_client_body; content:"=qgAAAAgA"; http_uri; content:"/report.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27054; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dalbot outbound connection"; flow:to_server,established; content:"Cookie: CAQGBgoFD1"; http_cookie; content:"CAQGBgoFD1"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; 
reference:url,www.virustotal.com/file/dbf9d2a7659d09ea7ef2d38f30fa4cfb/analysis/; classtype:trojan-activity; sid:27057; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.HackBack outbound connection"; flow:to_server,established; http_uri; content:"/ADMac/up.php?cname="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27058; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; http_uri; content:"/uploading/id="; content:"&u=",distance 0; content:"==",distance 0; http_header; content:!"Referer"; http_uri; pcre:"/^\/uploading/id=\d+\&u=.*\=\=$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:27093; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/minzhu0906/article/54726977"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/e6e009755ab37fa41e92059f29c25518f47ab09dbc881c30c96415ee1048241b/analysis; classtype:trojan-activity; sid:27120; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Atezag variant outbound connection"; flow:to_server,established; http_uri; content:"/carga1/recept.php"; http_client_body; content:"condicao=",nocase; content:"arq=",distance 0,nocase; content:"texto=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/2d85447bc2634a2620ad76be2a5eb331f5a06276e5b597d36ba26643850d4dcb/analysis/; 
classtype:trojan-activity; sid:27169; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Gamarue Trojan - Mozi1la User-Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozi1la/4.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27248; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Win.Kraziomel Download - 000.jpg"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/000.jpg"; pkt_data; content:"HTTP/1.0|0D 0A|Host: "; content:!"|3A 20|",distance 0; metadata:impact_flag red,policy balanced-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27533; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; http_header; content:"X-YouTube-Other-Cookies:",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_uri; content:"/watch?v=DZZ3tTTBiTs"; http_header; content:"youtube.com",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0158; 
reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27545; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_uri; content:"/watch?v=ky4M9kxUM7Y"; http_header; content:"youtube.com",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27546; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_header; content:"hjdullink.nl"; http_uri; content:"/images/re.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27547; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Lorapu variant outbound connection"; flow:to_server,established; http_uri; content:"/v12/kkrasxuparola/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/file/23de6502fbdb613dd9de4c7cdf68f00170cd53e8130af39623b5d9cac3807c92/analysis/; classtype:trojan-activity; sid:27551; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download request"; flow:to_server,established; http_uri; content:"/ld.aspx",nocase; http_header; content:"User-Agent|3A 20|FWVersionTestAgent|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; 
reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity; sid:27567; rev:1; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_client,established; file_data; content:"|27 20|width=|27|6|27 20|height=|27|10|27 20|style=|27|position|3A 20|absolute|3B 20|left|3A 20 2D|1000px|3B 20|top|3A 20 2D|1000px|3B 20|z-index|3A 20|1|3B 27 3E 3C 2F|iframe|3E 22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23618; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Malvertising network attempted redirect"; flow:to_client,established; file_data; content:".php|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|>"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,labs.sucuri.net/?details=pairedpixels.com; classtype:trojan-activity; sid:23620; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Malvertising redirection page"; flow:to_client,established; file_data; content:"|22| height=0 width=0>|27 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:trojan-activity; sid:23798; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Malvertising redirection campaign - blackmuscat"; flow:to_server,established; http_uri; content:"/blackmuscat"; pcre:"/\x2fblackmuscats?\x3f\d/i"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.sucuri.net/?malware; 
classtype:trojan-activity; sid:23833; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; http_uri; content:"/rebots.php"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER nikjju script injection"; flow:to_client,established; file_data; content:"script src=http|3A 2F 2F|",nocase; content:"|2F|r.php",within 50,fast_pattern,nocase; metadata:policy balanced-ips alert,policy security-ips alert; service:http; reference:url,isc.sans.edu/diary.html?storyid=13036; classtype:misc-activity; sid:21949; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:22061; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Horde javascript.php href backdoor"; flow:to_server,established; http_uri; content:"/horde/services/javascript.php",fast_pattern; http_cookie; content:"href="; http_client_body; content:"file=open_calendar.js"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:cve,2012-0209; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; classtype:trojan-activity; sid:21555; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER 
Malvertising redirection attempt"; flow:to_server,established; http_uri; content:".ru/",nocase; content:"/?",distance 0; content:"|0D 0A|",within 2,distance 1; pcre:"/\x2eru/\w+\?\d$/mi"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:24099; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER NeoSploit Malvertising - URI Requested"; flow:to_server,established; http_raw_uri; bufferlen:>62; pkt_data; content:"GET /?"; http_uri; pcre:"/\/\?[0-9a-f]{60,66}[\;\d]*$/"; metadata:policy balanced-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:23058; rev:2; )
+alert udp $HOME_NET any -> $HOME_NET 137 ( msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt query for machine name KASPERSKY"; content:"|01 10 00 01|",depth 4,offset 2; content:"|20 45 4C 45 42 46 44 46 41 45 46 46 43 46 44 45 4C 46 4A 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20 00 01|",depth 38,offset 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:netbios-ns; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24143; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5B 2B 2B 2B|fpnesnpr|2B 2B 2B 5D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24144; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt sent over email"; flow:to_server,established; 
flowbits:isset,file.exe; file_data; content:"|5B 2B 2B 2B|fpnesnpr|2B 2B 2B 5D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24145; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; http_uri; content:"a=YWZmaWQ9MDUyODg"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:2; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24257; rev:2; )
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24258; rev:3; )
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords",nocase; content:"Dump passwords from 
files",within 150,nocase; content:"pwdump"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24259; rev:2; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords",nocase; content:"Dump passwords from files",within 150,nocase; content:"pwdump"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24260; rev:3; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:http, imap, pop3; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24261; rev:2; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; service:smtp; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24262; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 84 ( msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; 
flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src, count 1, seconds 120; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:4; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Downloader download"; flow:to_client,established; file_data; content:"|01 7C F2 E8 39 0A 61 81 59 BD CA 62 00 BE CA 7D D3 F9 4E CC EB 48 20 5F EC D3 61 46 36 7B 36 EB|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24311; rev:3; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Downloader inbound email"; flow:to_server,established; file_data; content:"|01 7C F2 E8 39 0A 61 81 59 BD CA 62 00 BE CA 7D D3 F9 4E CC EB 48 20 5F EC D3 61 46 36 7B 36 EB|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24312; rev:4; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Miniflame download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"icsvnt"; content:"RegisterService",nocase; content:"ServiceMain",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24408; rev:2; ) 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Miniflame download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"icsvnt"; content:"RegisterService",nocase; content:"ServiceMain",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24409; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Gauss download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|2E 00|B|00|a|00|c|00|k|00|u|00|p|00|0|00|D",nocase; content:"t|00|a|00|r|00|g|00|e|00|t|00 2E 00|l|00|n|00|k"; content:"|25 00|x",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24410; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Gauss download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|2E 00|B|00|a|00|c|00|k|00|u|00|p|00|0|00|D",nocase; content:"t|00|a|00|r|00|g|00|e|00|t|00 2E 00|l|00|n|00|k"; content:"|25 00|x",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24411; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Lucuis malware file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"01234567890123456789eric0123456789012345678karen|00 00 00 00 25|SystemRoot"; metadata:impact_flag red,policy balanced-ips 
drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24515; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Trojan.Lucuis malware file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"01234567890123456789eric0123456789012345678karen|00 00 00 00 25|SystemRoot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b76b6c8d5378e465c91f6283b6f11fdd58916cfe02923b3a48344174c2272bc0/analysis/; classtype:trojan-activity; sid:24516; rev:2; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger inside website logger 2.4 runtime detection"; flow:to_server,established; content:"Subject|3A| Email Reports from Inside Website Logger"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.programurl.com/inside-website-logger.htm; classtype:successful-recon-limited; sid:12480; rev:4; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send alert out through email"; flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy",nocase; content:"Alert",distance 0,nocase; pcre:"/^SpyBuddy\s+Alert/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,www.spywareguide.com/product_show.php?id=21; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719; classtype:successful-recon-limited; sid:8357; rev:5; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send log out through email"; flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy",nocase; content:"Activity",distance 0,nocase; 
content:"Logs",distance 0; pcre:"/^SpyBuddy\s+Activity\s+Logs/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,www.spywareguide.com/product_show.php?id=21; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719; classtype:successful-recon-limited; sid:8356; rev:5; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection"; flow:to_server,established; content:"From|3A|",nocase; content:"SpyBuddy",distance 0,nocase; pcre:"/^From\x3a[^\r\n]*SpyBuddy/smi"; flowbits:set,SpyBuddy_SMTP; flowbits:noalert; metadata:service smtp; classtype:successful-recon-limited; sid:8355; rev:6; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spyagent runtime detect - alert notification"; flow:to_server,established; content:"This is an alert notification from SpyAgent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5882; rev:7; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"MALWARE-OTHER Keylogger spyagent runtime detect - ftp delivery"; flow:to_server,established; content:"STOR spyagent-log"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service ftp; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5881; rev:9; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-OTHER Keylogger spyagent runtime detect - smtp delivery"; flow:to_server,established; content:"Computer IP Address|3A|",nocase; content:"Attached to this email are the activity logs that you have requested",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service smtp; reference:url,www.spywareguide.com/product_show.php?id=22; 
classtype:successful-recon-limited; sid:5880; rev:6; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 2"; flow:to_server,established; http_uri; content:"/fs-bin/swat?",nocase; content:"lsnsig=",nocase; content:"offerid=",nocase; http_header; content:"Referer|3A| e2give.com",fast_pattern,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5909; rev:11; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 1"; flow:to_server,established; http_uri; content:"/fs-bin/click?",nocase; content:"id=",nocase; content:"offerid=",nocase; content:"type=",nocase; pkt_data; content:"Referer|3A| e2give.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5908; rev:8; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - check update"; flow:to_server,established; http_uri; content:"/go/check?",nocase; content:"build=",nocase; content:"source=",nocase; pkt_data; content:"Host|3A| e2give.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5907; rev:8; ) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware myway speedbar runtime 
detection - switch engines"; flow:to_server,established; http_uri; content:"PG=SPEEDBAR",nocase; pcre:"/\.(jsp|html)\?[^\r\n]*PG=SPEEDBAR/i"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips drop,service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5805; rev:13; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Coded by fzk",nocase; content:"|40 00|smb.txt",nocase; content:"I got back a null buffer !"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:24589; rev:1; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Coded by fzk",nocase; content:"|40 00|smb.txt",nocase; content:"I got back a null buffer !"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:24590; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"unable to start gsecdump"; content:"dump_usedhashes,u",nocase; content:"iamservice",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; 
reference:url,www.virustotal.com/file/0821986b379c8f823bffea73cb25819a8a807c381b084e962b5e51c78f187199/analysis/; classtype:trojan-activity; sid:24591; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"unable to start gsecdump"; content:"dump_usedhashes,u",nocase; content:"iamservice",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/0821986b379c8f823bffea73cb25819a8a807c381b084e962b5e51c78f187199/analysis/; classtype:trojan-activity; sid:24592; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt"; flow:to_client,established; flowbits:isset,malware.miniflame; content:"|0D 0A|\r\n/smi"; flowbits:unset,malware.miniflame; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24594; rev:1; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"p2x5142.dll failed"; content:"DBG: FIND",nocase; content:"GetTempDir",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/886ecd19280ab8f7dc962d85ad1b94b251592e412f4f41fe7c1596767e739489/analysis/; classtype:trojan-activity; sid:24600; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"p2x5142.dll failed"; 
content:"DBG: FIND",nocase; content:"GetTempDir",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/886ecd19280ab8f7dc962d85ad1b94b251592e412f4f41fe7c1596767e739489/analysis/; classtype:trojan-activity; sid:24601; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"bind port |5B 25|d|5D| faild!"; content:"-conn",nocase; content:"cmdsocks.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/410a85bb7522e86de3da953c69d3721752ef88b272ef47c86555a08c1767cdda/analysis/; classtype:trojan-activity; sid:24602; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"bind port |5B 25|d|5D| faild!"; content:"-conn",nocase; content:"cmdsocks.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/410a85bb7522e86de3da953c69d3721752ef88b272ef47c86555a08c1767cdda/analysis/; classtype:trojan-activity; sid:24603; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"msiveop.dat|00|msnetst.exe"; content:"cmd.exe|00|command.com",nocase; content:"700WP",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/3a99a24bd0420fa5176e68092b803f68a8d13d803de4f9d8d375256b132c8951/analysis/; classtype:trojan-activity; sid:24604; rev:2; ) -alert tcp $EXTERNAL_NET any 
-> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"msiveop.dat|00|msnetst.exe"; content:"cmd.exe|00|command.com",nocase; content:"700WP",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/3a99a24bd0420fa5176e68092b803f68a8d13d803de4f9d8d375256b132c8951/analysis/; classtype:trojan-activity; sid:24605; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"SSLTlsvc has removed successfully!"; content:"bindconnverb",nocase; content:"cmd3",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/655d1a21fbaf3571beee860a99d009ba0a604430fe42925d07eff48a97a3cf73/analysis/; classtype:trojan-activity; sid:24606; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"SSLTlsvc has removed successfully!"; content:"bindconnverb",nocase; content:"cmd3",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/655d1a21fbaf3571beee860a99d009ba0a604430fe42925d07eff48a97a3cf73/analysis/; classtype:trojan-activity; sid:24607; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"udp associate"; content:"lost host1|21|",nocase; content:"cmdsocks |3C|1.34|3E|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; 
reference:url,www.virustotal.com/file/af2a6b22b4f42d6b190f122c1c06abb0760b47c4e195cc0e5bd4e4fabf56b8cb/analysis/; classtype:trojan-activity; sid:24609; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"udp associate"; content:"lost host1|21|",nocase; content:"cmdsocks |3C|1.34|3E|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/af2a6b22b4f42d6b190f122c1c06abb0760b47c4e195cc0e5bd4e4fabf56b8cb/analysis/; classtype:trojan-activity; sid:24610; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"IO_wfile_underflow"; content:"Gethostbyname|28 25|s|29|",nocase; content:"stack smashing attack",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/e01351a627a5db51607b1bffd7cb22eabf64d421436131a1ef24fc447d47a85d/analysis/; classtype:trojan-activity; sid:24611; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"IO_wfile_underflow"; content:"Gethostbyname|28 25|s|29|",nocase; content:"stack smashing attack",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/e01351a627a5db51607b1bffd7cb22eabf64d421436131a1ef24fc447d47a85d/analysis/; classtype:trojan-activity; sid:24612; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"Type your current password to get root"; content:"/usr/bin/chfn |2D|h",nocase; 
content:"uid|3D|1000|28|hunger|29|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/25748edee2e58e31b9f79d328ce9286b69f082db86467d6401dd23cb55b0cdfa/analysis/; classtype:trojan-activity; sid:24613; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"Type your current password to get root"; content:"/usr/bin/chfn |2D|h",nocase; content:"uid|3D|1000|28|hunger|29|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/25748edee2e58e31b9f79d328ce9286b69f082db86467d6401dd23cb55b0cdfa/analysis/; classtype:trojan-activity; sid:24614; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"crack|5F|ftp|28|self|29|"; content:"users |3D| |5B 27|root",nocase; content:"do|5F|smb|5F|ck",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/7c334a0a9ef6ab520366e0b20ba488e41b546aae34395c83c0d420102ad550cd/analysis/; classtype:trojan-activity; sid:24615; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"crack|5F|ftp|28|self|29|"; content:"users |3D| |5B 27|root",nocase; content:"do|5F|smb|5F|ck",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/7c334a0a9ef6ab520366e0b20ba488e41b546aae34395c83c0d420102ad550cd/analysis/; classtype:trojan-activity; sid:24616; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( 
msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|23 23|auth|23 23 5B 25|s|5D| succ|21|"; content:"cqo |00|cqto |00|",nocase; content:"block socket|5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/08f7c373abfa4dc80b015c518834a2f441544a75ae5091f7585bedd31c0e31e2/analysis/; classtype:trojan-activity; sid:24617; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|23 23|auth|23 23 5B 25|s|5D| succ|21|"; content:"cqo |00|cqto |00|",nocase; content:"block socket|5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/8f6c0e43bab53df013ef522c83acf0278e9c3ed248f6d10560ae57e13fc3c0a3/analysis/; classtype:trojan-activity; sid:24618; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5B|SERVER|5D|connection to |25|s|3A 25|d error"; content:"ntimfos|2E|eng",nocase; content:"wsastartup",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/c770b96d25c4f0102b3d0a728f75d683779308dca2283a0ebae69ac1e2672a52/analysis/; classtype:trojan-activity; sid:24619; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5B|SERVER|5D|connection to |25|s|3A 25|d error"; content:"ntimfos|2E|eng",nocase; content:"wsastartup",nocase; 
metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/c770b96d25c4f0102b3d0a728f75d683779308dca2283a0ebae69ac1e2672a52/analysis/; classtype:trojan-activity; sid:24620; rev:4; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Error in cmdline|21|"; content:"InjectDllAndCallFunction",nocase; content:"lsass.exe",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:24621; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Error in cmdline|21|"; content:"InjectDllAndCallFunction",nocase; content:"lsass.exe",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:24622; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"hendi"; content:"exec",nocase; content:"rm -rf",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:24648; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; 
flow:to_client,established; file_data; content:"wieeeee"; content:"md5 cracker",nocase; content:"die()",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/eb8c799f47fad06026e5e454e3dc56902055c9c6c55f5f1ded4f88f53ac9076c/analysis/1350929362/; classtype:trojan-activity; sid:24727; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.Imuler suspicious download"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"/tmp/launch-ICS000"; content:".confr",nocase; content:"rm -rf",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24799; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER OSX.Trojan.Imuler suspicious download"; flow:to_server,established; flowbits:isset,file.universalbinary; file_data; content:"/tmp/launch-ICS000"; content:".confr",nocase; content:"rm -rf",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24800; rev:3; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*km0ae9gr6m*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/tag/km0ae9gr6m/; classtype:misc-activity; sid:24883; rev:2; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; 
flow:to_client,established; file_data; content:"/*qhk6sa6g1c*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/tag/km0ae9gr6m/; classtype:misc-activity; sid:24884; rev:2; ) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*c3284d*/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:misc-activity; sid:24899; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"ngatur"; content:"filenyo"; content:"ls -la"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/1e737d034848cc7cdec9940e09fd952c9357d24d25e430027649be91867e770e/analysis/; classtype:trojan-activity; sid:24900; rev:2; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"I got back a null buffer !"; content:"Coded by fzk",nocase; content:"|40 00|smb.txt",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:25084; rev:3; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"I got back a null buffer !"; content:"Coded by fzk",nocase; content:"|40 
00|smb.txt",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:25085; rev:4; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"transmit produce over"; content:"Two send|5B 25|d|5D|",nocase; content:"transerver.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/09c0ab18b970a5f0dd35a591aeb8073a7fa1c6b6aac829a04ea66784e99b127f/analysis/; classtype:trojan-activity; sid:25086; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"transmit produce over"; content:"Two send|5B 25|d|5D|",nocase; content:"transerver.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/09c0ab18b970a5f0dd35a591aeb8073a7fa1c6b6aac829a04ea66784e99b127f/analysis/; classtype:trojan-activity; sid:25087; rev:3; ) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Start Transmit"; content:"One recv|5B 25|d|5D|",nocase; content:"sockconsole.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/89acf767780e0d427b58310eb2776179cb963016b908e197c41a7504c6663d8c/analysis/; classtype:trojan-activity; sid:25088; rev:2; ) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( 
msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Start Transmit"; content:"One recv|5B 25|d|5D|",nocase; content:"sockconsole.pdb",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/89acf767780e0d427b58310eb2776179cb963016b908e197c41a7504c6663d8c/analysis/; classtype:trojan-activity; sid:25089; rev:3; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"wvs.exe|2C|iexplore.exe"; content:"Can|27|t Load",nocase; content:"Error Code: |5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:25090; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"wvs.exe|2C|iexplore.exe"; content:"Can|27|t Load",nocase; content:"Error Code: |5B 25|d|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:25091; rev:3; )
-alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER Win.Exploit.Hacktool variant outbound connection"; flow:to_client,established; file_data; content:"cmd|3A 5B 2D|bindconnverb"; content:"bindconnverb command received",nocase; content:"verb |5B 2D|tran|5D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; 
reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25092; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PERL.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"Mass Defacement"; content:"d:f:n",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25094; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"AnakDompu"; content:"Convertbytes",nocase; content:"explode",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/3730e3c259cb4f727f7a803c23716ceacd640dab102ec61c3bda3974a4ef0175/analysis/; classtype:trojan-activity; sid:25095; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PHP.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"post|5B 27|tac|27 5D|"; content:"login",nocase; content:"admin",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25096; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER PHP.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"lama|27|s|27|hell"; content:"execute",nocase; content:"htmlspecialchars",nocase; metadata:impact_flag red,policy balanced-ips drop,policy 
security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25097; rev:2; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; http_uri; content:".php?php=receipt"; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=PostalReceipt.zip|0D 0A|"; file_data; pkt_data; content:"PostalReceipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25578; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingInfo.zip|0D 0A|"; file_data; pkt_data; content:"BookingInfo.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25579; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingDetails.zip|0D 0A|"; file_data; pkt_data; content:"BookingDetails.exe"; metadata:impact_flag 
red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25580; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Java.Trojan.FlashPlayer file download attempt"; flow:to_client,established; http_header; content:"filename=",nocase; pkt_data; content:"FlashPlayer.jar",within 17,fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9324faaed6c7920f1721b60f81e1b04fbe317dedf9974bdfa02d8fcd1f0be18f/analysis/; classtype:trojan-activity; sid:25764; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*eb167039d64daa68c565052678c517a4*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:misc-activity; sid:26093; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=Postal-Receipt.zip|0D 0A|"; file_data; pkt_data; content:"Postal-Receipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:26261; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Double HTTP Server declared"; flow:to_client,established; http_header; content:"Server|3A| Apache"; content:"Server|3A|nginx"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26369; rev:1; )
-alert tcp $HOME_NET any -> 
$EXTERNAL_NET 1942 ( msg:"MALWARE-OTHER Possible data upload - Bitcoin Miner User Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Ufasoft bitcoin-miner"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26395; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; http_header; content:"-2013.zip|0D 0A|"; content:"-",within 1,distance -14; file_data; pkt_data; content:"-2013.exe"; content:"-",within 1,distance -14; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Unix.Backdoor.Cdorked download attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"Jan 13 2013 10:57:10"; content:"Cpanel::Easy::Apache"; content:"1.4.6|00|Architecture:",within 19,distance 151; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26531; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER Unix.Backdoor.Cdorked download attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"Jan 13 2013 10:57:10"; content:"Cpanel::Easy::Apache"; content:"1.4.6|00|Architecture:",within 19,distance 151; metadata:impact_flag red,policy balanced-ips drop,policy 
security-ips drop,service smtp; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26532; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000=",fast_pattern; http_cookie; content:"SL_"; content:"_0000=",within 8; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:8; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS"; flow:to_client,established; file_data; content:"/in.cgi?"; pcre:"/\x2Fin\.cgi\?\d{1,2}$/smi"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21848; rev:7; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; http_header; content:"/in.cgi"; pcre:"/\x2Fin\.cgi\?\d{1,2}$/smi"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:7; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( 
msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; http_uri; content:"/hi.cgi"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; http_stat_code; content:"302"; pkt_data; content:"=_"; content:"_|5C 3B| domain=",within 11,distance 1; http_cookie; pcre:"/^[a-z]{5}\d=_\d_/"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:6; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake delivery information phishing attack"; flow:to_client,established; http_header; content:"|3B| filename="; content:"Delivery_Information_ID-"; file_data; pkt_data; content:"Delivery_Information_ID-"; content:".exe",within 50; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26660; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.KitM file download"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"N37CXSRXLD"; content:"Developer ID Application: Rajinder Kumar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.f-secure.com/weblog/archives/00002554.html; 
reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26670; rev:2; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER OSX.Trojan.KitM file download"; flow:to_server,established; flowbits:isset,file.universalbinary; file_data; content:"N37CXSRXLD"; content:"Developer ID Application: Rajinder Kumar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26671; rev:2; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:""; content:"",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:26698; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Kazy download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"CLSID = s '{D4D8E7EF-EB95-405E-A9F2-886DBB4168F4}'"; content:"ForceRemove {D4D8E7EF-EB95-405E-A9F2-886DBB4168F4} = s 'Norm Class'",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26778; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER ANDR.Trojan.ZertSecurity encrypted information leak"; flow:to_server,established; http_uri; content:"/sms/d_m009.php"; metadata:impact_flag red,policy 
balanced-ips drop,policy security-ips drop,service http; reference:url,blog.lookout.com/blog/2013/05/06/zertsecurity; classtype:trojan-activity; sid:26796; rev:2; )
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-OTHER DNS information disclosure attempt"; flow:to_server; content:"|00 00 00|",offset 2; content:"|01|",within 1; content:"|3A|",within 1,distance 6; content:"|2D 2D 2D|",within 3,distance 30,fast_pattern; content:"|3A|",within 1,distance 25; content:"|01|",within 1,distance 58; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:attempted-user; sid:26803; rev:3; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"MALWARE-OTHER Win.Trojan.Kazy download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"CLSID = s '{D4D8E7EF-EB95-405E-A9F2-886DBB4168F4}'"; content:"ForceRemove {D4D8E7EF-EB95-405E-A9F2-886DBB4168F4} = s 'Norm Class'",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26921; rev:1; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/?id=##1"; metadata:policy balanced-ips alert,policy security-ips drop,service http; classtype:misc-activity; sid:26933; rev:3; )
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; http_uri; content:"/?q="; content:"##1"; pcre:"/^\/\?q=[^&]*##1$/"; metadata:policy balanced-ips alert,policy security-ips drop,service http; classtype:misc-activity; sid:26934; rev:4; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Dokstormac file download"; 
flow:to_client,established; flowbits:isset,file.exe; file_data; content:"wrUz2WzrY5v/P3E8LObWW7nrH4/a"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27050; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"MALWARE-OTHER Win.Trojan.Dokstormac file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"wrUz2WzrY5v/P3E8LObWW7nrH4/a"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27051; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Yakes download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:":|5C|Motor Life|5C|Rotor.pdb"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27055; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"MALWARE-OTHER Win.Trojan.Yakes download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:":|5C|Motor Life|5C|Rotor.pdb"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27056; rev:1; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.HackBack file download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"Interview_Venue_and_Questions.app/Contents/MacOS/FileBackupUX"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips 
drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27059; rev:1; )
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER OSX.Trojan.HackBack file upload attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"Interview_Venue_and_Questions.app/Contents/MacOS/FileBackupUX"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27060; rev:1; )
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-OTHER DirtJumper denial of service attack traffic"; flow:to_server,established; http_client_body; content:"login=",nocase; content:"&passwrd=",within 9,distance 2121,nocase; content:"&vb_login_md5password=",within 22,distance 235,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:attempted-dos; sid:27115; rev:2; )
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER OSX.Trojan.Janicab file download attempt"; flow:to_client,established; file_data; content:"RecentNews|2E E2 80 AE|fdp.app"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.f-secure.com/weblog/archives/00002576.html; classtype:attempted-admin; sid:27228; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Cookiebomb code injection attack"; flow:to_client,established; file_data; content:"a=0|3B|z=|22|y|22 3B|try{a*=25}catch("; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; 
reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27229; rev:1; )
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"