snort2-docker/docker/etc/rules/os-windows.rules

1367 lines
757 KiB
Plaintext
Raw Normal View History

2020-02-24 13:56:30 +00:00
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# OS-WINDOWS RULES
#------------------
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt"; flow:to_server,established; content:"|FF|SMB|2F 00 00 00 00|"; depth:9; offset:4; fast_pattern; byte_test:1,!&,0x80,0,relative; content:"|00 00 00 00 00 00 00 00 00 00|"; within:10; distance:5; byte_extract:2,6,mid,relative,little; content:"|FF 00|"; within:2; distance:1; byte_test:2,=,mid,2,relative,little; content:"|04 00|"; within:2; distance:12; byte_test:2,>,65000,0,relative,little; byte_test:2,>,500,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2017-0143; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41984; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt"; flow:to_server,established; file_data; content:"|8D 4C 24 60 48 8B D0 41 B9 4F 00 00 00 48 89 7C 24 28 C7 44 24 20 06 00 00 00 FF 15 47 FE FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-017; classtype:attempted-user; sid:41610; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt"; flow:to_client,established; file_data; content:"|8D 4C 24 60 48 8B D0 41 B9 4F 00 00 00 48 89 7C 24 28 C7 44 24 20 06 00 00 00 FF 15 47 FE FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-017; classtype:attempted-user; sid:41609; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt"; flow:to_server,established; file_data; content:"|6A FF 6A 00 6A 04 B8|"; content:"|25 00 F0 FF FF 83 E8 04 50 6A 06 B8|"; within:16; distance:4; content:"|6A 4F 83 E8 40 50 FF|"; content:"|50|"; within:1; distance:5; content:"|50 FF|"; within:2; distance:3; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-017; classtype:attempted-user; sid:41608; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt"; flow:to_client,established; file_data; content:"|6A FF 6A 00 6A 04 B8|"; content:"|25 00 F0 FF FF 83 E8 04 50 6A 06 B8|"; within:16; distance:4; content:"|6A 4F 83 E8 40 50 FF|"; content:"|50|"; within:1; distance:5; content:"|50 FF|"; within:2; distance:3; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-017; classtype:attempted-user; sid:41607; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 01 68 EC BF EB 0A 8B|"; content:"|50 FF|"; within:2; distance:2; content:"|50 68 E6 22 69 F9 68 00 10 00 00 68 3B 1C 7B AA 8B|"; within:100; content:"|51 68 FF FF FF 7F 6A 00 8B|"; within:9; distance:2; content:"|52 FF|"; within:2; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0047; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-admin; sid:41592; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GDI privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 01 68 EC BF EB 0A 8B|"; content:"|50 FF|"; within:2; distance:2; content:"|50 68 E6 22 69 F9 68 00 10 00 00 68 3B 1C 7B AA 8B|"; within:100; content:"|51 68 FF FF FF 7F 6A 00 8B|"; within:9; distance:2; content:"|52 FF|"; within:2; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0047; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-admin; sid:41591; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows DirectComposition double free attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"NtDCompositionProcessChannelBatchBuffer"; fast_pattern:only; content:"NtDCompositionCreateChannel"; nocase; content:"|C7 01 0B 00 00 00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0024; reference:cve,2017-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41580; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DirectComposition double free attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"NtDCompositionProcessChannelBatchBuffer"; fast_pattern:only; content:"NtDCompositionCreateChannel"; nocase; content:"|C7 01 0B 00 00 00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0024; reference:cve,2017-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41579; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_server,established; file_data; content:"Begin signature block"; content:"MIIiEQYJKoZIhvcNAQcCoIIiAjCCIf4CA"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41572; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_server,established; file_data; content:"Begin signature block"; content:"MIIarQYJKoZIhvcNAQcCoIIanjCCGpoCA"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41571; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_server,established; file_data; content:"Begin signature block"; content:"MIIa4AYJKoZIhvcNAQcCoIIa0TCCGs0C"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41570; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_client,established; file_data; content:"Begin signature block"; content:"MIIiEQYJKoZIhvcNAQcCoIIiAjCCIf4CA"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41569; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_client,established; file_data; content:"Begin signature block"; content:"MIIarQYJKoZIhvcNAQcCoIIanjCCGpoCA"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41568; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_client,established; file_data; content:"Begin signature block"; content:"MIIa4AYJKoZIhvcNAQcCoIIa0TCCGs0C"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41567; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt"; flow:to_server,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; content:"|50 00 00 00|"; within:150; byte_extract:4,36,cxSrc,relative,little; byte_test:4,<,cxSrc,16,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0038; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-recon; sid:41596; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; content:"|50 00 00 00|"; within:150; byte_extract:4,36,cxSrc,relative,little; byte_test:4,<,cxSrc,16,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0038; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-recon; sid:41595; rev:5;)
# alert icmp $HOME_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft ICMPv6 mismatched prefix length and length field denial of service attempt"; itype:134; icode:0; content:"|03 04|"; depth:2; offset:12; content:"|18 02|"; within:2; distance:30; byte_test:1,<,0x41,0,relative; reference:cve,2013-3183; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-065; classtype:denial-of-service; sid:27624; rev:2;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft WIndows IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:ruleset community; reference:bugtraq,514; reference:cve,1999-0918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-034; classtype:attempted-dos; sid:272; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-WINDOWS Microsoft Windows TCP print service overflow attempt"; flow:to_server,established; pcre:"/^(\x03|\x04|\x05)/s"; content:"|00|"; within:497; content:"|0A|"; within:497; metadata:ruleset community; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-021; classtype:attempted-dos; sid:3442; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows Vista SMB2 zero length write attempt"; flow:established, to_server; isdataat:!4; content:"|00 80 00 00|"; depth:4; reference:cve,2011-1267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-048; classtype:attempted-admin; sid:20132; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt"; flow:to_client,established; file_data; content:"[!] %s"; content:"[*] %s"; content:"[+] %s"; content:"[?] %s"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3660; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-admin; sid:26922; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_server,established; flowbits:isset,file.ppsx&file.zip; file_data; content:"uuid:48fd9e68-0958-11dc-9770-9797abb443b9"; fast_pattern:only; content:"2007-05-23T15:06:10-03:00"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:26069; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppsx&file.zip; file_data; content:"uuid:48fd9e68-0958-11dc-9770-9797abb443b9"; fast_pattern:only; content:"2007-05-23T15:06:10-03:00"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:26068; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_server,established; flowbits:isset,file.docm|file.docx|file.ppsx|file.pptx|file.xlsx; flowbits:isset,file.zip; file_data; content:"mx5a0ecw|21|9jX"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:26067; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; flowbits:isset,file.docm|file.docx|file.ppsx|file.pptx|file.xlsx; flowbits:isset,file.zip; file_data; content:"mx5a0ecw|21|9jX"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:26066; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - POST request"; flow:to_server,established; content:"/RDWeb/Pages/en-US/login.aspx"; fast_pattern:only; http_uri; content:"ReturnUrl="; nocase; http_client_body; pcre:"/(^|&)ReturnUrl=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3C|%3E|%28|%29|%73%63%72%69%70%74|%6f%6e%6c%6f%61%64|%73%72%63|script|onload|src)/Pi"; metadata:service http; reference:cve,2011-1263; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-061; classtype:web-application-attack; sid:25567; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS NVIDIA graphics driver nvsr named pipe buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,128,0,relative; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:10; content:"|5C 00|n|00|v|00|s|00|r"; within:9; distance:49; metadata:service netbios-ssn; classtype:attempted-user; sid:25369; rev:7;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft .NET fully qualified System.Data.dll assembly name exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"S|00|y|00|s|00|t|00|e|00|m|00|.|00|D|00|a|00|t|00|a|00|.|00|d|00|l|00|l|00|,|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2012-2519; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-074; classtype:attempted-user; sid:24656; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft .NET fully qualified System.Data.dll assembly name exploit attempt"; flow:to_server,established; content:"|2F|System.Data.dll,"; nocase; http_uri; metadata:service http; reference:cve,2012-2519; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-074; classtype:attempted-user; sid:24655; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CryptoAPI common name spoofing attempt"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 03 13|"; byte_extract:1,0,namelen,relative; content:"|00|"; within:namelen; metadata:service ssl; reference:cve,2009-2510; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-056; classtype:misc-attack; sid:24490; rev:3;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CryptoAPI common name spoofing attempt"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 03 0C|"; byte_extract:1,0,namelen,relative; content:"|00|"; within:namelen; metadata:service ssl; reference:cve,2009-2510; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-056; classtype:misc-attack; sid:24489; rev:3;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CryptoAPI common name spoofing attempt"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 03 1E|"; byte_extract:1,0,namelen,relative; content:"|00 00|"; within:namelen; metadata:service ssl; reference:cve,2009-2510; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-056; classtype:misc-attack; sid:24488; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,465,993,995] (msg:"OS-WINDOWS PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02 BD 00 01 00 01 00 16 8F|"; depth:10; offset:2; byte_test:2,>,32768,0,relative; metadata:service smtp, service ssl; reference:bugtraq,10116; reference:cve,2003-0719; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:24401; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Kerberos NULL session denial of service attempt"; flow:to_server,established; flowbits:isset,smb.null_session; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"|2A 86 48 82 F7 12 01 02 02|"; fast_pattern; content:"|2A 86 48 86 F7 12 01 02 02|"; within:9; distance:2; content:"|2B 06 01 04 01 82 37 02 02|"; within:9; distance:2; metadata:service netbios-ssn; reference:cve,2012-2551; reference:url,attack.mitre.org/techniques/T1097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-069; classtype:attempted-dos; sid:24360; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"NTLMSSP|00 03 00 00 00|"; within:100; content:"|00 00 00 00 48 00 00 00|"; within:8; distance:24; fast_pattern; flowbits:set,smb.null_session; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:24359; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"scc.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24137; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"diff.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24136; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"view.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24135; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"ann.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24134; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"QE.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24133; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"build.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24132; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"Q.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24131; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft SCCM ReportChart xss attempt"; flow:to_server,established; content:"/ReportChart.asp?"; nocase; http_uri; content:"ReportID="; nocase; http_uri; pcre:"/[?&]ReportID=\d+?&[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-2536; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-062; classtype:web-application-attack; sid:24128; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WebDAV invalid character argument injection attempt"; flow:to_client,established; flowbits:isset,ms.webdav.propfind; file_data; content:"<D:href"; fast_pattern; nocase; content:"%"; within:50; pcre:"/^(3C|3E|3A|22|7C|3F|2A|5C)/iR"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54307; reference:cve,2012-0175; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-048; classtype:attempted-user; sid:24090; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft WebDAV PROPFIND request"; flow:to_server,established; content:"PROPFIND"; http_method; content:"User-Agent: Microsoft-WebDAV"; fast_pattern:only; http_header; flowbits:set,ms.webdav.propfind; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24089; rev:6;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt"; flow:to_client; content:"|C0 0C 00 23 00 01|"; offset:16; byte_test:1,&,0x80,2; byte_test:2,!&,0x7a0f,2; byte_jump:1,10,relative; byte_jump:1,0,relative; byte_test:1,>,0x7f,0,relative; metadata:service dns; reference:cve,2011-1966; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-058; classtype:attempted-admin; sid:23951; rev:4;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt"; flow:to_client; content:"|C0 0C 00 23 00 01|"; offset:16; byte_test:1,&,0x80,2; byte_test:2,!&,0x7a0f,2; byte_test:1,>,0x7f,10,relative; metadata:service dns; reference:cve,2011-1966; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-058; classtype:attempted-admin; sid:23950; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows Terminal server RDP freed memory write attempt"; flow:to_server,established; content:"|7F 65 82 01 94 04 01 01 04 01 01|"; fast_pattern; byte_test:4,>,0x22,7,relative; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:1024; isdataat:512,relative; pcre:"/^\x00{512}/R"; metadata:policy security-ips drop, service rdp; reference:cve,2012-2526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-053; classtype:attempted-admin; sid:23846; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,139] (msg:"OS-WINDOWS Microsoft Windows SMB host announcement format string exploit attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00 00|"; distance:11; content:"|FF|SMB%|00 00 00 00|"; within:9; distance:68; content:"|5C|MAILSLOT|5C|BROWSE|00 01|"; within:18; distance:60; content:"%"; within:16; distance:5; content:"|5C|MAILSLOT|5C|BROWSE|00 01|"; depth:18; offset:151; pcre:"/^.{5}[^\x00]*?\%(\d+\x24)?(\d+)?[nxcsd][^\x00]*?\x00/smiR"; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1851; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-admin; sid:23837; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [2300:2400] (msg:"OS-WINDOWS Microsoft Windows DirectX IDirectPlay4 denial of service attempt"; flow:to_server; content:"play"; depth:4; content:"|2D 00 0B 00|"; within:4; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; content:!"|18 00 00 00|"; within:4; reference:cve,2004-0202; classtype:attempted-dos; sid:23437; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2300:2400] (msg:"OS-WINDOWS Microsoft Windows DirectX IDirectPlay4 denial of service attempt"; flow:to_server,established; content:"play"; depth:4; content:"|2D 00 0B 00|"; within:4; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; content:!"|18 00 00 00|"; within:4; reference:cve,2004-0202; classtype:attempted-dos; sid:23436; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows large image resize denial of service attempt"; flow:to_client,established; file_data; content:"<img "; fast_pattern:only; pcre:"/\x3cimg[^\x3e]*?(width|height)\s*=\s*[\x22\x27]?\d{6}/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,archives.neohapsis.com/archives/fulldisclosure/2004-08/0330.html; classtype:attempted-dos; sid:23408; rev:5;)
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 03|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,252,0,relative; isdataat:252,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0900; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-user; sid:23233; rev:4;)
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 01|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,252,0,relative; isdataat:252,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0900; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-user; sid:23232; rev:4;)
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 03|"; within:3; content:"|3D|"; distance:0; content:"|0C|"; distance:0; byte_test:1,>,150,0,relative; isdataat:150,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0899; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-dos; sid:23231; rev:4;)
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 03|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,60,0,relative; content:"|01|"; within:1; distance:1; isdataat:60,relative; content:"|0C|"; distance:0; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0899; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-dos; sid:23230; rev:5;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"w|00|l|00|a|00|n|00|a|00|p|00|i|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-1849; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-039; classtype:attempted-user; sid:23163; rev:6;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"n|00|c|00|r|00|y|00|p|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-1849; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-039; classtype:attempted-user; sid:23162; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft .NET framework malicious XBAP attempt"; flow:to_client,established; file_data; content:"PublicKeyToken=b77a5c561934e089"; fast_pattern:only; content:"System.Collections.Generic.ICollection<T>.get_Count"; content:"TryGetGlyphTypeface|00|Exception|00|WindowsBase|00|Point|00|GlyphRun|00|IList|60 31 00|"; distance:0; content:"ComputeInkBoundingBox"; distance:0; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0162; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-034; classtype:attempted-user; sid:22090; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft .NET framework EvidenceBase class remote code execution attempt"; flow:to_client,established; file_data; content:"<Module>|00|"; content:"|00|MyEvidence|00|MyAssembly|00|De"; within:25; distance:9; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0160; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-035; classtype:attempted-user; sid:22079; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response"; flow:to_client,established; file_data; content:"HTTP t_"; depth:7; content:"|0D 0A|"; within:2; distance:148; metadata:policy max-detect-ips drop, service http; reference:cve,2010-2561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-051; classtype:attempted-dos; sid:21754; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Expression Design wintab32.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wintab32.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0016; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-022; classtype:attempted-user; sid:21567; rev:7;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"w|00|i|00|n|00|t|00|a|00|b|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-0016; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-022; classtype:attempted-user; sid:21566; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 Find_First2 filename overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|00 00 00 16 00 56 05 07 00 04 01 00 00 00 00|"; within:15; distance:60; isdataat:564,relative; content:!"|00 00|"; within:564; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:attempted-admin; sid:21529; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows OLEAUT32.DLL malicious WMF file remote code execution attempt"; flow:to_server,established; file_data; content:"|6C 74 01 00|"; depth:4; byte_test:4,<,60,0,relative,little; metadata:service smtp; reference:cve,2011-0658; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-038; classtype:attempted-user; sid:21357; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft product fputlsat.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|fputlsat.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0029; reference:cve,2011-0107; reference:cve,2011-1980; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-017; classtype:attempted-user; sid:21310; rev:7;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"f|00|p|00|u|00|t|00|l|00|s|00|a|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-0029; reference:cve,2011-0107; reference:cve,2011-1980; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-017; classtype:attempted-user; sid:21309; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|STI.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-5082; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,shinnai.altervista.org/exploits/SH-006-20100914.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-012; classtype:attempted-user; sid:21290; rev:10;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"|5C 00|S|00|T|00|I|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-5082; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,shinnai.altervista.org/exploits/SH-006-20100914.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-012; classtype:attempted-user; sid:21289; rev:11;)
# alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_client,established; content:"|4F 54 54 4F 00 0B 00 80 00 03 00 30 43 46 46 20 0C 1B 55 C1 00 00 0C 54 00 00 AC F2 47 50 4F 53 55 19 E1 1E 00 00 C1 50 00 00 2C 1C 47 53 55 42|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:21281; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC ISystemActivate flood attempt"; flow:to_server,established,only_stream; content:"|00|"; depth:1; offset:2; dce_iface:000001a0-0000-0000-c000-000000000046; dce_stub_data; content:"MEOW"; detection_filter:track by_src, count 100, seconds 5; metadata:service netbios-ssn; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-012; classtype:protocol-command-decode; sid:21262; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows remote desktop oversized cookie attempt"; flow:to_server,established; content:"|03 00 00 27 22 E0|"; fast_pattern; content:"Cookie:"; distance:0; nocase; content:"mstshash="; distance:0; nocase; content:"Cookie:"; distance:0; nocase; isdataat:129; content:!"|0D 0A|"; within:129; reference:bugtraq,14259; reference:cve,2005-1218; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-041; classtype:attempted-dos; sid:21089; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows remote desktop denial of service attempt"; flow:to_server,established; content:"|30|"; depth:1; content:"|03 00 00 27 22 E0|"; within:6; distance:1; content:"mstshash="; distance:0; nocase; reference:bugtraq,14259; reference:cve,2005-1218; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-041; classtype:attempted-dos; sid:21088; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt"; flow:to_server,established; content:"|2F|packager.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-002; classtype:attempted-user; sid:20879; rev:7;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"p|00|a|00|c|00|k|00|a|00|g|00|e|00|r|00|.|00|e|00|x|00|e|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-002; classtype:attempted-user; sid:20878; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player DirectShow MPEG-2 memory corruption attempt"; flow:to_client,established; file_data; content:"|00 03 00 00 11 20|"; depth:6; byte_test:4,>,32,0,relative; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:20744; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] (msg:"OS-WINDOWS Microsoft Windows Active Directory Crafted LDAP ModifyRequest"; flow:to_server,established; content:"0|83|"; depth:2; content:"|66 84|"; within:16; byte_test:3,>,0x0F0000,2; metadata:policy max-detect-ips drop; reference:cve,2007-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-039; classtype:attempted-admin; sid:20671; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"OS-WINDOWS Microsoft Windows RSH daemon buffer overflow attempt"; flow:to_server,established; isdataat:1032; content:"|00|"; depth:1; content:"|00|"; within:1; distance:1; content:"|00|"; within:1; distance:1; reference:cve,2007-4005; reference:cve,2007-4006; classtype:attempted-admin; sid:20603; rev:4;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows IppRateLimitIcmp integer overflow exploit attempt"; icode:3; itype:3; detection_filter:track by_src,count 500,seconds 15; reference:cve,2011-2013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-083; classtype:attempted-dos; sid:20543; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Forefront UAG NLSessionS cookie overflow attempt"; flow:to_server,established; content:"NLSessionS"; pcre:"/(NLSessionS[^=\s]*)\s*=\s*\x3B.*\1\s*=[^\s\x3B]/C"; metadata:service http; reference:cve,2011-2012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:attempted-dos; sid:20272; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1478 (msg:"OS-WINDOWS Microsoft Windows Host Integration Server SNA length dos attempt"; flow:to_server; content:"|01|"; depth:1; offset:2; byte_test:2,>,16,55,little; reference:cve,2011-2007; reference:cve,2011-2008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-082; classtype:attempted-dos; sid:20271; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft generic javascript handler in URI XSS attempt"; flow:to_server,established; content:"javascript|3A|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1897; reference:cve,2012-0017; reference:cve,2015-6099; reference:cve,2016-3212; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-118; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:20258; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft ForeFront UAG ExcelTable.asp XSS attempt"; flow:to_server,established; content:"ExcelTable.asp"; fast_pattern:only; http_uri; content:"tableData="; nocase; http_client_body; pcre:"/^[^\&\r\n]*[<\(][^\&\r\n]+[\)>]/R"; metadata:service http; reference:cve,2011-1896; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:attempted-user; sid:20257; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 50002 (msg:"OS-WINDOWS Microsoft Forefront UAG http response splitting attempt"; flow:to_server,established; content:"/ExcelTable.asp"; nocase; content:"table="; distance:0; content:"%0d%0a"; distance:0; nocase; pcre:"/table=.*\x250d\x250a.*HTTP\/1/smi"; reference:cve,2011-1895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:attempted-user; sid:20256; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|oleacc.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-1247; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-075; classtype:attempted-user; sid:20254; rev:9;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt"; flow:to_server,established; content:"o|00|l|00|e|00|a|00|c|00|c|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-1247; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-075; classtype:attempted-user; sid:20253; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1027:1050] (msg:"OS-WINDOWS Microsoft Windows WINS internal communications on network exploit attempt"; flow:to_server,no_stream; dsize:24; content:"|00 00 00|"; depth:3; offset:1; byte_test:1,<,2,0; detection_filter:track by_src,count 10, seconds 2; reference:cve,2011-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-070; classtype:attempted-user; sid:20120; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|deskpan.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-1991; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-071; classtype:attempted-user; sid:20119; rev:9;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt"; flow:to_server,established; content:"d|00|e|00|s|00|k|00|p|00|a|00|n|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-1991; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-071; classtype:attempted-user; sid:20118; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Report Viewer reflect XSS attempt"; flow:to_server,established; content:"ReportID|3D|"; nocase; http_uri; content:"ControlID|3D|"; nocase; http_uri; content:"TimerMethod|3D|"; nocase; http_uri; pcre:"/TimerMethod\x3D[^\x26]*[\x3C\x28\x22\x27]/Ui"; metadata:service http; reference:cve,2011-1976; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-067; classtype:attempted-user; sid:19681; rev:4;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt"; flow:to_client; content:"|00 23 00 01|"; depth:10; offset:34; byte_test:1,&,0x80,2; byte_test:2,!&,0x7a0f,2; pcre:"/^.{28}\x00[\xff\x23]\x00\x01(.{2}|.{8})\x00\x23\x00\x01/"; byte_jump:1,10,relative; byte_jump:1,0,relative; byte_test:1,>,128,0,relative; metadata:service dns; reference:cve,2011-1966; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-058; classtype:attempted-admin; sid:19677; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|bidlab.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-1975; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-059; classtype:attempted-user; sid:19674; rev:8;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt"; flow:to_server,established; content:"b|00|i|00|d|00|l|00|a|00|b|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-1975; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-059; classtype:attempted-user; sid:19673; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - GET request"; flow:to_server,established; content:"/RDWeb/Pages/en-US/login.aspx"; fast_pattern:only; http_uri; content:"ReturnUrl="; nocase; http_uri; pcre:"/[?&]ReturnUrl=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2011-1263; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-061; classtype:web-application-attack; sid:19665; rev:10;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft invalid message kernel-mode memory disclosure attempt"; flow:to_client,established; file_data; content:"|79 29 00 00 E9 D8 38 00 00 E9 E0 11 00 00 E9 5E 72 00 00 E9 99 71 00 00 E9 47 31 00 00 E9 55 6E 00 00 E9 A9 57 00 00 E9 CC 37 00 00 E9 AB 9C 00|"; fast_pattern:only; metadata:service http; reference:cve,2011-1886; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-054; classtype:attempted-user; sid:19469; rev:6;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft stale data code execution attempt"; flow:to_client,established; file_data; content:"|00 74 02 EB 19 68 00 B0 40 00 E8 1E 01 00 00 83 C4 04 8B 4D 08 51 FF 15 BC CA 40 00 EB 18 8B 55 14 52 8B 45 10 50 8B 4D 0C 51 8B 55 08 52 FF 15|"; fast_pattern:only; metadata:service http; reference:cve,2011-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-054; classtype:attempted-user; sid:19468; rev:6;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft CSRSS NULL Fontface pointer attempt"; flow:to_client,established; file_data; content:"|00 74 02 EB 19 68 00 B0 40 00 E8 28 01 00 00 83 C4 04 8B 4D 08 51 FF 15 14 81 40 00 EB 18 8B 55 14 52 8B 45 10 50 8B 4D 0C 51 8B 55 08 52 FF 15|"; fast_pattern:only; metadata:service http; reference:cve,2011-1874; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-054; classtype:attempted-user; sid:19467; rev:6;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Visio mfc71 dll-load attempt"; flow:to_server,established; content:"m|00|f|00|c|00|7|00|1|00|"; fast_pattern; nocase; content:".|00|d|00|l|00|l|00|"; within:14; nocase; metadata:service netbios-ssn; reference:cve,2010-3148; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-055; classtype:attempted-user; sid:19465; rev:10;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft CSRSS integer overflow attempt"; flow:to_client,established; file_data; content:"|66 89 4D E6 C7 45 E0 00 00 00 80 8D 55 E0 52 8B 45 E4 50 68 00 00 00 80 8D 4D F8 51 8B 55 DC 52|"; fast_pattern:only; metadata:service http; reference:cve,2011-1870; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19464; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CSRSS double free attempt"; flow:to_client,established; file_data; content:"|4A 10 33 C0 8B 4D FC 66 89 41 16 33 D2 8B 45 FC 66 89 50 12 8B 4D FC C7 41 0C 11 14 14 14 6A 1C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1284; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19463; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CSRSS negative array index code execution attempt"; flow:to_client,established; file_data; content:"|45 E0 00 80 00 00 C7 45 E4 0A 00 00 00 C7 45 E8 00 00 00 00 8B F4 8D 45 DC 50 FF 15 A8 81 41 00 3B F4 E8 3A FD FF FF 89 45 F4 8B F4 FF 15 A4 81|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19462; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft CSRSS NULL Fontface pointer attempt"; flow:to_client,established; file_data; content:"|74 02 EB 19 68 00 00 01 00 0F B7 45 EC 50 68 D0 F0 42 00 E8 DA F3 FF FF 83 C4 0C EB A1 0F B7 45|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1282; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-056; classtype:attempted-user; sid:19461; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CSRSS multiple consoles on a single process attempt"; flow:to_client,established; file_data; content:"|50 92 40 00 E8 8E 04 00 00 83 C0 40 50 E8 F9 03 00 00 83 C4 0C 6A 01 E8 87 03 00 00 68 9C 92 40|"; fast_pattern:only; metadata:service http; reference:cve,2011-1281; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19460; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Visual Studio information disclosure attempt"; flow:to_client,established; file_data; content:"<!ENTITY"; content:"SYSTEM"; within:50; content:"<!ENTITY"; distance:0; content:"SYSTEM"; within:50; content:"http|3A 2F 2F|"; within:100; nocase; pcre:"/\x3C\x21ENTITY\s+(?P<name>\w+)\s+SYSTEM\s+\x22[a-zA-Z]\x3A\x5C.*?\x3C\x21ENTITY\s+\w+\s+SYSTEM\s+\x22[hH][tT]{2}[pP]\x3A\x2f{2}[^\x22]*\x3D\x26(?P=name)/s"; metadata:service http; reference:cve,2011-1280; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-049; classtype:misc-attack; sid:19234; rev:6;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Smb2Create_Finalize malformed EndOfFile field exploit attempt"; flow:to_client,established; content:"|FE|SMB|40 00|"; nocase; content:"|05 00|"; within:2; distance:6; content:"|59 00|"; within:2; distance:50; byte_test:1,>,0x80,53,relative; metadata:service netbios-ssn; reference:cve,2011-1268; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-043; classtype:attempted-admin; sid:19199; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB2 zero length write attempt"; flow:established, to_server; content:"|FE|SMB|40 00|"; nocase; content:"|09 00|"; within:8; content:"|00 00 00 00|"; within:4; distance:54; reference:cve,2011-1267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-048; classtype:attempted-admin; sid:19191; rev:6;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; byte_test:2,>,0x28,26,little,relative; metadata:service netbios-ssn; reference:cve,2011-1868; reference:cve,2011-1869; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_client,established; file_data; content:"|4F 54 54 4F 00 0B 00 80 00 03 00 30 43 46 46 20 0C 1B 55 C1 00 00 0C 54 00 00 AC F2 47 50 4F 53 55 19 E1 1E 00 00 C1 50 00 00 2C 1C 47 53 55 42|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:19188; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows .NET ArraySegment escape exploit attempt"; flow:to_client,established; file_data; content:"|00 6E 00 6E 00 6F 00 63 00 65 00 6E 00 74 00 41 00 72 00 72|"; fast_pattern:only; metadata:service http; reference:cve,2011-0664; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-039; classtype:attempted-user; sid:19185; rev:6;)
# alert udp $HOME_NET any -> $HOME_NET [138,139] (msg:"OS-WINDOWS Microsoft Windows 2003 browser election remote heap overflow attempt"; content:"|5C|MAILSLOT|5C|"; nocase; content:"|00 08|"; distance:0; pcre:"/\x5cMAILSLOT\x5c[^\x00]*\x00\x08.{13}[^\x00]{56}/si"; reference:bugtraq,46360; reference:cve,2011-0654; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-019; classtype:attempted-admin; sid:18994; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response"; flow:to_client,established; content:"HTTP 4|0A|"; depth:7; metadata:policy max-detect-ips drop, service http; reference:cve,2010-2561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-051; classtype:attempted-dos; sid:18962; rev:12;)
# alert tcp $HOME_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft WINS service oversize payload exploit attempt"; flow:to_server,established,no_stream; dsize:>1400; reference:cve,2011-1248; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-035; classtype:attempted-admin; sid:18950; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows AFD.SYS null write attempt"; flow:to_client,established; file_data; content:"|6A 18 50 68 AB 80 40 00 89 BD B0 FC FF FF 89 B5 B8 FC FF FF|"; fast_pattern:only; metadata:service http; reference:cve,2011-1249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-046; classtype:attempted-admin; sid:18691; rev:8;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Foundation Class applications mfc100.dll dll-load exploit attempt"; flow:to_server,established; content:"m|00|f|00|c|00|1|00|0|00|0|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18629; rev:12;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Foundation Class applications mfc90.dll dll-load exploit attempt"; flow:to_server,established; content:"m|00|f|00|c|00|9|00|0|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18628; rev:12;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Foundation Class applications mfc80.dll dll-load exploit attempt"; flow:to_server,established; content:"m|00|f|00|c|00|8|00|0|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18627; rev:12;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Foundation Class applications mfc42.dll dll-load exploit attempt"; flow:to_server,established; content:"m|00|f|00|c|00|4|00|2|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18626; rev:12;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Foundation Class applications mfc40.dll dll-load exploit attempt"; flow:to_server,established; content:"m|00|f|00|c|00|4|00|0|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18625; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows .NET framework optimizer escalation attempt"; flow:to_client,established; file_data; content:"|00|Program|00|Big|00|Misaligned|00|"; nocase; metadata:service http; reference:cve,2010-3958; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-028; classtype:attempted-user; sid:18624; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Visual Studio MFC applications mfc100.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mfc100.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18623; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Visual Studio MFC applications mfc90.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mfc90.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18622; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Visual Studio MFC applications mfc80.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mfc80.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18621; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Visual Studio MFC applications mfc42.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mfc42.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18620; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Visual Studio MFC applications mfc40.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mfc40.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18619; rev:10;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"i|00|a|00|c|00|e|00|n|00|c|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,42730; reference:cve,2010-3138; reference:cve,2010-3150; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-014; classtype:attempted-user; sid:18532; rev:10;)
# alert udp $HOME_NET 138 -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows 2003 browser election remote heap overflow attempt"; content:"|5C|MAILSLOT|5C|BROWSER|00 08 09|"; content:"|00 00 00 00|"; within:4; distance:8; isdataat:15,relative; content:!"|00|"; within:15; reference:bugtraq,46360; reference:cve,2011-0654; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-019; classtype:attempted-admin; sid:18462; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt"; flow:to_client,established; file_data; content:"|74 00 00 00 00 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 0A 4E 6F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0090; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-011; classtype:attempted-admin; sid:18413; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt"; flow:to_client,established; file_data; content:"|74 00 00 00 00 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 0A 4E 6F|"; fast_pattern:only; metadata:service http; reference:cve,2011-0045; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-011; classtype:attempted-admin; sid:18408; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Hypervisor OS-WINDOWS vfd download attempt"; flow:to_client,established; file_data; content:"|29 66 3A E1 58 4E 4F 20 4E 41 4D 45 20 20 20 20 46 41 54 31 32 20 20 20 6A 00|"; fast_pattern:only; metadata:service http; reference:cve,2010-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-010; classtype:attempted-admin; sid:18396; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS association context validation overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; content:"|00 E4 FF 58|"; depth:4; offset:16; metadata:service wins; reference:bugtraq,11763; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; reference:url,www.immunitysec.com/downloads/instantanea.pdf; classtype:misc-attack; sid:18320; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 overflow attempt"; flow:to_server,established; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:25; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; metadata:service netbios-ssn; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:18315; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rpcss2_RemoteGetClassObject attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:3; dce_stub_data; content:"|05 00|"; depth:2; byte_test:2,>,5,0,dce,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:26; metadata:service dcerpc, service netbios-ssn; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:18267; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP rpcss2_RemoteGetClassObject attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:3; dce_stub_data; content:"|05 00|"; byte_test:2,>,5,0,dce,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:26; metadata:service dcerpc; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:18266; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Fax Services Cover Page Editor overflow attempt"; flow:to_client,established; file_data; content:"FAXCOVER-VER005w"; nocase; content:"|87 00 00 00 4C 17 00 00 00 00 00 00 52 03 00 00|"; within:100; fast_pattern; metadata:service http; reference:url,www.vupen.com/english/advisories/2010/3327; classtype:attempted-user; sid:18246; rev:5;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt"; flow:to_server,established; content:"a|00|s|00|f|00|e|00|r|00|r|00|o|00|r|00|e|00|n|00|u|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18227; rev:14;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt"; flow:to_server,established; content:"w|00|i|00|n|00|i|00|e|00|t|00|e|00|n|00|u|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18226; rev:15;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt"; flow:to_server,established; content:"w|00|m|00|e|00|r|00|r|00|o|00|r|00|e|00|n|00|u|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18225; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|asferrorenu.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18224; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|winietenu.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18223; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wmerrorenu.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18222; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS NETAPI RPC interface reboot attempt"; flow:established, to_server; dce_iface:12345678-1234-ABCD-EF00-01234567CFFB; dce_opnum:29; dce_stub_data; content:"|00 00|"; content:"|01 00 00 00 00 00 00 00|"; within:8; distance:30; pcre:"/\x00\x00.{30}\x01\x00{7}$/"; metadata:service netbios-ssn; reference:cve,2010-2742; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-101; classtype:attempted-user; sid:18215; rev:8;)
# alert tcp $HOME_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt"; flow:to_client,established; content:"h|00|h|00|c|00|t|00|r|00|l|00|.|00|o|00|c|00|x|00|"; nocase; metadata:service netbios-ssn; reference:cve,2010-3967; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-093; classtype:attempted-user; sid:18211; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt"; flow:to_server,established; content:"|2F|hhctrl.ocx"; nocase; http_uri; metadata:service http; reference:cve,2010-3967; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-093; classtype:attempted-user; sid:18210; rev:9;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt"; flow:to_server,established; content:"p|00|e|00|e|00|r|00|d|00|i|00|s|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3966; reference:cve,2011-2019; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-099; classtype:attempted-user; sid:18209; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|peerdist.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3966; reference:cve,2011-2019; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-099; classtype:attempted-user; sid:18208; rev:13;)
# alert tcp $HOME_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Address Book smmscrpt.dll malicious DLL load"; flow:to_client,established; content:"s|00|m|00|m|00|s|00|c|00|r|00|p|00|t|00|.|00|d|00|l|00|l|00|"; nocase; metadata:service netbios-ssn; reference:cve,2010-3144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-097; classtype:attempted-user; sid:18203; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Address Book smmscrpt.dll malicious DLL load"; flow:to_server,established; content:"smmscrpt.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-097; classtype:attempted-user; sid:18202; rev:9;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt"; flow:to_client,established; dsize:4; content:"|00 00 00 01|"; depth:4; reference:cve,2009-3676; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-dos; sid:18195; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product mailto uri handling code execution attempt"; flow:to_client,established; file_data; content:"mailto|3A|"; nocase; content:"|2E|com"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?([\x25\x22]\x2Ecom|(\x25|\x26\x23x|\x5cx)00)/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:18173; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product mailto uri handling code execution attempt"; flow:to_client,established; file_data; content:"mailto|3A|"; nocase; content:"|2E|cmd"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?(\x2Ecmd((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5cx)00)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:18172; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product mailto uri handling code execution attempt"; flow:to_client,established; file_data; content:"mailto|3A|"; nocase; content:"|2E|bat"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?(\x2Ebat((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5cx)00)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:cve,2007-5020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:18171; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Forefront UAG URL XSS attempt"; flow:to_server, established; content:"|2F|m|2F|default|2E|aspx"; fast_pattern; nocase; http_uri; content:"orig_url="; nocase; http_uri; pcre:"/orig_url=[^\x26]*[\x22\x27\x28\x29\x3C\x3E]/Ui"; metadata:service http; reference:cve,2010-2734; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-admin; sid:18074; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Forefront UAG arbitrary embedded scripting attempt"; flow:to_server,established; content:"|2E|asp|3F|"; nocase; http_uri; content:"ONMOUSEOVER|3D 27|"; nocase; http_uri; metadata:service http; reference:cve,2010-2733; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-user; sid:18073; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Forefront UAG external redirect attempt"; flow:to_server,established; content:"|2F|redir|2E|asp|3F|"; nocase; http_uri; content:"TARGET|3D|"; nocase; http_uri; content:"Host|3A|"; http_header; pcre:"/\x2fredir\x2easp\x3f[^\s]*TARGET\x3d(\w{3,6}\x3a\x2f\x2f)?[^\x26\x3d\x2f\x20]*([a-z0-9\x2d]+\x2e[a-z0-9\x2d]+)[\x2f\x20\x26].*^Host\x3a/Osmi"; isdataat:10,relative; pcre:!"/\x2fredir\x2easp\x3f[^\s]*TARGET\x3d(\w{3,6}\x3a\x2f\x2f)?[^\x26\x3d\x2f\x20]*([a-z0-9\x2d]+\x2e[a-z0-9\x2d]+)[\x2f\x20\x26].*^Host\x3a[^\n]*\1/Osmi"; metadata:service http; reference:cve,2010-2732; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:policy-violation; sid:18072; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows embedded web font handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|53 51 86 A4 50 1D CD 50 3B D5 D0 6C E3 D5 19 36 A5 55 34 63 7A 7B B1 04 1D E7 EF 6A 69 49 8A 54 D1 73 FD 0C F7 02 5E FA 70 4E E8 68 94 FF 14 1E DC 80 7B 58 96 D0 4A 7C DF F0 5C F0 50 88 73 8D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16194; reference:cve,2006-0010; classtype:attempted-user; sid:17626; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt"; flow:to_client,established; file_data; content:"launchURL"; nocase; content:"http|3A|"; distance:0; pcre:"/[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)/Ri"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:17468; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt"; flow:to_client,established; file_data; content:"document|2E|location|2E|replace"; content:"|2E|exe"; distance:0; nocase; content:"|2E|pdf"; distance:0; nocase; pcre:"/document\x2Elocation\x2Ereplace\s*\x28\s*[\x22\x27][a-z0-9]+\.exe\?[a-z0-9]+\.pdf/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:17467; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Jet DB Engine Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|00 01 00 00|Standard Jet DB"; depth:19; nocase; content:"P|00|a|00|r|00|e|00|n|00|t|00|I|00|d|00|n|00|a|00|m|00|e|00|"; distance:0; fast_pattern; nocase; byte_test:2,>,0x0F,0,relative,little; content:!"|FF FF|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12960; reference:cve,2005-0944; classtype:attempted-user; sid:17413; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Color Management Module buffer overflow attempt"; flow:to_client,established; file_data; content:"bXYZ"; content:"gXYZ"; within:4; distance:8; byte_test:4,>,60,4,relative; content:"bXYZ"; within:4; distance:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14214; reference:cve,2005-1219; classtype:attempted-user; sid:17349; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Color Management Module buffer overflow attempt"; flow:to_client,established; file_data; content:"gXYZ"; content:"gXYZ"; within:4; distance:8; content:"bXYZ"; within:4; distance:8; byte_test:4,>,60,4,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14214; reference:cve,2005-1219; classtype:attempted-user; sid:17348; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Folder GUID Code Execution attempt"; flow:to_client,established; file_data; content:".|7B|3050F4D8-98B5-11CF-BB82-00AA00BDCE0B|7D|"; fast_pattern:only; pcre:"/\x252e\x252e\x255c[^\s\x2e]*?\x2e\x7B3050F4D8-98B5-11CF-BB82-00AA00BDCE0B\x7d/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19389; reference:cve,2006-3281; classtype:attempted-user; sid:17316; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"OS-WINDOWS Microsoft Windows LSASS integer overflow attempt"; flow:to_server,established; content:"|6D 64 DE A8 E3 21 30 84 FF FF FF F9 02 01 04 63 84 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service ldap; reference:cve,2010-0820; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-068; classtype:attempted-user; sid:17249; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player skin decompression code execution attempt"; flow:to_client,established; file_data; content:"|5B B7 D6 CA 91 94 5C C8 DB B1 29 8F FA A4 39 A6 9B B3 65 AD 6D CE EC 2C DB 28 0F FB FD E1 F9 F5 F9 E1 F9 7C 9E 83 C1 41 7B F6 26 93 40 0A B0 0C|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25307; reference:cve,2007-3035; classtype:attempted-user; sid:17228; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 MaxDataCount overflow attempt"; flow:established, to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:2,<,12,34,relative,little; content:"|03 00|"; within:2; distance:56; metadata:policy security-ips drop, service netbios-ssn; reference:cve,2010-2550; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-054; classtype:attempted-admin; sid:17125; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS DCERPC rpcss2 _RemoteGetClassObject attempt"; content:"|5C 00 43 00 24 00 5C 00 31 00 32 00 33 00 34 00|"; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-user; sid:17112; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDIplus integer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; content:"|20|EMF"; within:4; distance:36; content:"|45 4D 46 2B 08 40|"; pcre:"/\x45\x4d\x46\x2b\x08\x40.(\x06|\x86).{28}([\xf4-\xff]\xff\xff(\xff|\x7f)|[\x00-\x06]\x00\x00\x80)/"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:misc-activity; sid:16679; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows .NET framework XMLDsig data tampering attempt"; flow:established, to_client; file_data; content:"HMACOutputLength"; fast_pattern:only; content:"SignatureMethod"; nocase; pcre:"/<\s*(ds:)?HMACOutputLength\s*>\s*\d\s*<\/\s*(ds:)?HMACOutputLength\s*>/Rsmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-041; classtype:misc-attack; sid:16636; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Encoder 9 ActiveX buffer overflow attempt"; flow:to_client,established; file_data; content:"unescape|28|'"; content:"GetDetailsString|28|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:16578; rev:7;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMBv1 BytesNeeded ring0 buffer overflow attempt"; flow:to_client,established; flowbits:isset,smb.query_sec_desc; flowbits:unset,smb.query_sec_desc; content:"|FF|SMB|A0 05 00 00 80|"; depth:9; offset:4; isdataat:24,relative; byte_jump:1,23,relative, multiplier 2; content:"|00|"; within:1; metadata:policy security-ips drop, service netbios-ssn; reference:cve,2010-0269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-admin; sid:16539; rev:7;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2"; flow:to_client,established; dsize:4; content:"|00 00 00 9A|"; depth:4; reference:cve,2009-3676; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-dos; sid:16454; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows embedded OpenType font engine LZX decompression buffer overflow attempt"; flow:to_client,established; file_data; content:"|DE 0D 00 00 82 0C 00 00 02 00 02 00 E5|"; content:"|53 50 13 80 50 59 53 50 5B 7C D0 55 FD 06 58 94 D3 E3 98 7C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,37671; reference:cve,2010-0018; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-001; classtype:attempted-admin; sid:16366; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI+ TIFF RLE compressed data buffer overflow attempt"; flow:to_client,established; file_data; content:"II*|00|"; content:"|03 01 03 00 01 00 00 00 04 00 00 00|"; distance:0; content:"P|DC 9A 86 E4 D4|7&|A1 B9|5|0D C9 A8|nMCrj|1B 93|P|DC 9A 86 E4 D4|7"; fast_pattern:only; metadata:service http; reference:cve,2009-2503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16327; rev:7;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt"; flow:to_client,established; content:"|00 00 00 9A FE|SMB"; depth:8; isdataat:126,relative; content:"|1E 00| LM `|1C|"; within:8; distance:118; reference:cve,2009-3676; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-dos; sid:16287; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP llsrpc2 LlsrLicenseRequestW overflow attempt"; dce_iface:57674CD0-5200-11CE-A897-08002B2E9C6D; dce_opnum:0; dce_stub_data; byte_jump:4,8,multiplier 2,dce; byte_test:4,>,256,16,relative,dce; metadata:service netbios-dgm; reference:cve,2009-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-064; classtype:attempted-admin; sid:16239; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt"; flow:to_server,established; dce_iface:57674CD0-5200-11CE-A897-08002B2E9C6D; dce_opnum:0; dce_stub_data; byte_jump:4,8,multiplier 2,dce; byte_test:4,>,256,16,relative,dce; metadata:service netbios-ssn; reference:cve,2009-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-064; classtype:attempted-admin; sid:16238; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft ISA and Forefront Threat Management Web Proxy TCP Listener denial of service attempt"; flow:to_server,established; seq:3927875496; flags:R; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34414; reference:cve,2009-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-016; classtype:attempted-dos; sid:16221; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI+ compressed TIFF file parsing remote code execution attempt"; flow:to_client,established; file_data; content:"II*|00|"; content:"|03 01 03 00 01 00 00 00 04 00 00 00|"; distance:0; content:"&|A1 B9|5|0D C9 A8|nMCrj|1B 93|P|DC 9A 86 E4 D4|7&|A1 B9|"; distance:0; metadata:service http; reference:cve,2009-2503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16185; rev:7;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CryptoAPI ASN.1 integer overflow attempt"; flow:to_client,established; content:"|55 04|"; content:"|80 80 80 03 0C|"; within:20; metadata:service ssl; reference:cve,2009-2511; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-056; classtype:attempted-user; sid:16181; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS Microsoft Windows SMBv2 integer overflow denial of service attempt"; flow:to_server, established; content:"|FE|SMB|40 00|"; isdataat:1000; content:"|00 00 00 00 0B 00|"; within:6; distance:2; content:"|94 01 06 00|"; within:4; distance:54; fast_pattern; byte_test:4,>,61440,20,relative,little; metadata:service netbios-ssn; reference:cve,2009-2526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-050; classtype:attempted-admin; sid:16168; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS Microsoft Windows LSASS integer wrap denial of service attempt"; flow:to_server, established; content:"|05|"; content:"|10|"; within:1; distance:1; content:"|0A 04|"; within:2; distance:17; content:"NTLMSSP|00 03 00 00 00|"; within:12; distance:6; content:!"|00 00|"; within:2; distance:8; byte_test:2, <, 48, 8, relative, little; metadata:service netbios-ssn; reference:cve,2009-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-059; classtype:attempted-dos; sid:16167; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows malformed ASF voice codec memory corruption attempt"; flow:to_client,established; file_data; content:"@|9E|i|F8|M[|CF 11 A8 FD 00 80|_|5C|D+"; isdataat:46,relative; pcre:"/^.{38}\x0a\x00..(?!(\x40\x1f|\x11\x2b|\x80\x3e|\x22\x56)\x00\x00)/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0555; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-051; classtype:attempted-user; sid:16157; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"OS-WINDOWS MS-SQL convert function unicode overflow"; flow:to_server,established; content:"S|00|E|00|L|00|E|00|C|00|T|00| |00|C|00|O|00|N|00|V|00|E|00|R|00|T|00 28 00|v|00|a|00|r|00|c|00|h|00|a|00|r|00|,|00|c|00|r|00|e|00|a|00|t|00|e|00|d|00|a|00|t|00|e|00|,|00|1|00|2|00|3|00|4|00|5|00|6|00|7|00|8|00|9|00|0|00 29 00| |00|F|00|R|00|O|00|M|00| |00|s|00|y|00|s|00|u|00|s|00|e|00|r|00|s"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2008-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-040; classtype:attempted-admin; sid:16073; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Negotiate SSP buffer overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Negotiate"; within:20; nocase; http_header; content:"YIIAEwYGKwYBBQUCoAkwB6EFIwMDAQc=|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:bugtraq,10113; reference:cve,2004-0119; classtype:attempted-admin; sid:15996; rev:8;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft ISA Server DNS spoofing attempt"; flow:to_client; content:"|C0 0C 00 0C 00 01 00 01|Q|80 00 0F 03|www|05|yahoo|03|com|00|"; metadata:service dns; reference:bugtraq,11605; reference:cve,2004-0892; classtype:misc-attack; sid:15988; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt"; flow:to_server,established; content:"GET /fsc/secured|5C|fsc.aspx HTTP/1.1"; metadata:service http; reference:bugtraq,11342; reference:cve,2004-0847; classtype:attempted-user; sid:15985; rev:7;)
# alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Explorer long share name buffer overflow attempt"; flow:to_client,established; content:"|00 00 00 00 F5 01 00 00 00 00 00 00 F5 01 00 00|A|00|A|00|A|00|A|00|A|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,10213; reference:cve,2004-0214; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-037; classtype:attempted-user; sid:15965; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows javascript arguments keyword override rce attempt"; flow:to_client,established; file_data; content:"function arguments"; fast_pattern:only; pcre:"/function arguments\s*\x28\s*\x29\s*\x7b/"; metadata:service http; reference:cve,2009-1920; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-045; classtype:attempted-user; sid:15913; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Color Management Module remote code execution attempt"; flow:to_client,established; file_data; content:"|11 11 12 12 12 0B 0D 14 15 14 12 15 10 12 12 11 01 03 03 03 04 03 04 08 04 04 08 11 0B 0A 0B 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 FF C4 01 A2 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2005-1219; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-016; classtype:attempted-admin; sid:15894; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS replication inform2 request memory corruption attempt"; flow:to_server,established; content:"|00 00 00 03 00 00 00 09|"; depth:8; offset:12; byte_test:4,>,65535,0,relative,big; metadata:policy max-detect-ips drop, service netbios-ns; reference:cve,2009-1924; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-039; classtype:attempted-admin; sid:15849; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"OS-WINDOWS Microsoft Windows 2000 domain authentication bypass attempt"; flow:to_server; content:"0|17 A0 03 02 01 02 A1 10|0|0E 1B 06|krbtgt|1B 04|A123"; content:"|0F|n|FB C0|"; distance:0; metadata:service kerberos; reference:cve,2004-0540; reference:url,attack.mitre.org/techniques/T1097; classtype:attempted-user; sid:15701; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product snews uri handling code execution attempt"; flow:to_client,established; file_data; content:"snews|3A|"; nocase; pcre:"/^[^\n]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:15684; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt"; flow:to_client,established; file_data; content:"AAAAAAAA|00 00 00|0stts|04 00 00 00|"; metadata:service http; reference:cve,2009-1539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15680; rev:7;)
# alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows srvsvc NetrShareEnum netname overflow attempt"; flow:to_client,established; content:"y|06 00 00 00 00 00 00|y|06 00 00|A|00|A|00|"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-0228; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-022; classtype:protocol-command-decode; sid:15523; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP rpcss2_RemoteGetClassObject attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:3; dce_stub_data; content:"|05 00|"; byte_test:2,>,5,0,dce,relative; byte_test:4,!=,0,26,dce,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:38; metadata:service dcerpc; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:15513; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rpcss2_RemoteGetClassObject attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:3; dce_stub_data; content:"|05 00|"; depth:2; byte_test:2,>,5,0,dce,relative; byte_test:4,!=,0,26,dce,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:38; metadata:service dcerpc, service netbios-ssn; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:15512; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows ISA Server cross-site scripting attempt"; flow:to_server,established; content:"CookieAuth.dll"; nocase; http_uri; content:"GetLogonRedir"; distance:0; fast_pattern; nocase; http_uri; content:"formdir="; distance:0; nocase; http_uri; content:"reason="; nocase; http_uri; pcre:"/reason=[^\r\n\x26]+(alert|script|onclick|onload|onmouseover|[\x22\x27\x3c\x3e\x28\x29])/iU"; metadata:service http; reference:cve,2009-0237; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-016; classtype:attempted-user; sid:15475; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DirectShow MJPEG arbitrary code execution attempt"; flow:to_client,established; file_data; content:"LISTt|B4 08 00|movi00db@J|00 00 D0 F5|"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-011; classtype:attempted-user; sid:15457; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15227; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15226; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15225; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15224; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15223; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15222; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15221; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15219; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15218; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15217; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15216; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15215; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15214; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15213; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15212; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15211; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15210; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15209; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15208; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15207; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15206; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15205; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15204; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15203; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15202; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15201; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15200; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15199; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15198; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15197; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15142; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15141; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15140; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15139; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15138; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15137; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15136; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15135; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15134; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15133; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15132; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15131; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15130; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15129; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15128; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15127; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt"; flow:to_client,established; file_data; content:"file|3A 2F 2F 5C 5C|"; nocase; pcre:"/file\x3A\x2F\x2F\x5C\x5C[^\s\x22\x27]{234}/smi"; metadata:service http; reference:cve,2008-4259; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-073; classtype:attempted-user; sid:15115; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB v4 srvsvc NetrpPathCononicalize unicode path cononicalization stack overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; pcre:"/^.{28}(\x00\x1f|\x00\x20)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4250; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067; classtype:attempted-admin; sid:14896; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31,32; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4250; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067; classtype:attempted-admin; sid:14783; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP mqqm QMGetRemoteQueueName overflow attempt"; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:1; dce_stub_data; isdataat:16; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-3479; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-065; classtype:attempted-admin; sid:14726; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|81|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14654; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|81|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14653; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|81|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14652; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|81|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14651; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|81|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14650; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|81|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14648; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Search Search filename size integer underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|81|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14647; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows print spooler little endian DoS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; content:"b|00|l|00|a|00|h|00|_|00|b|00|l|00|a|00|h|00|"; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13594; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft WebDAV MiniRedir remote code execution attempt"; flow:to_client,established; file_data; content:"<D|3A|href>"; fast_pattern; nocase; isdataat:520,relative; content:!"</D|3A|href>"; within:520; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-007; classtype:attempted-user; sid:13474; rev:11;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows vbscript/jscript scripting engine begin buffer overflow attempt"; flow:to_client,established; content:"VBScript.Encode"; content:"|23|@~^"; distance:0; isdataat:6,relative; content:!"="; within:1; distance:6; metadata:policy max-detect-ips drop; reference:cve,2008-0083; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-022; classtype:attempted-user; sid:13448; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product mailto uri handling code execution attempt"; flow:to_client,established; file_data; content:"mailto|3A|"; nocase; content:"|2E|exe"; within:500; nocase; pcre:"/mailto\x3A[^\n\s]*?(\x2Eexe((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5cx)00)/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:13272; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product telnet uri handling code execution attempt"; flow:to_client,established; file_data; content:"telnet|3A|"; nocase; pcre:"/^[^\n\s]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:13271; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product news uri handling code execution attempt"; flow:to_client,established; file_data; content:"news|3A|"; nocase; pcre:"/^[^\n\s]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:13270; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product nntp uri handling code execution attempt"; flow:to_client,established; file_data; content:"nntp|3A|"; nocase; pcre:"/^[^\n\s]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:13269; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB SMBv2 protocol negotiation attempt"; flow:to_server,established; byte_test:1,>,0xFD,4; content:"SMBr"; depth:4; offset:5; content:"|02|SMB 2.001|00|"; offset:36; reference:cve,2007-5351; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-063; classtype:attempted-admin; sid:12947; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS SMBv2 protocol negotiation attempt"; flow:to_server,established; byte_test:1,>,0xFD,4; content:"SMBr"; depth:4; offset:5; content:"|02|SMB 2.001|00|"; offset:36; metadata:service netbios-ssn; reference:cve,2007-5351; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-063; classtype:attempted-admin; sid:12946; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 url handling code execution attempt"; flow:to_client,established; file_data; content:"|22|.bat"; nocase; pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*\x25[^\n]*\x22\x2Ebat/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-061; classtype:attempted-user; sid:12687; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows URI External handler arbitrary command attempt"; flow:to_client,established; content:"%00%00"; pcre:"/(mailto|telnet|news|nntp|snews)\x3A%00%00/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-061; classtype:attempted-user; sid:12643; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS RPC NTLMSSP malformed credentials"; flow:to_server; content:"NTLMSSP|00 03 00 00 00|"; content:"|00 00 00 00|"; within:4; distance:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; within:4; distance:4; content:"|05 00 00 03 10 00 00 00|"; within:500; pcre:"/\x05\x00\x00\x03\x10\x00\x00\x00.{16}\x0a[\x03\x04]/"; metadata:policy max-detect-ips drop; reference:cve,2007-2228; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-058; classtype:denial-of-service; sid:12642; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 2000 Kodak Imaging large offset malformed jpeg tables"; flow:to_client,established; file_data; content:"|0D 0A FF D8|"; content:"|FF DB|"; distance:0; byte_test:2, >, 32767, 2, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; classtype:attempted-user; sid:12632; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 2000 Kodak Imaging small offset malformed jpeg tables"; flow:to_client,established; file_data; content:"|0D 0A FF D8|"; content:"|FF DB|"; distance:0; byte_test:2, =, 0, 2, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; classtype:attempted-user; sid:12631; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Visual Studio Crystal Reports RPT file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|FE FF|"; content:"|E0 85 9F F2 F9|Oh|10 AB 91 08 00|+'|B3 D9|"; within:16; distance:26; content:!"|01 00 00 00|"; within:4; distance:-20; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21261; reference:cve,2006-6133; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-052; reference:url,www.lssec.com/advisories/LS-20061102.pdf; classtype:attempted-user; sid:12463; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Negotiate"; within:50; fast_pattern; nocase; http_header; pcre:"/^Authorization\x3a\s*Negotiate\s*((YE4G.{40}LgMc)|(YIIQ.{40}(QUFB|hAJ9|n5Bh|ST0k)))/smiH"; metadata:service http; reference:bugtraq,9633; reference:cve,2003-0818; reference:cve,2005-1935; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; classtype:attempted-admin; sid:12058; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP spoolss AddPrinter overflow attempt"; flow:to_server,established; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:5; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,28,relative,dce; metadata:service netbios-ssn; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11843; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; isdataat:24; content:!"|00 00 00 02|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:16; byte_test:4,>,276,0,relative; metadata:service wins; reference:bugtraq,11922; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; classtype:misc-attack; sid:11684; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP rpcss _RemoteGetClassObject attempt"; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:3; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11074; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rpcss _RemoteGetClassObject attempt"; flow:to_server,established; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:3; metadata:service netbios-ssn; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11073; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt"; flow:to_server,established; dce_iface:50ABC2A4-574D-40B3-9D66-EE4FD5FBA076; dce_opnum:7; dce_stub_data; pcre:"/^.{8}(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; content:!"|00 00 00 00|"; within:4; byte_test:4,>,256,4,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,23470; reference:cve,2007-1748; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-029; classtype:attempted-admin; sid:10603; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP tapisrv ClientRequest LSetAppPriority overflow attempt"; flow:to_server,established; dce_iface:2f5f6520-ca46-1067-b319-00dd010662da; dce_opnum:1; dce_stub_data; content:"E|00 00 00|"; depth:4; offset:32; byte_test:4,>,1024,-16,relative,dce; metadata:service netbios-ssn; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9914; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numfills parameter buffer overflow attempt"; flow:to_client,established; file_data; content:"recolorinfo"; fast_pattern:only; content:"numfills"; pcre:"/recolorinfo[^>]*numfills\s*=\s*\x22/si"; byte_test:10,>,10000000,0,relative,string; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-004; classtype:attempted-user; sid:9848; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP msqueue function 4 overflow attempt"; flow:to_server,established; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:4; dce_stub_data; byte_test:4,>,128,8,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:9769; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C 20 53 65|"; byte_test:4,>,134217727,24,relative,little; metadata:service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9643; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|40 52 D1 86 1D 31 D0 11 A3 A4 00 A0 C9 03 48 F6|"; byte_test:4,>,134217727,24,relative,little; metadata:service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9642; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|90 08 00 33 B1 E5 CF 11 89 F4 00 A0 C9 03 49 CB|"; byte_test:4,>,715827882,36,relative,little; metadata:service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9641; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt"; flow:to_client,established; file_data; content:"<ref"; nocase; content:"href"; distance:0; nocase; pcre:"/<ref\s+href\s*=\s*\x22([^\x22]{2}|(\x25[0-9A-Z]{2}){1,2})\x3A\x2F[^\x22]{100}/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21247; reference:cve,2006-6134; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-078; classtype:attempted-user; sid:9625; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Agent buffer overflow attempt"; flow:to_client,established; file_data; content:"|C2 AB CD AB|"; byte_test:4,<,500,0,relative,little; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21034; reference:cve,2006-3445; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-068; classtype:attempted-user; sid:9433; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Agent buffer overflow attempt"; flow:to_client,established; file_data; content:"|C4 AB CD AB|"; byte_test:4,<,500,0,relative,little; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21034; reference:cve,2006-3445; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-068; classtype:attempted-user; sid:9432; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs NwGetConnectionInformation overflow attempt"; flow:to_server,established; dce_iface:e67ab081-9844-3521-9d32-834f038001c0; dce_opnum:1; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,128,4,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9228; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs NwrOpenEnumNdsStubTrees_Any overflow attempt"; flow:to_server,established; dce_iface:e67ab081-9844-3521-9d32-834f038001c0; dce_opnum:9; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,128,0,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9132; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt"; flow:to_server,established; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:27; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; content:!"|00 00 00 00|"; within:4; byte_test:4,>,256,4,relative,dce; metadata:service netbios-ssn; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8925; rev:14;)
# alert udp any any -> any 53 (msg:"OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt"; flow:to_server; byte_test:2,&,256,2; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:4; metadata:service dns; reference:cve,2006-5614; classtype:misc-attack; sid:8710; rev:10;)
# alert tcp any any -> any 53 (msg:"OS-WINDOWS Microsoft Windows NAT helper components tcp denial of service attempt"; flow:to_server,established; byte_test:2,&,256,2; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:4; metadata:service dns; reference:cve,2006-5614; classtype:misc-attack; sid:8709; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP webdav DavrCreateConnection username overflow attempt"; flow:to_server,established; dce_iface:C8CB7687-E6D3-11D2-A958-00C04F682E16; dce_opnum:0; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,8,relative,dce; metadata:service netbios-ssn; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8253; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP webdav DavrCreateConnection hostname overflow attempt"; flow:to_server,established; dce_iface:C8CB7687-E6D3-11D2-A958-00C04F682E16; dce_opnum:0; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,8,relative,dce; metadata:service netbios-ssn; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8157; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"OS-WINDOWS Microsoft Windows UPnP Location overflow"; flow:to_server,established; content:"Location|3A|"; fast_pattern:only; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:8083; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"OS-WINDOWS Microsoft Windows UPnP malformed advertisement"; flow:to_server,established; content:"NOTIFY * "; fast_pattern:only; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:8082; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MMC createcab.cmd cross site scripting attempt"; flow:to_client,established; file_data; content:"res|3A|//createcab.cmd"; metadata:service http; reference:bugtraq,19417; reference:cve,2006-3643; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-044; classtype:attempted-user; sid:7424; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MMC mmc.exe cross site scripting attempt"; flow:to_client,established; file_data; content:"res|3A|//mmc.exe"; metadata:service http; reference:bugtraq,19417; reference:cve,2006-3643; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-044; classtype:attempted-user; sid:7423; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MMC mmcndmgr.dll cross site scripting attempt"; flow:to_client,established; file_data; content:"res|3A|//mmcndmgr.dll"; metadata:service http; reference:bugtraq,19417; reference:cve,2006-3643; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-044; classtype:attempted-user; sid:7422; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP srvsvc NetrPathCanonicalize overflow attempt"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; metadata:policy max-detect-ips drop, service netbios-dgm; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7210; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:policy max-detect-ips drop; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7042; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; distance:4; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7041; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7040; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; distance:4; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7039; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:policy max-detect-ips drop; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7038; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7037; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7036; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; distance:4; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7035; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences callback number overflow attempt"; flow:to_server,established; dce_iface:20610036-fa22-11cf-9823-00a0c911e5df; dce_opnum:10; dce_stub_data; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,258,0,relative,dce; metadata:service netbios-ssn; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6906; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences area/country overflow attempt"; flow:to_server,established; dce_iface:20610036-fa22-11cf-9823-00a0c911e5df; dce_opnum:10; dce_stub_data; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,258,0,relative,dce; metadata:service netbios-ssn; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6810; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences phonebook mode overflow attempt"; flow:to_server,established; dce_iface:20610036-fa22-11cf-9823-00a0c911e5df; dce_opnum:10; dce_stub_data; byte_test:4,>,34,68,dce; metadata:service netbios-ssn; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6714; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt"; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:1; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,<,37,0,relative,dce; metadata:service dcerpc; reference:bugtraq,17906; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6456; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContext heap overflow attempt"; flow:to_server,established; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:1; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,<,37,0,relative,dce; metadata:service dcerpc; reference:bugtraq,17906; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6455; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt"; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,<,37,0,relative,dce; metadata:service dcerpc; reference:bugtraq,17906; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6444; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW heap overflow attempt"; flow:to_server,established; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; byte_jump:4,28,multiplier 2,post_offset 10,dce; byte_jump:4,0,relative,multiplier 2,post_offset 10,dce; byte_test:4,>,100,0,relative,dce; metadata:service dcerpc; reference:bugtraq,17906; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6443; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5738; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; metadata:service netbios-ssn; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5737; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; metadata:service netbios-ssn; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5736; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5735; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5734; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5733; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5732; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; metadata:service netbios-ssn; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5731; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; metadata:service netbios-ssn; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5730; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5729; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5728; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5727; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5726; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5725; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; metadata:service netbios-ssn; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5724; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; metadata:service netbios-ssn; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5723; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5722; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5721; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5720; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5719; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; metadata:service netbios-ssn; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; classtype:protocol-command-decode; sid:5718; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; metadata:service netbios-ssn; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5717; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5716; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt"; flow:to_client,established; file_data; content:"|D7 CD C6 9A 00 00|"; depth:6; content:"|00 00 00 00|"; within:4; distance:10; byte_test:2,<,9,4,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,16516; reference:cve,2006-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-004; classtype:attempted-admin; sid:5713; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt"; flow:to_server,established; dce_iface:57674CD0-5200-11CE-A897-08002B2E9C6D; dce_opnum:0; dce_stub_data; byte_test:4,>,256,8,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,12481; reference:cve,2005-0050; reference:cve,2009-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-064; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5485; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows picture and fax viewer wmf arbitrary code execution attempt"; flow:to_client,established; file_data; content:"|01 00 09 00 00 03|R|1F 00 00 06 00|=|00 00 00 00 00|"; content:"&|06 09 00 16 00|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16074; reference:cve,2005-4560; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-001; classtype:web-application-attack; sid:5319; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt"; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:0; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5096; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerGetPrimaryDomainInformation attempt"; flow:to_server,established; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:0; metadata:service netbios-ssn; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5095; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetRootDeviceInstance attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:7; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4826; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt"; dce_iface:d3fbb514-0e3b-11cb-8fad-08002b1d29c3; dce_opnum:0; dce_stub_data; byte_test:4,>,256,8,dce; metadata:service dcerpc; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4755; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP locator nsi_binding_lookup_begin overflow attempt"; flow:to_server,established; dce_iface:d3fbb514-0e3b-11cb-8fad-08002b1d29c3; dce_opnum:0; dce_stub_data; byte_test:4,>,256,8,dce; metadata:service netbios-ssn; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4754; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs function 43 overflow attempt"; flow:to_server,established; dce_iface:e67ab081-9844-3521-9d32-834f038001c0; dce_opnum:43; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,512,4,relative,dce; metadata:service netbios-ssn; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4608; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP spoolss AddPrinterEx overflow attempt"; flow:to_server,established; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:70; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,96,relative,dce; metadata:service netbios-ssn; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4413; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt"; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; metadata:service dcerpc; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:4246; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW overflow attempt"; flow:to_server,established; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; metadata:service dcerpc; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:4245; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_DetectResourceConflict attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:53; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,32,16,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4072; rev:13;)
# alert tcp $HOME_NET any -> $HOME_NET 2702 (msg:"OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt"; flow:to_server,established; content:"RCH0"; fast_pattern:only; content:"RCHE"; nocase; byte_test:2,>,131,-8,relative,little; isdataat:131,relative; reference:bugtraq,10726; reference:cve,2004-0728; classtype:attempted-user; sid:3673; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP mqqm QMDeleteObject overflow attempt"; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:9; dce_stub_data; content:"|01 00 00 00|"; depth:4; offset:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3591; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,993,995] (msg:"OS-WINDOWS Microsoft Windows SSLv3 invalid data version attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:3486; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt"; flow:to_server,established; dce_iface:4d9f4ab8-7d1c-11cf-861e-0020af6e7c57; dce_opnum:0; dce_stub_data; byte_test:4,>,256,52,dce; metadata:ruleset community, service dcerpc, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0528; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3409; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service dcerpc; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3398; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3397; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt"; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3239; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt"; flow:to_server,established; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3238; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3235; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3234; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt"; flow:to_server,established; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:15; dce_stub_data; byte_test:2,>,1024,20,dce; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3218; rev:23;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP"; flow:to_server; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3200; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3199; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3196; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3195; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player directory traversal via Content-Disposition attempt"; flow:to_client,established; content:".wmz"; fast_pattern; nocase; http_header; content:"Content-Disposition|3A|"; nocase; http_header; content:"filename="; nocase; http_header; pcre:"/filename=[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smiH"; metadata:ruleset community, service http; reference:bugtraq,7517; reference:cve,2003-0228; reference:nessus,11595; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-017; classtype:attempted-user; sid:3192; rev:19;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msqueue function 4 overflow attempt"; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:4; dce_stub_data; byte_test:4,>,128,8,dce; metadata:policy max-detect-ips drop, ruleset community, service dcerpc; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3171; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service dcerpc; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3159; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service netbios-ssn; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3158; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt"; flow:to_client,established; file_data; content:"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,11467; reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693; reference:cve,2002-0823; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; metadata:ruleset community, service wins; reference:bugtraq,11763; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; reference:url,www.immunitysec.com/downloads/instantanea.pdf; classtype:misc-attack; sid:3017; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3005; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3004; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3003; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3002; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3001; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3000; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt"; flow:to_server,established; dce_iface:2f5f3220-c126-1076-b549-074d078619da; dce_opnum:12; dce_stub_data; isdataat:256; content:!"|00|"; depth:256; offset:12; metadata:ruleset community, service netbios-ssn; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2936; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT|20|"; depth:5; nocase; isdataat:160,relative; pcre:"/^X?PAT\s+[^\n]{160}/i"; metadata:ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:2927; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; http_header; pcre:"/^Content-Disposition\x3a(\s*|\s*\r?\n\s+)[^\r\n]*?\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smiH"; metadata:ruleset community, service http; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-024; classtype:attempted-user; sid:2589; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt"; flow:to_server,established; content:"/crystalimagehandler"; fast_pattern:only; http_uri; content:"dynamicimage=../"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-017; classtype:web-application-attack; sid:2582; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt"; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:ruleset community, service netbios-dgm; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2511; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:2383; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:2382; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2258; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2257; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:2252; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-recon; sid:2177; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; metadata:ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-recon; sid:2176; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; isdataat:156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; metadata:ruleset community; reference:bugtraq,5807; reference:cve,2002-1214; reference:nessus,11178; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-063; classtype:attempted-admin; sid:2126; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; metadata:ruleset community; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:2101; rev:23;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows UPnP Location overflow attempt"; content:"Location"; fast_pattern:only; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/smi"; metadata:ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2007-2386; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1388; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows WebDAV propfind access"; flow:to_server,established; content:"propfind"; nocase; pcre:"/<a\x3a\s*propfind.*?xmlns\x3a\s*a=[\x21\x22]?DAV[\x21\x22]?/iR"; metadata:ruleset community, service http; reference:bugtraq,1656; reference:cve,2000-0869; reference:cve,2003-0718; reference:nessus,10505; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-030; classtype:web-application-activity; sid:1079; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:14;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows .NET CLR mutlidimensional array handling remote code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FE 01 0A 06 2D 03 00 2B 19 02 17 7D 06 00 00 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3131; reference:cve,2013-3134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-052; classtype:attempted-admin; sid:27139; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows .NET CLR mutlidimensional array handling remote code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FE 01 0A 06 2D 03 00 2B 19 02 17 7D 06 00 00 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3131; reference:cve,2013-3134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-052; classtype:attempted-admin; sid:27136; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt"; flow:to_server,established; file_data; content:"[!] %s"; content:"[*] %s"; content:"[+] %s"; content:"[?] %s"; metadata:service smtp; reference:cve,2013-3660; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-admin; sid:27231; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.lnk; file_data; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-049; classtype:attempted-user; sid:27719; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows malformed shortcut file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.lnk; file_data; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,!&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-049; classtype:attempted-user; sid:27718; rev:3;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Active Directory LDAP denial of service attempt"; icode:0; itype:11; content:"|01 11|"; depth:2; offset:8; content:"|01 85|"; within:2; distance:10; detection_filter:track by_dst, count 500, seconds 1; reference:cve,2013-3868; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-079; classtype:attempted-dos; sid:27860; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HTML Help security zone bypass attempt"; flow:to_client,established; flowbits:isset,file.hhk; file_data; content:"|22|Local|22| value=|22|C|3A 5C|WINDOWS|5C|PCHealth|5C|malwarez6|5B|1|5D|.htm|22|"; fast_pattern:only; metadata:service http; reference:bugtraq,11467; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; classtype:attempted-user; sid:28387; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HTML Help security zone bypass attempt"; flow:to_client,established; flowbits:isset,file.hhk; file_data; content:"|22|Local|22| value=|22|C|3A 5C|exploit.htm|22|"; fast_pattern:only; metadata:service http; reference:bugtraq,11467; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; classtype:attempted-user; sid:28386; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_server,established; file_data; content:"|6A 00 8D 45 BC 50 68 80 00 00 00 8B 4D C8 51 68 00 04 00 00 8B 55 C8 52 68 C8 23 FF 8F 8B 45 D4 50 FF 15|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28872; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_server,established; file_data; content:"|6A 00 89 E2 6A 00 52 68 80 00 00 00 50 68 00 04 00 00 50 68 C8 23 FF 8F 57 FF 56 08|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28871; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_server,established; file_data; content:"|5C 5C 5C 5C 2E 5C 5C|NDProxy"; fast_pattern:only; content:"DeviceIoControl"; content:"0x8fff23cc"; metadata:service smtp; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28870; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_client,established; file_data; content:"|6A 00 8D 45 BC 50 68 80 00 00 00 8B 4D C8 51 68 00 04 00 00 8B 55 C8 52 68 C8 23 FF 8F 8B 45 D4 50 FF 15|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28869; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_client,established; file_data; content:"|6A 00 89 E2 6A 00 52 68 80 00 00 00 50 68 00 04 00 00 50 68 C8 23 FF 8F 57 FF 56 08|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28868; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_client,established; file_data; content:"|5C 5C 5C 5C 2E 5C 5C|NDProxy"; fast_pattern:only; content:"DeviceIoControl"; content:"0x8fff23cc"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28867; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows embedded OpenType font engine LZX decompression buffer overflow attempt"; flow:to_server,established; file_data; content:"|DE 0D 00 00 82 0C 00 00 02 00 02 00 E5|"; content:"|53 50 13 80 50 59 53 50 5B 7C D0 55 FD 06 58 94 D3 E3 98 7C|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,37671; reference:cve,2010-0018; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-001; classtype:attempted-admin; sid:29014; rev:3;)
# alert tcp any [137,139] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Microsoft Windows RAP API NetServerEnum2 long comment buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.lanman; content:"|FF|SMB|25 00 00 00 00|"; depth:9; offset:4; byte_test:1,&,0x80,0,relative; byte_jump:2,50,relative,multiplier 26,little,post_offset 2; isdataat:32,relative; pcre:"/[^\x00]{50}/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-1852; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-admin; sid:29513; rev:4;)
# alert tcp $EXTERNAL_NET [443] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows secure channel malformed certificate request memory corruption attempt"; flow:to_client,established; ssl_state:server_hello; content:"|16 03 01|"; depth:3; content:"|02|"; within:1; distance:2; byte_jump:3,0,relative; content:"|0B|"; within:1; byte_jump:3,0,relative; content:"|0D|"; within:1; byte_test:1,>,50,3,relative; byte_extract:1,4,preferred_cert,relative; byte_test:1,=,preferred_cert,0,relative; byte_test:1,=,preferred_cert,1,relative; metadata:service ssl; reference:bugtraq,42246; reference:cve,2010-2566; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-049; classtype:attempted-dos; sid:29823; rev:3;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt"; flow:to_client,established; content:"|00 00 3A 48 FE|SMB@|00|"; depth:10; isdataat:130,relative; content:"|04 01 82 37 02 02 0A A2 81 F1 04 81 EE 4E 54 4C 4D 53 53 50 00 02 00 00 00 14 00 14|"; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2010-0477; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-admin; sid:29943; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt"; flow:to_server,established; content:".aspx?"; http_uri; content:"|2F 2C 27|"; fast_pattern; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-007; classtype:attempted-user; sid:30233; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt"; flow:to_server,established; content:".aspx?"; http_uri; content:"|2F 2C 22|"; fast_pattern; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-007; classtype:attempted-user; sid:30232; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt"; flow:to_server,established; content:"url="; fast_pattern:only; http_uri; pcre:"/[?&]url=[^&]*?javascript\x3a/Ui"; metadata:service http; reference:cve,2014-1823; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-032; classtype:web-application-attack; sid:31217; rev:3;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"a|00|s|00|f|00|e|00|r|00|r|00|o|00|r|00|D|00|A|00|N|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31416; rev:4;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"w|00|i|00|n|00|i|00|e|00|t|00|D|00|A|00|N|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31415; rev:4;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"w|00|m|00|e|00|r|00|r|00|o|00|r|00|D|00|A|00|N|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31414; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|asferrorDAN.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31413; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|winietDAN.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31412; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wmerrorDAN.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31411; rev:4;)
alert tcp any any -> $HOME_NET 88 (msg:"OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt"; flow:to_server,established; content:"|A1 03 02 01 05 A2 03 02 01 0A|"; depth:10; offset:12; content:"|A7 06 02 04|"; distance:0; content:"|A8|"; within:1; distance:4; content:"|30|"; within:1; distance:1; content:"|02 01 00 02 01 00|"; within:6; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service kerberos; reference:url,attack.mitre.org/techniques/T1097; reference:url,technet.microsoft.com/library/9111e6f0-fb7f-4340-b87a-ab941978efe1.aspx; classtype:attempted-user; sid:31874; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|89 1D 03 00 00 00 C6 05 11 00 00 00 04 C7 05 5B 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32146; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5A 77 41 6C 6C 6F 63 61 74 65 56 69 72 74 75 61 6C 4D 65 6D 6F 72 79 00|"; fast_pattern:only; content:"|B8 FB FF FF FF|"; metadata:service smtp; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32145; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|48 A3 0B 00 00 00 01 00 00 00 B0 04 A2 25 00 00 00 01 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32144; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|89 1D 03 00 00 00 C6 05 11 00 00 00 04 C7 05 5B 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32143; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5A 77 41 6C 6C 6F 63 61 74 65 56 69 72 74 75 61 6C 4D 65 6D 6F 72 79 00|"; fast_pattern:only; content:"|B8 FB FF FF FF|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32142; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|48 A3 0B 00 00 00 01 00 00 00 B0 04 A2 25 00 00 00 01 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32141; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TrueType Font parsing remote code execution attempt"; flow:to_server,established; file_data; content:"|00 01 00 00 00 09 CF F4 00 03 7F FF 00 00 00 00 00 00 00 0A 00 00 00 00 00 64 00 00 00 00 00 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-058; classtype:attempted-user; sid:32191; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TrueType Font parsing remote code execution attempt"; flow:to_client,established; file_data; content:"|00 01 00 00 00 09 CF F4 00 03 7F FF 00 00 00 00 00 00 00 0A 00 00 00 00 00 64 00 00 00 00 00 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-058; classtype:attempted-user; sid:32190; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows tcpip.sys null pointer dereference attempt"; flow:to_server,established; file_data; content:"|24 14 20 00 00 00 C7 44 24 10 00 00 00 00 C7 44 24 0C 20 00 00 00 8B 45 F0 89 44 24 08 C7 44 24 04 28 00 12 00 8B 45 F4 89 04 24 A1 1C 61 40 00 FF D0|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-4076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-070; classtype:attempted-admin; sid:32490; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows tcpip.sys null pointer dereference attempt"; flow:to_client,established; file_data; content:"|24 14 20 00 00 00 C7 44 24 10 00 00 00 00 C7 44 24 0C 20 00 00 00 8B 45 F0 89 44 24 08 C7 44 24 04 28 00 12 00 8B 45 F4 89 04 24 A1 1C 61 40 00 FF D0|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-070; classtype:attempted-admin; sid:32489; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS .NET Framework BinaryServerFormatterSink-ProcessMessage IMessage corruption attempt"; flow:to_server,established; file_data; content:"Installer|00|FakeAsm|00|IRemoteClass|00|GetExistingRemoteClass"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4149; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-072; classtype:attempted-user; sid:32475; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS .NET Framework BinaryServerFormatterSink-ProcessMessage IMessage corruption attempt"; flow:to_client,established; file_data; content:"Installer|00|FakeAsm|00|IRemoteClass|00|GetExistingRemoteClass"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4149; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-072; classtype:attempted-user; sid:32474; rev:1;)
alert udp $EXTERNAL_NET 4433 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DTLSv1.0 hello verify request out of bounds read attempt"; flow:to_client; content:"|16 FE FF|"; depth:3; content:"|03|"; within:1; distance:10; byte_extract:3,8,fragment_len,relative; content:"|FE FF|"; within:2; byte_test:1,>,fragment_len,0,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32423; rev:2;)
alert udp $EXTERNAL_NET 4433 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DTLSv1.0 handshake cookie buffer overflow attempt"; flow:to_client; content:"|16 FE FF|"; depth:3; content:"|03|"; within:1; distance:10; content:"|FE FF|"; within:2; distance:11; byte_test:1,>,32,0,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32422; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|16 03 03|"; depth:3; content:"|10|"; within:1; distance:2; byte_extract:3,0,client_keyx_len,relative; byte_test:1,>,client_keyx_len,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32421; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|16 03 02|"; depth:3; content:"|10|"; within:1; distance:2; byte_extract:3,0,client_keyx_len,relative; byte_test:1,>,client_keyx_len,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32420; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|16 03 01|"; depth:3; content:"|10|"; within:1; distance:2; byte_extract:3,0,client_keyx_len,relative; byte_test:1,>,client_keyx_len,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32419; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 05 2B 81 04 00 22|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_jump:1,0,relative; content:"|02|"; within:1; byte_test:1,>,0x31,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32417; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 05 2B 81 04 00 22|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_test:1,>,0x31,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32416; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_jump:1,0,relative; content:"|02|"; within:1; byte_test:1,>,0x21,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32415; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_test:1,>,0x21,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32414; rev:5;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 18|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 60|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32413; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 17|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 40|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32412; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 16|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 40|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32411; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 05 2B 81 04 00 23|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:2; byte_jump:1,0,relative; content:"|02|"; within:1; byte_test:1,>,0x42,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32410; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 05 2B 81 04 00 23|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:2; byte_test:1,>,0x42,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32409; rev:3;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 13|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 30|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32408; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 12|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 30|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32407; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 11|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 28|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32406; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 10|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 28|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32405; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 0F|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 28|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32404; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows search protocol remote command injection attempt"; flow:to_client,established; content:"src="; nocase; content:"search-ms:"; within:12; nocase; pcre:"/src=(?P<q1>[\x22\x27])\s*?search-ms\x3a[^#]*?#[^(P=q1)]*?\x2f(root|select)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-075; classtype:attempted-user; sid:32615; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 38 04 01|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_test:1,<,0x14,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32732; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 38 04 01|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_jump:1,0,relative; content:"|02|"; within:1; byte_test:1,<,0x14,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32731; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Multiple product mailto uri handling code execution attempt"; flow:to_server,established; file_data; content:"mailto|3A|"; nocase; content:"|2E|cmd"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?(\x2Ecmd((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5cx)00)/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:32871; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt"; flow:to_server,established; file_data; content:"launchURL"; nocase; content:"http|3A|"; distance:0; pcre:"/[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)/Ri"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:32870; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt"; flow:to_server,established; file_data; content:"document|2E|location|2E|replace"; content:"|2E|exe"; distance:0; nocase; content:"|2E|pdf"; distance:0; nocase; pcre:"/document\x2Elocation\x2Ereplace\s*\x28\s*[\x22\x27][a-z0-9]+\.exe\?[a-z0-9]+\.pdf/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:32869; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows identity token authorization bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"NtApphelpCacheControl"; fast_pattern:only; content:"RtlInitUnicodeString"; content:"|00|S|00|y|00|s|00|t|00|e|00|m|00|"; metadata:service smtp; reference:cve,2015-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-001; classtype:attempted-admin; sid:32966; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows identity token authorization bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"NtApphelpCacheControl"; fast_pattern:only; content:"RtlInitUnicodeString"; content:"|00|S|00|y|00|s|00|t|00|e|00|m|00|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-001; classtype:attempted-admin; sid:32965; rev:4;)
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 07|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,252,0,relative; isdataat:252,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0900; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-user; sid:33017; rev:1;)
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 04|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,252,0,relative; isdataat:252,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0900; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-user; sid:33016; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WebdavRedirector privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 5C 00 5C 00|?|00 5C 00|G|00|L|00|O|00|B|00|A|00|L|00|R|00|O|00|O|00|T|00 5C 00|D|00|e|00|v|00|i|00|c|00|e|00 5C 00|W|00|e|00|b|00|d|00|a|00|v|00|R|00|e|00|d|00|i|00|r|00|e|00|c|00|t|00|o|00|r|00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-008; classtype:attempted-user; sid:33049; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WebdavRedirector privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 5C 00 5C 00|?|00 5C 00|G|00|L|00|O|00|B|00|A|00|L|00|R|00|O|00|O|00|T|00 5C 00|D|00|e|00|v|00|i|00|c|00|e|00 5C 00|W|00|e|00|b|00|d|00|a|00|v|00|R|00|e|00|d|00|i|00|r|00|e|00|c|00|t|00|o|00|r|00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-008; classtype:attempted-user; sid:33048; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS CryptProtectMemory Impersonation Check Bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 00 01 2E 40 00 23 4A 40 00 AB 63 40 00 F5 C1 40 00 83 74 40 00 00 00 00 00 00 00 00 00 66 F0 40 00 5A 11 41 00 1E 64 40|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0010; classtype:attempted-admin; sid:33156; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS CryptProtectMemory Impersonation Check Bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 00 01 2E 40 00 23 4A 40 00 AB 63 40 00 F5 C1 40 00 83 74 40 00 00 00 00 00 00 00 00 00 66 F0 40 00 5A 11 41 00 1E 64 40|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0010; classtype:attempted-admin; sid:33155; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"|00 00 00 1F 00 11 3A FF FF 0F 00 46 00 6F 00 72 00 6F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,17459; reference:cve,2006-0014; reference:cve,2006-2386; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-016; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-076; classtype:attempted-user; sid:33198; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt"; flow:to_server,established; file_data; content:"|68 18 01 00 00 68 18 01 00 00 6A 00 8D 45 DC 50 FF 15 CC 43 43 00 3B F4 E8 91 10 FF FF 85 C0 75 02|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-010; classtype:attempted-admin; sid:33364; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt"; flow:to_client,established; file_data; content:"|68 18 01 00 00 68 18 01 00 00 6A 00 8D 45 DC 50 FF 15 CC 43 43 00 3B F4 E8 91 10 FF FF 85 C0 75 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-010; classtype:attempted-admin; sid:33363; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys use-after-free attempt"; flow:to_client,established; file_data; content:"|2C 02 01 00 1C 02 01 00 0E 02 01 00 FE 01 01 00 EC 01 01 00 D8 01 01 00 C6 01 01 00 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0057; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-010; classtype:attempted-admin; sid:33355; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 8 x64 linked cursor double free attempt"; flow:to_server,established; file_data; content:"|41 B9 04 00 00 00 41 B8 01 00 00 00 BA 01 00 00 00 33 C9 FF 15 78 9B 00 00 48 89 84 24 B0 00 00 00|"; fast_pattern; content:"|41 B9 04 00 00 00 41 B8 01 00 00 00 BA 01 00 00 00 33 C9 FF 15 3B 9B 00 00 48 89 84 24 B8 00 00 00|"; within:64; metadata:service smtp; reference:cve,2015-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-010; classtype:attempted-user; sid:33344; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 8 x64 linked cursor double free attempt"; flow:to_client,established; file_data; content:"|41 B9 04 00 00 00 41 B8 01 00 00 00 BA 01 00 00 00 33 C9 FF 15 78 9B 00 00 48 89 84 24 B0 00 00 00|"; fast_pattern; content:"|41 B9 04 00 00 00 41 B8 01 00 00 00 BA 01 00 00 00 33 C9 FF 15 3B 9B 00 00 48 89 84 24 B8 00 00 00|"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-010; classtype:attempted-user; sid:33343; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Comctl32.dll third-party SVG viewer heap overflow attempt"; flow:to_server,established; file_data; content:"<svg "; nocase; content:"transform"; distance:0; nocase; pcre:"/<svg .{0,1000}transform\s*=\s*[\x22\x27][^\x22\x27]{500}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-2746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-081; classtype:attempted-user; sid:33479; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt"; flow:to_server,established; file_data; content:"NtSetValueKey|00 00 00|T|00|e|00|s|00|t|00|V|00|a|00|l|00|u|00|e"; fast_pattern:only; content:"MSDN S4U Logon Sample"; metadata:service smtp; reference:cve,2015-0073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-025; classtype:attempted-user; sid:33774; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt"; flow:to_client,established; file_data; content:"NtSetValueKey|00 00 00|T|00|e|00|s|00|t|00|V|00|a|00|l|00|u|00|e"; fast_pattern:only; content:"MSDN S4U Logon Sample"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-025; classtype:attempted-user; sid:33773; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt"; flow:to_server,established; file_data; content:"|00 40 40 00 C0 35 40 00 03 00 00 00 52 53 44 53 83 9E 0A 38 D1 D1 66 4C 8B CD 6D 16 36 05 E5 A6 01 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-023; classtype:attempted-recon; sid:33770; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt"; flow:to_client,established; file_data; content:"|00 40 40 00 C0 35 40 00 03 00 00 00 52 53 44 53 83 9E 0A 38 D1 D1 66 4C 8B CD 6D 16 36 05 E5 A6 01 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-023; classtype:attempted-recon; sid:33769; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserFnINOUTNCCALCSIZE kernel memory leak attempt"; flow:to_server,established; file_data; content:"|34 40 00 30 10 40 00 E0 10 40 00 F0 10 40 00 60 10 40 00 C0 10 40 00 80 10 40 00 60 35 40 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-023; classtype:attempted-user; sid:33768; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserFnINOUTNCCALCSIZE kernel memory leak attempt"; flow:to_client,established; file_data; content:"|34 40 00 30 10 40 00 E0 10 40 00 F0 10 40 00 60 10 40 00 C0 10 40 00 80 10 40 00 60 35 40 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-023; classtype:attempted-user; sid:33767; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt"; flow:established,to_server; flowbits:isset,file.exe; file_data; content:"NtUserGetClipboardAccessToken_SecurityBypass"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0078; reference:cve,2015-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-097; classtype:attempted-admin; sid:33766; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt"; flow:established,to_client; flowbits:isset,file.exe; file_data; content:"NtUserGetClipboardAccessToken_SecurityBypass"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0078; reference:cve,2015-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-097; classtype:attempted-admin; sid:33765; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS ATLMFD.DLL improperly terminated encrypted charstrings in type 1 font attempt"; flow:to_server,established; file_data; content:"|A4 3C 53 73 F8 D6 F6 32 A5 85 CB 7E CE 7E A5 BB DA C2 47 37 A2 09 42 5C 64 25 EA 86 D6 D8 80 01 15 02 00 00 0A 30 30 30|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-user; sid:33729; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS ATLMFD.DLL improperly terminated encrypted charstrings in type 1 font attempt"; flow:to_client,established; file_data; content:"|A4 3C 53 73 F8 D6 F6 32 A5 85 CB 7E CE 7E A5 BB DA C2 47 37 A2 09 42 5C 64 25 EA 86 D6 D8 80 01 15 02 00 00 0A 30 30 30|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-user; sid:33728; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Task Scheduler access control bypass attempt"; flow:to_client,established; file_data; content:"|34 53 FF FF 39 B0 80 00 00 00 74 31 81 3F 4D 4F 43 E0 74 29 81 3F 52 43 43 E0 74 21 FF 75 24 FF 75 20 53 FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-028; classtype:attempted-admin; sid:33717; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt"; flow:to_server,established; flowbits:isset,file.psfont; content:"|F9 D4 59 5C 86 22 CB C8 45 EE 2A 82 A0 97 9A CF 20 2B 32 1C E4 46 58 47 DB 81 68 53 D7 F8 10 2E|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-021; classtype:attempted-admin; sid:33714; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt"; flow:to_client,established; flowbits:isset,file.psfont; file_data; content:"|F9 D4 59 5C 86 22 CB C8 45 EE 2A 82 A0 97 9A CF 20 2B 32 1C E4 46 58 47 DB 81 68 53 D7 F8 10 2E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-021; classtype:attempted-admin; sid:33713; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Type one font out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|88 79 F2 E3 79 B5 B8 DD BC 08 51 17 FC 29 1A 6C 1C CE EB 34 8D 37 68 89 9B 3F 87 83 83 9E 80 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0090; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-user; sid:33712; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Type one font out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|88 79 F2 E3 79 B5 B8 DD BC 08 51 17 FC 29 1A 6C 1C CE EB 34 8D 37 68 89 9B 3F 87 83 83 9E 80 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0090; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-user; sid:33711; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt"; flow:to_server,established; file_data; content:"getElementById"; nocase; content:"setTimeout"; fast_pattern; nocase; pcre:"/\x2esrc\s*=\s*[\x22\x27]([^\x2e]+)\x2exml\x3f[\x22\x27]\s*\x2b.*\x2esrc\s*=\s*[\x22\x27]\1\x2exml\x3f[^\x22\x27]+[\x22\x27]\s\x2b/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-user; sid:33829; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementById("; nocase; content:".src ="; distance:0; nocase; content:"+ Math.random()"; distance:0; nocase; content:"setTimeout"; fast_pattern; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-user; sid:33828; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById("; nocase; content:".src ="; distance:0; nocase; content:"+ Math.random()"; distance:0; nocase; content:"setTimeout"; fast_pattern; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-user; sid:33827; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"NTLMSSP|00 03 00 00 00|"; within:100; content:"|00 00 00 00 40 00 00 00|"; within:8; distance:24; flowbits:set,smb.null_session; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:33825; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_test:1,<,0x14,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:34058; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_jump:1,0,relative; content:"|02|"; within:1; byte_test:1,<,0x14,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:34057; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"OS-WINDOWS Microsoft Windows NtCreateTransactionManager type confusion attempt"; flow:established,to_server; flowbits:isset,file.exe; file_data; content:"|5C 00 30 00 5C 00 44 00 6F 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 30 00 38 00 58|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1643; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-admin; sid:34096; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtCreateTransactionManager type confusion attempt"; flow:established,to_client; flowbits:isset,file.exe; file_data; content:"|5C 00 30 00 5C 00 44 00 6F 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 30 00 38 00 58|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1643; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-admin; sid:34095; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Defender misconfiguration MpCmdRun.exe system execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"MpCmdRun.exe -ListAllDynamicSignatures"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-037; classtype:attempted-admin; sid:34092; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Defender misconfiguration MpCmdRun.exe system execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MpCmdRun.exe -ListAllDynamicSignatures"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-037; classtype:attempted-admin; sid:34091; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt"; flow:to_server,established; file_data; content:"gSharedInfo|00|u|00|s|00|e|00|r|00|3|00|2|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; content:"|36 00 00 00 C7 05|"; content:"|2C 00 00 00 C7 05|"; within:6; distance:4; content:"|40 00 00 00 C7 05|"; within:6; distance:4; content:"|F8 00 00 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-admin; sid:34179; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt"; flow:to_client,established; file_data; content:"gSharedInfo|00|u|00|s|00|e|00|r|00|3|00|2|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; content:"|36 00 00 00 C7 05|"; content:"|2C 00 00 00 C7 05|"; within:6; distance:4; content:"|40 00 00 00 C7 05|"; within:6; distance:4; content:"|F8 00 00 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-admin; sid:34178; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt"; flow:to_server,established; file_data; content:"|00 40 40 00 C0 35 40 00 03 00 00 00 52 53 44 53 B5 A8 67 C4 93 E3 C7 40 A9 C1 C9 77 FF 00 B5 B0 01 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1676; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-051; classtype:attempted-recon; sid:34443; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt"; flow:to_client,established; file_data; content:"|00 40 40 00 C0 35 40 00 03 00 00 00 52 53 44 53 B5 A8 67 C4 93 E3 C7 40 A9 C1 C9 77 FF 00 B5 B0 01 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1676; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-051; classtype:attempted-recon; sid:34442; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k TrueType Font parsing out of bounds attempt"; flow:to_server,established; file_data; content:"|CF F4 00 03 7F FF 00 00 00 00 00 00 00 0A 00 00 00 00 00 64 00 00 00 00 00 02|"; fast_pattern:only; content:"|B0 27 B0 15 B0 38 43 60 42 B0 01 68|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1671; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-044; classtype:attempted-user; sid:34441; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k TrueType Font parsing out of bounds attempt"; flow:to_client,established; file_data; content:"|CF F4 00 03 7F FF 00 00 00 00 00 00 00 0A 00 00 00 00 00 64 00 00 00 00 00 02|"; fast_pattern:only; content:"|B0 27 B0 15 B0 38 43 60 42 B0 01 68|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1671; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-044; classtype:attempted-user; sid:34440; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Explorer .msc file stack overflow attempt"; flow:to_server,established; file_data; content:"<Binary"; content:"CONSOLE_FILE_ICON_SMALL"; within:100; isdataat:7000,relative; content:!"</Binary"; within:7000; metadata:service smtp; reference:cve,2015-1681; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-054; classtype:attempted-user; sid:34439; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Explorer .msc file stack overflow attempt"; flow:to_client,established; file_data; content:"<Binary"; content:"CONSOLE_FILE_ICON_SMALL"; within:100; isdataat:7000,relative; content:!"</Binary"; within:7000; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1681; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-054; classtype:attempted-user; sid:34438; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows .NET XML recursive call denial of service attempt"; flow:to_server,established; file_data; content:"|3F 5F 7F 11 D5 0A 3A 05 20 01 01 12 11 05 20 01 12 19 0E 05 20 01 12 1D 08 05 20 01 01 12 21 03 20 00 02 05|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1672; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-048; classtype:attempted-dos; sid:34435; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows .NET XML recursive call denial of service attempt"; flow:to_client,established; file_data; content:"|3F 5F 7F 11 D5 0A 3A 05 20 01 01 12 11 05 20 01 12 19 0E 05 20 01 12 1D 08 05 20 01 01 12 21 03 20 00 02 05|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1672; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-048; classtype:attempted-dos; sid:34434; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt"; flow:to_server,established; file_data; content:"|BA 40 00 39 00 48 8B 4C 24 60 FF 15 05 BE 00 00 48 8B 54 24 70 48 8D 0D B1 C0 00 00 E8 40 00 00 00 48 8B 4C 24 60|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74488; reference:cve,2015-1674; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-052; classtype:attempted-recon; sid:34427; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt"; flow:to_client,established; file_data; content:"|BA 40 00 39 00 48 8B 4C 24 60 FF 15 05 BE 00 00 48 8B 54 24 70 48 8D 0D B1 C0 00 00 E8 40 00 00 00 48 8B 4C 24 60|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74488; reference:cve,2015-1674; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-052; classtype:attempted-recon; sid:34426; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt"; flow:to_server,established; file_data; content:"|68 AC 32 40 00 8D 44 24 50 6A 1F 50 E8 A1 07 00 00 8B 0D 50 30 40 00 8D 54 24 58 83 C4 10 E8 2F|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1677; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-051; classtype:attempted-admin; sid:34414; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt"; flow:to_client,established; file_data; content:"|68 AC 32 40 00 8D 44 24 50 6A 1F 50 E8 A1 07 00 00 8B 0D 50 30 40 00 8D 54 24 58 83 C4 10 E8 2F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1677; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-051; classtype:attempted-admin; sid:34413; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Calendar object heap corruption attempt"; flow:to_server,established; file_data; content:"|08 1A 02 E9 9E 48 80 43 BD D9 09 28 B3 91 21 AB 00 08 B7 7A 5C 56 19 34 E0 89 03 06 12 0D 04 20 01 01 02 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1673; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-048; classtype:attempted-user; sid:34402; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Calendar object heap corruption attempt"; flow:to_client,established; file_data; content:"|08 1A 02 E9 9E 48 80 43 BD D9 09 28 B3 91 21 AB 00 08 B7 7A 5C 56 19 34 E0 89 03 06 12 0D 04 20 01 01 02 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1673; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-048; classtype:attempted-user; sid:34401; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserGetComboBoxInfo information disclosure attempt"; flow:to_server,established; file_data; content:"|50 68 AC 32 40 00 8D 44 24 48 6A 1F 50 E8 A1 07 00 00 8B 0D 50 30 40 00 8D 54 24 50 83 C4 10 E8|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1678; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-051; classtype:attempted-recon; sid:34378; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserGetComboBoxInfo information disclosure attempt"; flow:to_client,established; file_data; content:"|50 68 AC 32 40 00 8D 44 24 48 6A 1F 50 E8 A1 07 00 00 8B 0D 50 30 40 00 8D 54 24 50 83 C4 10 E8|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1678; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-051; classtype:attempted-recon; sid:34377; rev:2;)
alert tcp $HOME_NET any -> any [137,139] (msg:"OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage attempt"; flow:to_server,established; content:"LANMAN"; flowbits:set,file.lanman; flowbits:noalert; metadata:service netbios-ssn; classtype:misc-activity; sid:29514; rev:6;)
alert tcp $HOME_NET any -> any [137,139] (msg:"OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage attempt"; flow:to_server,established; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|L|00|A|00|N|00|M|00|A|00|N"; flowbits:set,file.lanman; flowbits:noalert; metadata:service netbios-ssn; classtype:misc-activity; sid:28425; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB malformed process ID high field denial of service attempt"; flow:to_server,established; content:"|02|SMB 2"; fast_pattern:only; content:"|FF|SMBr"; depth:5; offset:4; content:!"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-2532; reference:cve,2009-3103; reference:url,technet.microsoft.com/en-us/security/advisory/975497; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-050; classtype:attempted-dos; sid:26643; rev:6;)
# alert tcp any [137,139] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long comment buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.lanman; content:"|FF|SMB|25 00 00 00 00|"; depth:9; offset:4; byte_test:1,&,0x80,0,relative; byte_jump:2,51,relative,multiplier 26,little,post_offset 2; isdataat:32,relative; pcre:"/[^\x00]{50}/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-1852; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-admin; sid:24336; rev:12;)
# alert tcp any [138,139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt"; flow:to_client,established; flowbits:isset,netsenum; content:"|EA 00|"; depth:3; offset:59; isdataat:22; content:!"|00|"; within:16; distance:6; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:bugtraq,54940; reference:cve,2012-1853; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-dos; sid:24007; rev:15;)
alert tcp $HOME_NET any -> any [138,139,445] (msg:"OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt"; flow:to_server,established; content:"|68 00|WrLehD"; pcre:"/^[oz]/Ri"; content:"|01 00|"; within:2; distance:9; flowbits:set,netsenum; flowbits:noalert; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,54940; reference:cve,2012-1853; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-dos; sid:23839; rev:18;)
# alert tcp $EXTERNAL_NET [138,139] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB NetServerEnum response host format string exploit attempt"; flow:to_client,established; content:"|00|"; depth:1; content:"|FF|SMB%|00 00 00 00|"; within:9; distance:3; content:"|00 00|"; within:2; distance:47; byte_test:2,<,100,2,relative,little; content:"%"; within:1000; distance:2; pcre:"/^(\d+\x24)?(\d+)?[nxcsd]/iR"; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1851; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-admin; sid:23838; rev:11;)
# alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB invalid character argument injection attempt"; flow:to_client,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; isdataat:200; byte_test:1,&,0x80,0,relative; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:13; content:"|00|"; within:1; distance:28 ; pcre:"/([\x21-\x7F]\x00){1,50}[\x3C\x3E\x3A\x22\x7C\x3F\x2A]/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-0175; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-048; classtype:attempted-user; sid:23314; rev:13;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt"; flow:to_client,established; content:"|00 00 FF FF FE|SMB@|00|"; depth:10; isdataat:130,relative; content:"|01 00|"; within:2; distance:6; content:"|A0 00 00 00|"; within:4; distance:6; content:"H|00 04 01|"; within:4; distance:44; content:"AAAAAAAA"; within:8; distance:56; metadata:policy max-detect-ips drop, policy security-ips alert, service netbios-ssn; reference:cve,2010-0477; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-020; classtype:attempted-admin; sid:23237; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows RemoteDesktop new session flood attempt"; flow:to_server,established,no_stream; content:"|02 F0 80 7F 65|"; content:"|03 00|"; within:2; distance:-9; detection_filter:track by_src,count 10,seconds 3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; classtype:attempted-admin; sid:21570; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows RDP RST denial of service attempt"; flow:to_server,no_stream; flags:R; detection_filter:track by_src, count 200, seconds 1; metadata:policy max-detect-ips drop; reference:cve,2012-0152; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-001; classtype:attempted-dos; sid:21568; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; file_data; content:"|62 69 6E EC 56 CD 6E D3 40 10 9E 34 14 A8 69 24 E0 C0 A1 27 2B 27 07 B5 56 D2 AA 07 22 15 D1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:21508; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; file_data; content:"|10 00 11 10 BA 05 00 00 00 1A 00 00 78 9C ED 19 CB 6E 1C 45 B0 76 4D 88 ED 24 24 E1 4D 08 30|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:21507; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; file_data; content:"|62 69 6E EC 56 5B 6F 1B 45 14 1E BB 84 92 B4 A5 17 A0 2D E5 B6 DD 42 B9 54 DE F5 DA A8 17 CB|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:21506; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; file_data; content:"|62 69 6E EC 55 CD 6E D3 40 10 9E A4 14 A8 69 24 E0 C0 A1 27 2B 27 07 B5 56 12 94 03 91 8A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:21505; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; file_data; content:"|10 00 11 10 B6 08 00 00 00 32 00 00 78 01 EC 5A 5D 6C 1C 57 15 3E B3 B6 13 27 4D 5D 3B 49 43 D2 40 3B 91 D3 90 D2 66 BB EB 9F FC 15 C2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:21504; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt"; flow:to_client,established; file_data; content:"style="; nocase; content:"|5C 2C 22|"; within:50; fast_pattern; content:"expression"; within:50; nocase; pcre:"/style\s*=\s*\x27?[^\x27]*?\x5C\x2C\x22[^\x27]+expression\s*\x28/"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-007; classtype:attempted-user; sid:21405; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt"; flow:to_client,established; file_data; content:"style="; nocase; content:"|5C 2C 27|"; within:50; fast_pattern; content:"expression"; within:50; nocase; pcre:"/style\s*=\s*\x22?[^\x22]*?\x5C\x2C\x27[^\x22]+expression\s*\x28/"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-007; classtype:attempted-user; sid:20884; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS generic web server hashing collision attack"; flow:established,to_server; content:"Content-Type|3A|"; nocase; http_header; content:"multipart/form-data"; within:40; nocase; http_header; isdataat:5000; pcre:"/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){250}/OPsmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-100; classtype:attempted-dos; sid:20824; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_client,established; file_data; content:"|00 01 00 00 0E B7 AD 87 5F 0F 3C F5 00 03 03 E8 00 00 00 00 C9 D2 5F 76 00 00 00 00 C9 D2 5F 76 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-user; sid:20073; rev:14;)
# alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB client TRANS response paramcount overflow attempt"; flow:to_client,established; content:"|FF|SMB2"; depth:5; offset:4; fast_pattern; byte_test:3,>,40,1,big; isdataat:36,relative; byte_extract:2,28,total,relative,little; content:"|00 00|"; within:2; distance:2; byte_test:2,>,total,0,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:attempted-admin; sid:19972; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft XML core services cross-domain information disclosure attempt"; flow:to_client,established; file_data; content:"XMLHttpRequest"; pcre:"/setRequestHeader.*chunked/smiR"; content:"send"; distance:0; content:"0|5C|r|5C|n|5C|r|5C|n"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-recon; sid:19818; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Groove GroovePerfmon.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|GroovePerfmon.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3146; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-016; classtype:attempted-user; sid:19315; rev:13;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Groove GroovePerfmon.dll dll-load exploit attempt"; flow:to_server,established; content:"G|00|r|00|o|00|o|00|v|00|e|00|P|00|e|00|r|00|f|00|m|00|o|00|n|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-3146; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-016; classtype:attempted-user; sid:19314; rev:12;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; content:"|01 00|"; within:2; distance:55; content:"|01 00|"; within:2; distance:2; pcre:"/^.{2}\x5c\x00[^\x5c]*\x00\x00/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-1868; reference:cve,2011-1869; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19221; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD Adobe font driver remote code execution attempt"; flow:to_client,established; file_data; content:"|F7 CE 07 0E A2 01 F7 A7 C8 03 14 E0 F7 E6 43 15 BE C9 A3 B0|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46106; reference:cve,2011-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-007; classtype:attempted-user; sid:19196; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Certification service XSS attempt"; flow:to_server,established; content:"certfnsh|2E|asp"; nocase; http_uri; content:"TargetStoreFlagsObserve"; nocase; http_client_body; pcre:"/^=[^\s\x26]*[\x3C\x3E\x22\x27\x28\x29]/R"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-051; classtype:attempted-user; sid:19186; rev:10;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows OLEAUT32.DLL malicious WMF file remote code execution attempt"; flow:to_client,established; content:"|FF|SMB|2E 00 00 00 00|"; depth:9; offset:4; content:"|6C 74|"; within:6; distance:50; content:"|D7 CD C6 9A 00 00|"; within:6; distance:6; byte_test:4,<,60,-10,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-0658; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-038; classtype:attempted-user; sid:19184; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Vista feed headlines cross-site scripting attack attempt"; flow:to_client,established; file_data; content:"<rss"; content:"<channel"; distance:0; content:"expression|28|"; distance:0; pcre:"/<title>[^>]*?(&lt|<).*?expression\x28.*?<\/title>/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25287; reference:cve,2007-3033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-048; classtype:web-application-attack; sid:19174; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD font driver remote code execution attempt"; flow:to_client, established; file_data; content:"BellGothicStd-Bla|00 01 02 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3957; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-091; classtype:attempted-user; sid:19119; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response"; flow:to_client,established; content:"HTTP 99|0A|"; depth:8; metadata:policy max-detect-ips drop, service http; reference:cve,2010-2561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-051; classtype:attempted-dos; sid:18961; rev:15;)
# alert udp $HOME_NET any -> 224.0.0.0/4 5355 (msg:"OS-WINDOWS Microsoft Windows LLMNR invalid reverse name lookup stack corruption attempt"; content:"|00 01 00 00 00 00|"; depth:6; offset:4; content:"|01 2E|"; within:2; distance:2; byte_test:2,!&,0xF8,2; metadata:policy max-detect-ips drop; reference:cve,2011-0657; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-030; classtype:attempted-admin; sid:18655; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 1F 00 11 3A FF FF 0F 00 46 00 6F 00 72 00 6F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17459; reference:cve,2006-0014; reference:cve,2006-2386; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-016; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-076; classtype:attempted-user; sid:18590; rev:12;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt"; flow:to_server,established; content:"m|00|s|00|o|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-3146; reference:cve,2011-0108; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-016; classtype:attempted-user; sid:18500; rev:19;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mso.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3146; reference:cve,2011-0108; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-016; classtype:attempted-user; sid:18499; rev:17;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"e|00|h|00|t|00|r|00|a|00|c|00|e|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-0032; reference:cve,2011-2009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-076; classtype:attempted-user; sid:18497; rev:17;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Player and shell extension ehtrace.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|ehtrace.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0032; reference:cve,2011-2009; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-076; classtype:attempted-user; sid:18496; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft product .dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0029; reference:cve,2011-0107; reference:cve,2011-1980; reference:cve,2014-1756; reference:cve,2015-1758; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-063; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-023; classtype:attempted-user; sid:18495; rev:21;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft product .dll dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"|01 00 00 00 40 00 00 00|"; content:"|0D 00 00 5C 00|.|00|d|00|l|00|l|00 00 00|"; within:15; distance:5; nocase; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-0029; reference:cve,2011-0107; reference:cve,2011-1980; reference:cve,2014-1756; reference:cve,2015-1758; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-063; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-023; classtype:attempted-user; sid:18494; rev:25;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MHTML XSS attempt"; flow:to_client,established; file_data; content:"mhtml|3A|"; pcre:"/(location\x2ereplace\x28|window\x2elocation\x2ehref\s*?=|iframe\s*?src\s*?=|a\s*?href\s*?=)\s*?[\x22\x27]mhtml\x3a(http|file)\x3a\x2f\x2f/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-026; classtype:attempted-user; sid:18335; rev:21;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Vector Markup Language fill method overflow attempt"; flow:to_client,established; file_data; content:"|3A 00|f|00|i|00|l|00|l|00|"; nocase; content:"m|00|e|00|t|00|h|00|o|00|d|00|"; distance:0; nocase; pcre:"/<\x00(\w\x00)+\x3a\x00f\x00i\x00l\x00l\x00\s\x00([^>]\x00|>[^\x00])*m\x00e\x00t\x00h\x00o\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x27\x00([^\x27]\x00|\x27[^\x00]){100}|\x22\x00([^\x22]\x00|\x22[^\x00]){100}|([^\s>]\x00|[\s>][^\x00]){100})/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20096; reference:cve,2006-4868; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-055; classtype:attempted-user; sid:18309; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Comctl32.dll third-party SVG viewer heap overflow attempt"; flow:to_client,established; file_data; content:"<svg "; nocase; content:"transform"; within:2000; nocase; pcre:"/<svg.{0,2000}?transform\s*=\s*[\x22\x27][^\x22\x27]{500}/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-2746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-081; classtype:attempted-user; sid:18297; rev:16;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"f|00|v|00|e|00|a|00|p|00|i|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-3145; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-001; classtype:attempted-user; sid:18278; rev:18;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Vista Backup Tool fveapi.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|fveapi.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3145; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-001; classtype:attempted-user; sid:18277; rev:17;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"m|00|s|00|o|00|e|00|r|00|e|00|s|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; within:1500; fast_pattern; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-3147; reference:cve,2011-2016; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-085; classtype:attempted-user; sid:18207; rev:16;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"w|00|a|00|b|00|3|00|2|00|r|00|e|00|s|00|.|00|d|00|l|00|l|00 00 00|"; within:1500; fast_pattern; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-3147; reference:cve,2011-2016; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-085; classtype:attempted-user; sid:18206; rev:17;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|msoeres32.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3147; reference:cve,2011-2016; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-085; classtype:attempted-user; sid:18205; rev:16;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wab32res.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3147; reference:cve,2011-2016; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-085; classtype:attempted-user; sid:18204; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Forefront UAG URL XSS alternate attempt"; flow:to_server, established; content:"signurl|2E|asp"; fast_pattern; nocase; http_uri; content:"SignUrl="; nocase; http_uri; pcre:"/SignUrl=[^\x26\s]*[\x22\x27\x28\x29\x3C\x3E]/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-admin; sid:18076; rev:11;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB client TRANS response Find_First2 filename overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2.findfirst2; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:3,>,135,-12,relative,big; byte_test:1,&,128,0,relative; flowbits:unset,smb.trans2.findfirst2; content:"|00 00|"; within:2; distance:13; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:13; content:"|00|"; within:1; distance:2; content:"|FF FF FF FF|"; within:4; distance:72; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:attempted-admin; sid:17746; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-WINDOWS Microsoft Windows wpad dynamic update request "; flow:to_server; content:"|06|isatap"; byte_test:1, &, 8, 2; byte_test:1, &, 32, 2; metadata:policy max-detect-ips drop, service dns; reference:cve,2009-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; classtype:attempted-admin; sid:17731; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById"; nocase; content:"setTimeout"; fast_pattern; nocase; pcre:"/\x2esrc\s*=\s*[\x22\x27]([^\x2e]+)\x2exml\x3f[\x22\x27]\s*\x2b.*\x2esrc\s*=\s*[\x22\x27]\1\x2exml\x3f[^\x22\x27]+[\x22\x27]\s\x2b/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-user; sid:17730; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft IIS malicious ASP file upload attempt"; flow:to_server,established; content:"<!--|23|include file=|22 61 61 61 61 61 61 61 61|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,18858; reference:cve,2006-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-034; classtype:attempted-user; sid:17724; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected"; flow:to_server,established; content:"|6E 81 00 42 3B 04 82 9D B8 97 A6 30 32 2D D5 28 B7 2C DF A3 7E 2B 16 8E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ns; reference:cve,2008-3009; reference:cve,2008-4037; reference:cve,2009-0550; reference:cve,2009-1930; reference:cve,2010-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-042; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:attempted-user; sid:17723; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS replication inform2 request memory corruption attempt"; flow:to_server,established; content:"|00 00 00 03 00 00 00 08|"; depth:8; offset:12; byte_test:4,>,65535,0,relative,big; metadata:policy max-detect-ips drop, service netbios-ns; reference:cve,2009-1924; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-039; classtype:attempted-admin; sid:17721; rev:10;)
# alert udp any any -> $HOME_NET 69 (msg:"OS-WINDOWS TFTP PUT Microsoft RIS filename overwrite attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"setup.exe|00|"; distance:0; nocase; metadata:policy max-detect-ips drop; reference:cve,2006-5584; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-077; classtype:policy-violation; sid:17712; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ASF parsing memory corruption attempt"; flow:to_client,established; file_data; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; content:"|91 07 DC B7 B7 A9 CF 11 8E E6 00 C0 0C 20 53 65|"; content:"|E0 7D 90 35 15 E4 CF 11 A9 17 00 80 5F 5C 44 2B|"; byte_test:2,>,0xffc6,52,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-068; classtype:attempted-user; sid:17711; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrDfsCreateExitPoint dos attempt"; flow:to_server,established; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:48; dce_stub_data; byte_test:4,>,65535,56,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:attempted-dos; sid:17702; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Graphics engine EMF rendering vulnerability"; flow:to_client,established; file_data; content:"|C5 00 00 00 04 00 00 80 8D 00 83 00 8D 00 84 00 AF 01 10 01 AF 01 0F 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15352; reference:cve,2005-2123; classtype:attempted-user; sid:17618; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft XML Core Services cross-site information disclosure attempt"; flow:to_client,established; file_data; content:"<|21|DOCTYPE "; nocase; content:"SYSTEM"; distance:0; nocase; content:".parseError"; fast_pattern:only; content:"loadXML"; pcre:"/<\x21DOCTYPE\s+[^>]*?SYSTEM[^>]*?>/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32155; reference:cve,2008-4029; reference:cve,2013-7331; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-recon; sid:17572; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"OS-WINDOWS Microsoft Distributed Transaction Controller TIP DoS attempt"; flow:to_server,established; content:"PUSH|20|test|0A|"; depth:10; metadata:policy max-detect-ips drop; reference:bugtraq,15058; reference:cve,2005-1979; classtype:attempted-dos; sid:17439; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:11; dce_stub_data; content:"|5C 5C|"; offset:16; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:17438; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:10; dce_stub_data; content:"|5C 5C|"; offset:16; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:17437; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:11; dce_stub_data; content:"|5C 00 5C 00|"; offset:16; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:17436; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:10; dce_stub_data; content:"|5C 00 5C 00|"; offset:16; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:17435; rev:12;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt"; flow:to_client,established,no_stream; content:"HTTP/1.1 404 Not Found"; fast_pattern:only; detection_filter:track by_dst, count 100, seconds 5; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3332; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-070; classtype:misc-activity; sid:17429; rev:16;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt"; flow:to_client,established,no_stream; content:"HTTP/1.1 500 Internal Server Error"; fast_pattern:only; detection_filter:track by_dst, count 20, seconds 5; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3332; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-070; classtype:misc-activity; sid:17428; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Generic HyperLink buffer overflow attempt"; flow:to_server,established; content:"GET /"; fast_pattern:only; urilen:>1450; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13045; reference:bugtraq,14195; reference:bugtraq,36815; reference:bugtraq,37184; reference:cve,2002-0071; reference:cve,2004-0629; reference:cve,2004-0848; reference:cve,2005-0057; reference:cve,2005-0986; reference:cve,2007-0774; reference:cve,2007-6377; reference:cve,2009-0895; reference:cve,2011-1965; reference:cve,2013-5019; reference:cve,2014-3913; reference:cve,2016-6808; reference:cve,2017-17099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-064; reference:url,www.exploit-db.com/exploits/42560/; classtype:attempted-user; sid:17410; rev:25;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DirectX Targa image file heap overflow attempt"; flow:to_client,established; file_data; content:"|00 00 0A 00 00 00 00 00 00 00 00 00 00 80 00 80 20 20|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24963; reference:cve,2006-4183; classtype:attempted-user; sid:17408; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Color Management Module buffer overflow attempt"; flow:to_client,established; file_data; content:"rXYZ"; byte_test:4,>,60,4,relative; content:"gXYZ"; within:4; distance:8; content:"bXYZ"; within:4; distance:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14214; reference:cve,2005-1219; classtype:attempted-user; sid:17347; rev:13;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Malware Protection Engine file processing denial of service attempt"; flow:to_server,established; content:"|49 44 45 44 38 55 45 47 47 53 39 6F 4F 72 2F 79 6A 45 77 6D 47 4C 76 57 4A 6A 56 4B 6B 6F 6D 6E 78 6E 2F 63 44 45 63 31 50 35|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-1437; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-029; classtype:denial-of-service; sid:17306; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-WINDOWS Microsoft Windows NAT Helper DNS query denial of service attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,20804; reference:cve,2006-5614; classtype:attempted-dos; sid:17294; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; file_data; content:"url|28|data|3A|font|2F|ttf|3B|"; content:"base64|2C|AAEAAAAT"; within:15; content:"A2hMVFNI5UGsngAA"; within:16; distance:48; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:17256; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Print Spooler arbitrary file write attempt"; flow:to_server,established; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:17; dce_stub_data; content:"|01 00 00 00|"; depth:4; offset:20; pcre:"/\x2E\x00(e\x00x\x00e|d\x00l\x00l\x00|m\x00o\x00f\x00|s\x00h\x00n\x00)/iR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-2729; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-061; classtype:attempted-user; sid:17252; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response"; flow:to_client,established; content:"HTTP 1|0A|"; depth:7; metadata:policy max-detect-ips drop, service http; reference:cve,2010-2561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-051; classtype:attempted-dos; sid:17133; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft SilverLight ImageSource remote code execution attempt"; flow:to_client,established; flowbits:isset,imagesource.redefine; file_data; content:"ImageBrush"; content:"ImageSource"; distance:0; pcre:"/ImageBrush[^\x3e]+ImageSource\s*\x3d\s*(\x22|\x27)/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-060; classtype:attempted-user; sid:17114; rev:15;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft SilverLight ImageSource redefine flowbit"; flow:to_client,established; file_data; content:"|2E|findName|28 22|"; content:"|2E|ImageSource"; distance:0; pcre:"/var\s*(?P<imagebrush>\w+?)\x3b.*?(?P=imagebrush)\s*\x3d\s*[^\x3b\x2e]+\x2efindName\x28.*?(?P=imagebrush)\x2eImageSource\s*\x3d\s*[\x22\x21][^\x2e\x22\x21]+?[\x22\x21]/smi"; flowbits:set,imagesource.redefine; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:17113; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Help Centre escape sequence XSS attempt"; flow:to_client,established; file_data; content:"hcp|3A 2F 2F|"; nocase; content:"script"; distance:0; nocase; pcre:"/hcp\x3a\x2f\x2f[^\n]*script/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40725; reference:cve,2003-0907; reference:cve,2010-1885; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-042; classtype:attempted-user; sid:16665; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"OS-WINDOWS Microsoft Windows Media Service stack overflow attempt"; flow:to_server, established; content:"|CE FA 0B B0|"; content:"MMS "; within:4; distance:4; pcre:"/.{20}[\x01\x02]\x00\x03\x00.*?\x5c\x00\x5c\x00/Rsm"; isdataat:128,relative; content:!"|00 00|"; within:128; metadata:policy max-detect-ips drop; reference:cve,2010-0478; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-025; classtype:attempted-admin; sid:16541; rev:14;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt"; flow:to_client,established; content:"|FE|SMB@|00|"; depth:7; offset:3; byte_extract:3,-9,dataLen,relative; content:"|01 00|"; within:2; distance:12; isdataat:!dataLen; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2010-0477; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-020; classtype:attempted-admin; sid:16540; rev:18;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Negotiate Protocol Response overflow attempt"; flow:to_client,established; content:"|FF|SMBr"; depth:5; offset:4; content:"|11|"; within:1; distance:27; byte_test:4,<,32,7,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2010-0016; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-006; classtype:attempted-admin; sid:16417; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt"; flow:to_client,established; file_data; content:"href"; nocase; content:"#:"; within:50; content:"../../"; within:25; fast_pattern; pcre:"/\<a\s+?[^\>]*?href\s*?=\s*?[\x22\x27]?[^\>\x22\x27]*#:/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-007; classtype:attempted-user; sid:16414; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"|5C 00 5C 00|"; distance:2; nocase; pcre:!"/^([^\x5C\x00].|[\x5c\x00][^\x00])+\x5C\x00/sR"; metadata:policy max-detect-ips drop; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16404; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"|5C 00 5C 00|"; distance:2; nocase; pcre:!"/^([^\x5C\x00].|[\x5c\x00][^\x00])+\x5C\x00/sR"; metadata:policy max-detect-ips drop; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16403; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB invalid server name share access"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"|5C 5C|"; distance:2; nocase; pcre:!"/^[^\x5C\x00]+\x5C/R"; metadata:policy max-detect-ips drop; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16402; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB andx invalid server name share access"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"|5C 5C|"; distance:2; nocase; pcre:!"/^[^\x5C\x00]+\x5C/R"; metadata:policy max-detect-ips drop; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16401; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"|5C 00 5C 00|"; distance:2; nocase; pcre:!"/^([^\x5C\x00].|[\x5c\x00][^\x00])+\x5C\x00/sR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16400; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"|5C 00 5C 00|"; distance:2; nocase; pcre:!"/^([^\x5C\x00].|[\x5c\x00][^\x00])+\x5C\x00/sR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16399; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB invalid server name share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"|5C 5C|"; distance:2; nocase; pcre:!"/^[^\x5C\x00]+\x5C/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16398; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB andx invalid server name share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"|5C 5C|"; distance:2; nocase; pcre:!"/^[^\x5C\x00]+\x5C/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16397; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TCP stack zero window size exploit attempt"; flow:to_server,established; seq:2; ack:1204835598; window:4; flags:A; reference:bugtraq,31545; reference:cve,2008-4609; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-048; classtype:attempted-dos; sid:16294; rev:14;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DNS server spoofing attempt"; content:"|03|www|07|example|03|com|00 00 01 00 01 C0 0C 00 01 00 01 00 00 0E 10 00 04|****"; fast_pattern:only; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,25919; reference:cve,2007-3898; reference:cve,2008-1447; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-062; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-037; classtype:misc-attack; sid:16206; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DirectShow MJPEG arbitrary code execution attempt"; flow:to_client,established; file_data; content:"LIST|A0 84 01 00|movi00dc|E3 02 00 00 D0 D8|"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-011; classtype:attempted-user; sid:16187; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows embedded web font handling buffer overflow attempt"; flow:to_client,established; file_data; content:"SPP_P|1D CD|P|3B D5 AF AF AF AF 19|6|A5|U4cz{|B1 04 1D E7 EF|jiI|8A|T|D1|s|FD 0C F7|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16194; reference:cve,2006-0010; classtype:attempted-user; sid:16089; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Server driver crafted SMB data denial of service"; flow:to_server,established; content:"|11 00 5C|MAILSLOT|5C|LANMANA"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:16066; rev:12;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DNS client TXT buffer overrun attempt"; flow:to_client,established; content:"|C0 0C 00 10 00 01 00 00 00|<*|AA 00 00 00 00|"; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,19404; reference:cve,2006-3441; classtype:attempted-admin; sid:16030; rev:9;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DNS client ATMA buffer overrun attempt"; flow:to_client; content:"|C0 0C 00 22 00 01 00 00 00|<|00 00 01|"; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,19404; reference:cve,2006-3441; classtype:attempted-admin; sid:16029; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft client for netware overflow attempt"; flow:to_server,established; dce_iface:e67ab081-9844-3521-9d32-834f038001c0; dce_opnum:9; dce_stub_data; content:"|5C 00 5C 00|"; pcre:"/^(B\x00B\x00B\x00|\x41\x41\x41\x41)/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-4688; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:16016; rev:13;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt"; flow:to_client,established,only_stream; content:"HTTP/1.1 304 Not Modified"; fast_pattern:only; detection_filter:track by_dst, count 44, seconds 4; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0947; reference:cve,2007-6239; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:misc-activity; sid:16008; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] (msg:"OS-WINDOWS Microsoft Windows Active Directory crafted LDAP request denial of service attempt"; flow:to_server,established; content:"|04 00 0A 01 00 0A 01 03 02 01|d|02 01|<|01 01 00 A1 0B FF|bjectclass0|84 00 00 00 17 04 15|supportedCapabilities"; fast_pattern:only; metadata:policy max-detect-ips drop, service ldap; reference:bugtraq,24796; reference:cve,2007-3028; classtype:attempted-dos; sid:15944; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt"; flow:to_server,established; dsize:>250; content:"|02|SMB 2"; fast_pattern:only; content:"|FF|SMBr|00 00 00|"; depth:8; offset:4; content:!"|00 00|"; within:2; distance:4; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-2532; reference:cve,2009-3103; reference:url,technet.microsoft.com/en-us/security/advisory/975497; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-050; classtype:attempted-admin; sid:15930; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrGetJoinInformation attempt"; flow:to_server,established; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:20; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1544; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-041; classtype:protocol-command-decode; sid:15860; rev:13;)
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"OS-WINDOWS Remote Desktop orderType remote code execution attempt"; flow:to_client,established; content:"|17 00|"; content:"|00 00|"; within:2; distance:14; byte_test:1,&,3,6,relative; byte_test:1,>,7,11,relative; metadata:policy max-detect-ips drop, service rdp; reference:bugtraq,35971; reference:cve,2009-1133; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15850; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"OS-WINDOWS Microsoft Windows Active Directory LDAP denial of service attempt"; flow:to_server,established; content:"0"; depth:1; content:"|02|"; within:20; content:"c"; within:20; content:"=|23|04"; distance:0; metadata:policy max-detect-ips drop, service ldap; reference:cve,2009-1138; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-018; classtype:attempted-admin; sid:15527; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS udp WINS WPAD registration attempt"; flow:to_server; content:"|29|"; depth:1; offset:2; content:"|00 01 00 00 00 00 00 01|"; within:8; distance:1; pcre:"/^.{2}\x29.\x00\x01\x00\x00\x00\x00\x00\x01\x20(F|H)H(F|H)A(E|G)B(E|G)ECACACA[^\x00]+\x00\x00\x20\x00\x01/s"; metadata:policy max-detect-ips drop, service netbios-ns; reference:cve,2009-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; classtype:misc-attack; sid:15387; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-WINDOWS Microsoft Windows wpad dynamic update request "; flow:to_server; content:"|04|wpad"; byte_test:1, &, 8, 2; byte_test:1, &, 32, 2; metadata:policy max-detect-ips drop, service dns; reference:cve,2009-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; classtype:attempted-admin; sid:15386; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15220; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15196; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows search protocol remote command injection attempt"; flow:to_client,established; file_data; content:"src="; nocase; content:"search-ms:"; within:12; nocase; pcre:"/src=(?P<q1>[\x22\x27])\s*?search-ms\x3a[^#]*?query=[^#]*?#[^(P=q1)]*?\x2f(root|select)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-075; classtype:attempted-user; sid:15116; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrUseAdd/NetrUseGetInfo/NetrUseDel overflow attempt"; flow:to_server,established; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:8,9,10; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4250; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067; classtype:attempted-admin; sid:15015; rev:17;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt"; flow:to_server,established; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31,32; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2008-4250; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067; classtype:attempted-admin; sid:14782; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP host-integration bind attempt"; flow:to_server,established; dce_iface:ed6ee250-e0d1-11cf-925a-00aa00c006c1; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-3466; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-059; classtype:protocol-command-decode; sid:14737; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP mqqm QMGetRemoteQueueName overflow attempt"; flow:to_server,established; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:1; dce_stub_data; isdataat:16; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-3479; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-065; classtype:attempted-admin; sid:14725; rev:17;)
# alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt"; flow:to_client,established; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:4; dce_stub_data; byte_jump:4,4,dce; byte_test:4,>,1024,1,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14710; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Search Search filename size integer underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|81|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,564,5,little,relative; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14649; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI VML gradient size heap overflow attempt"; flow:to_client,established; file_data; content:"v:fill"; nocase; content:"focussize"; nocase; pcre:"/focussize\s*\x3d\s*\x22[^\x2d\x2c\x22]*\x2d[^\x2d\x22]+\x2d/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5348; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-052; classtype:attempted-user; sid:14261; rev:17;)
# alert ip $EXTERNAL_NET any -> 224.0.0.0/4 any (msg:"OS-WINDOWS Microsoft Windows PGM denial of service attempt"; ip_proto:113; content:"|04 01|"; depth:2; offset:4; content:"|00 04 00 08|"; within:4; distance:18; pcre:"/^.{28}[\x06\x12-\xff]\x00/s"; metadata:policy max-detect-ips drop; reference:cve,2008-1440; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-036; classtype:attempted-dos; sid:13827; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt"; content:"0"; depth:1; content:"|02|"; within:1; distance:1; content:!"|00|"; within:1; distance:1; content:"|04|"; distance:2; byte_jump:1, 0, relative; content:"|A5|"; content:"|02 01 00 02 01 04 02 01 03|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service snmp; reference:cve,2006-5583; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-074; classtype:attempted-admin; sid:13619; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows vbscript/jscript scripting engine end buffer overflow attempt"; flow:to_client,established; content:"VBScript.Encode"; content:"^|23|~@"; distance:0; content:!"="; within:1; distance:-6; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0083; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-022; classtype:attempted-user; sid:13449; rev:13;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows remote kernel tcp/ip icmp vulnerability exploit attempt"; itype:9; byte_test:1,>,150,0; metadata:policy max-detect-ips drop; reference:cve,2007-0066; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-001; classtype:attempted-admin; sid:13288; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat overflow attempt"; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:12; dce_stub_data; byte_test:4,>,142,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:13211; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat overflow attempt"; flow:to_server,established; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:12; dce_stub_data; byte_test:4,>,142,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:13210; rev:19;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP mqqm QMCreateObjectInternal overflow attempt"; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:6; dce_stub_data; byte_test:4,=,1,0,dce; byte_test:4,>,142,4,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:12978; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal overflow attempt"; flow:to_server,established; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:6; dce_stub_data; byte_test:4,=,1,0,dce; byte_test:4,>,142,4,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:12977; rev:20;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 url handling code execution attempt"; flow:to_client,established; file_data; content:"|22|.cmd"; nocase; pcre:"/(mailto|telnet|news|nntp|snews|http)\x3A[^\n]*\x25[^\n]*\x22\x2Ecmd/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-061; classtype:attempted-user; sid:12688; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS RPC NTLMSSP malformed credentials attempt"; flow:to_server,established; content:"NTLMSSP|00 03 00 00 00|"; content:"|00 00 00 00|"; within:4; distance:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; within:4; distance:4; content:"|05 00 00 03 10 00 00 00|"; within:500; pcre:"/\x05\x00\x00\x03\x10\x00\x00\x00.{16}\x0a[\x03\x04]/"; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2007-2228; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-058; classtype:denial-of-service; sid:12635; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft XML substringData integer overflow attempt"; flow:to_client,established; file_data; content:"substringData"; nocase; pcre:"/\w+\.substringData\([^\),]+,\s*(\d{4,}|25[7-9]|2[6-9][0-9]|[3-9][0-9]{2}|0x0*([1-9a-f][1-9a-f]{3,}|[2-9a-f][0-9a-f]{2}|1([0-9a-f][0-9a-f]|0[1-9a-f])))/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2223; reference:cve,2007-2224; reference:cve,2008-1442; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-042; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-031; classtype:attempted-user; sid:12279; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"OS-WINDOWS Microsoft Windows getbulk request attempt"; flow:to_server; content:"0"; depth:1; byte_test:1,!&,128,0,relative; content:"|02 01 01 04|"; within:4; distance:1; byte_test:1,!&,128,0,relative; byte_jump:1,0, relative; content:"|A5|"; within:1; metadata:policy max-detect-ips drop, service snmp; reference:cve,2006-5583; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-074; classtype:attempted-admin; sid:12198; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] (msg:"OS-WINDOWS Microsoft Windows Active Directory Crafted LDAP ModifyRequest"; flow:to_server,established; content:"0|84|"; depth:2; content:"|66 84|"; within:16; byte_test:4,>,0x0F0000,2; metadata:policy max-detect-ips drop; reference:cve,2007-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-039; classtype:attempted-admin; sid:12069; rev:13;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows schannel security package"; flow:to_client,established; ssl_state:server_hello; content:"|16 03 00|"; content:"|0C|"; within:1; distance:2; byte_jump:2,3,relative,big; byte_jump:2,0,relative,big; content:"|00 00|"; within:2; metadata:policy max-detect-ips drop, service ssl; reference:cve,2007-2218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-031; classtype:attempted-user; sid:11947; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows API res buffer overflow attempt"; flow:to_client,established; content:"res|3A|//"; pcre:"/\x2Edll[\x2F\x5C][^\x3E\x00\s\x2F\x5C]*[\x2F\x5C]?(\x23|%23)\x2b?(\d{6}|[7-9]\d{4}|6[6-9]\d{3}|65[6-9]\d{2}|655[4-9]\d|6553[6-9])/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-2219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-035; classtype:attempted-user; sid:11838; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP dns R_DnssrvEnumRecords overflow attempt"; flow:to_server,established; dce_iface:50ABC2A4-574D-40B3-9D66-EE4FD5FBA076; dce_opnum:1,3; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,4,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,23470; reference:cve,2007-1748; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-029; classtype:attempted-admin; sid:10900; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2869 (msg:"OS-WINDOWS Microsoft Windows UPnP notification type overflow attempt"; flow:to_server,established; content:"SUBSCRIBE"; fast_pattern:only; pcre:"/^(UN)?SUBSCRIBE\s/smi"; pcre:"/^(NT|CallBack|SID|TimeOut)\s*\x3a\s*[^\n]{512}/Rsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23371; reference:cve,2007-1204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-019; classtype:attempted-admin; sid:10475; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numcolors parameter buffer overflow attempt"; flow:to_client,established; file_data; content:"recolorinfo"; fast_pattern:only; content:"numcolors"; pcre:"/recolorinfo[^>]*numcolors\s*=\s*\x22/si"; byte_test:10,>,10000000,0,relative,string; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-004; classtype:attempted-user; sid:9849; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrJoinDomain2 overflow attempt"; flow:to_server,established; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:22; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; content:"|5C 00|"; distance:12; content:!"|00 00|"; within:256; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9027; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8460; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode andx attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8459; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8458; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type andx attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8457; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type unicode attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8456; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type unicode andx attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8455; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8454; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type andx attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8453; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8452; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode andx attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8451; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8450; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type andx attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; metadata:policy max-detect-ips drop; reference:cve,2006-4696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:attempted-dos; sid:8449; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Vector Markup Language fill method overflow attempt"; flow:to_client,established; file_data; content:"|3A|fill"; nocase; content:"method"; within:300; nocase; isdataat:260,relative; content:!">"; within:260; pcre:"/\x3afill.*?method\s*=\s*[\x22\x27]\s*[^\x22\x27]{250}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20096; reference:cve,2006-4868; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-055; classtype:attempted-user; sid:8416; rev:20;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt"; flow:to_server,established; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7209; rev:20;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Explorer invalid url file overflow attempt"; flow:to_client,established; file_data; content:"[InternetShortcut]"; depth:100; nocase; content:"url="; distance:0; nocase; content:"file|3A|file|3A|file|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18838; reference:cve,2006-3351; classtype:denial-of-service; sid:7022; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSubmitRequest overflow attempt"; flow:to_server,established; dce_iface:20610036-fa22-11cf-9823-00a0c911e5df; dce_opnum:10,12; dce_stub_data; byte_test:4,>,2532,4,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6584; rev:19;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW invalid second uuid size attempt"; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,37,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6432; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW heap overflow attempt"; flow:to_server,established; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; byte_jump:4,28,multiplier 2,post_offset 10,dce; byte_jump:4,0,relative,multiplier 2,post_offset 22,dce; byte_jump:4,0,relative,multiplier 2,post_offset 10,dce; byte_test:4,>,100,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6431; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW invalid uuid size attempt"; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; byte_test:4,>,37,28,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6420; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW invalid uuid size attempt"; flow:to_server,established; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; byte_test:4,>,37,28,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6419; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player Plugin for Non-IE browsers buffer overflow attempt"; flow:to_client,established; file_data; content:"<EMBED"; nocase; content:"src"; distance:0; nocase; pcre:"/<EMBED[^>]+?src\s*=\s*(\x22[^\x22]{1024}|\x27[^\x27]{1024}|[^\s]{1024})/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16644; reference:cve,2006-0005; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-006; classtype:attempted-user; sid:5710; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList dos attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:10; dce_stub_data; byte_test:4,>,256,4,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4918; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.lnk; file_data; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-049; classtype:attempted-user; sid:4644; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows malformed shortcut file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.lnk; file_data; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,!&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-049; classtype:attempted-user; sid:4643; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:11; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4358; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:10; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4334; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_QueryResConfList attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:54; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3967; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP mqqm QMDeleteObject overflow attempt"; flow:to_server,established; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:9; dce_stub_data; content:"|01 00 00 00|"; depth:4; offset:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,214,8,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3590; rev:23;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt"; flow:to_client,established; flowbits:isnotset,file.hta; file_data; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; nocase; content:"|D8 F4|P0|B5 98 CF 11 BB 82 00 AA 00 BD CE 0B|"; within:16; distance:60; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13132; reference:cve,2005-0063; reference:url,attack.mitre.org/techniques/T1170; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-016; classtype:attempted-user; sid:3552; rev:20;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3146; rev:18;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3145; rev:16;)
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3144; rev:17;)
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 command response overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3143; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc LlsrConnect overflow attempt"; flow:to_server,established; dce_iface:342cfd40-3c6c-11ce-a893-08002b2e9c6d; dce_opnum:0; dce_stub_data; byte_test:4,>,52,0,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3114; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:to_server,established; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2508; rev:24;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"OS-WINDOWS Microsoft Windows UPnP malformed advertisement"; flow:to_server,no_stream; content:"NOTIFY * "; fast_pattern:only; content:"LOCATION|3A|"; nocase; detection_filter:track by_dst, count 10, seconds 1; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1384; rev:21;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k.sys kernel-mode driver privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"PsLookupProcessByProcessId"; fast_pattern:only; content:"gSharedInfo"; nocase; content:"CreateProcess"; nocase; content:"SetWindowLong"; nocase; content:"KERNEL32.dll"; nocase; metadata:service smtp; reference:cve,2015-1701; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-051; classtype:attempted-admin; sid:34499; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k.sys kernel-mode driver privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"PsLookupProcessByProcessId"; fast_pattern:only; content:"gSharedInfo"; nocase; content:"CreateProcess"; nocase; content:"SetWindowLong"; nocase; content:"KERNEL32.dll"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1701; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-051; classtype:attempted-admin; sid:34498; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Graphics engine EMF rendering vulnerability"; flow:to_server,established; file_data; content:"|C5 00 00 00 04 00 00 80 8D 00 83 00 8D 00 84 00 AF 01 10 01 AF 01 0F 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15352; reference:cve,2005-2123; classtype:attempted-user; sid:34565; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt"; flow:established,to_client; flowbits:isset,file.exe; content:"|65 67 69 61 6E 2D 4E 79 6E 6F 72 73 6B 00 00 00|"; nocase; content:"|52 53 44 53 BB 1A 64 9C 7E A0 15 4C B1 9C E3 E3 24 E5 C3 9D 02 00 00 00 5C 5C 72 65 64 74 65 61 6D 5C 73 65 63 75 72 69 74 79 5C 6D 73 72 63 31 30 35 35 37 5C 6D 73 72 63 31 30 35 35 37 5C 44 65 62 75 67 5C 6D 73 72 63 31 30 35 35 37 2E 70 64 62|"; within:82; distance:496; reference:cve,2011-1242; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-034; classtype:attempted-user; sid:18667; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt"; flow:established,to_client; flowbits:isset,file.exe; content:"|65 67 69 61 6E 2D 4E 79 6E 6F 72 73 6B 00 00 00|"; nocase; content:"|52 53 44 53 64 6E 64 CE 9F 7A 89 48 B7 51 3D 21 E3 99 7B 38 02 00 00 00 5C 5C 72 65 64 74 65 61 6D 5C 73 65 63 75 72 69 74 79 5C 6D 73 72 63 31 30 35 35 35 5C 6D 73 72 63 31 30 35 35 35 5C 44 65 62 75 67 5C 6D 73 72 63 31 30 35 35 35 2E 70 64 62|"; within:86; distance:504; reference:cve,2011-1241; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-034; classtype:attempted-user; sid:18666; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt"; flow:established,to_client; flowbits:isset,file.exe; content:"|6A 20 6A 20 6A 00 6A 00 6A 00 68 58 B0 40 00 68|"; content:"|FF 15 D8 CA 40 00 6A 00 68 30 F1 00 00 68 12 01 00 00 8B 15 D4 CA 40 00 52 FF 15 14 81 40 00 B8 01 00 00 00 8B E5 5D C3 CC CC CC CC CC CC CC CC 8B 54 24 0C 8B 4C 24 04 85 D2 74 69 33 C0 8A 44 24 08 84 C0 75 16 81 FA 80 00 00 00 72 0E 83 3D 24 DC 40 00 00 74 05 E9 AE 02 00 00 57 8B F9 83|"; within:96; distance:80; reference:cve,2011-1239; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-034; classtype:attempted-user; sid:18665; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt"; flow:established,to_client; flowbits:isset,file.exe; content:"|65 67 69 61 6E 2D 4E 79 6E 6F 72 73 6B 00 00 00|"; nocase; content:"|52 53 44 53 64 5A 82 37 7E 51 38 45 80 DF 1E 6C 30 7D 70 33 02 00 00 00 5C 5C 72 65 64 74 65 61 6D 5C 73 65 63 75 72 69 74 79 5C 6D 73 72 63 31 30 34 37 35 5C 6D 73 72 63 31 30 34 37 35 5C 44 65 62 75 67 5C 6D 73 72 63 31 30 34 37 35 2E 70 64 62|"; within:82; distance:496; reference:cve,2011-1238; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-034; classtype:attempted-user; sid:18664; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt"; flow:established,to_client; flowbits:isset,file.exe; content:"|65 67 69 61 6E 2D 4E 79 6E 6F 72 73 6B 00 00 00|"; nocase; content:"|52 53 44 53 2B 0D FE F3 54 07 DA 41 B1 1A F6 B3 44 87 E8 15 02 00 00 00 5C 5C 72 65 64 74 65 61 6D 5C 53 65 63 75 72 69 74 79 5C 6D 73 72 63 31 30 34 37 33 5C 6D 73 72 63 31 30 34 37 33 5C 44 65 62 75 67 5C 6D 73 72 63 31 30 34 37 33 2E 70 64 62|"; within:82; distance:500; reference:cve,2011-1237; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-034; classtype:attempted-user; sid:18663; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt"; flow:to_client,established; file_data; content:"|52 53 44 53 7B 49 9E D5 8C CA 24 43 BF 3F AE DA 94 BA 10 E4 02 00 00 00 5C 5C 72 65 64 74 65 61 6D 5C 73 65 63 75 72 69|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-034; classtype:attempted-user; sid:18662; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt"; flow:established,to_client; flowbits:isset,file.exe; content:"|65 67 69 61 6E 2D 4E 79 6E 6F 72 73 6B 00 00 00|"; content:"|00 00 00 00 00 00 00 00 52 53 44 53 8C 35 0B 8E BD 36 60 4F BC 0C AA 18 DD 34 2E B4 02 00 00 00 5C 5C 72 65 64 74 65 61 6D 5C 53 65 63 75 72 69 74 79 5C 6D 73 72 63 31 30 35 38 38 5C 6D 73 72 63 31 30 35 38 38 5C 44 65 62 75 67 5C 6D 73 72 63 31 30 35 38 38 2E 70 64 62 00 00 00 00 00 00|"; within:96; distance:496; reference:cve,2011-0662; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-034; classtype:attempted-user; sid:18661; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt"; flow:established,to_server; content:"|FE|SMB"; depth:4; offset:4; content:"|09 00|"; within:2; distance:8; byte_test:2,>,256,52,relative,little; dsize:>256; reference:cve,2011-0661; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-020; classtype:attempted-admin; sid:18660; rev:5;)
# alert tcp $HOME_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"|5C 00 5C 00 2E 00 5C 00 70 00 69 00 70 00 65 00 5C 00 6D 00 79 00 6E 00 61 00 6D 00 65 00 64 00 70 00 69 00 70 00 65 00 00 00 00 00 52 75 6E 6E|"; fast_pattern:only; metadata:service http; reference:cve,2011-0037; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2011/2491888; classtype:attempted-admin; sid:18501; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt"; flow:to_server,established; content:"|6A|"; depth:1; offset:4; content:"|A2 03 02 01 0A|"; within:5; distance:12; content:"|A8 05 30 03 02 01 03|"; distance:0; metadata:service http; reference:cve,2011-0091; reference:url,attack.mitre.org/techniques/T1097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-013; classtype:attempted-user; sid:18414; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k!xxxTrackPopupMenuEx privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"|FF 15 7C 22 43 00 3B F4 E8 F4 EE FF FF 89 45 E0 8B 45 E0 50 E8 7B E8 FF FF 83 C4 04 8B 45 E0 C7 40 04 41 41 41 41 8B F4 6A 00 6A 00 68 E5 01 00 00 6A 00 A1 C0 F1 42 00 50 FF 55 F8 3B F4 E8 BE EE FF FF 8B F4 6A 00 6A 00 68 E3 01 00 00 6A 00 A1 C0 F1 42 00 50 FF 55 F8 3B F4 E8 A1 EE FF FF B8 01 00 00 00 52 8B CD 50 8D 15 0C 28 41 00 E8 F0 EA FF FF 58 5A 5F 5E 5B 81 C4 94 01 00 00 3B EC E8 7B EE FF FF 8B E5 5D C3 8B FF 03 00 00 00 14 28 41 00 90 FF FF FF 30 00 00 00 41 28 41 00 6C FF FF FF 1C 00 00 00 3E 28 41 00 3C FF FF FF|"; fast_pattern:only; metadata:service http; reference:cve,2011-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-012; classtype:attempted-admin; sid:18412; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k!xxxTrackPopupMenuEx privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"|01 00 00 00 52 8B CD 50 8D 15 6C 26 41 00 E8 8C EC FF FF 58 5A 5F 5E 5B 81 C4 58 01 00 00 3B EC E8 12 F0 FF FF 8B E5 5D C3 8D 49 00 02 00 00 00 74 26 41 00 A8 FF FF FF 30 00 00 00 92 26 41 00 78 FF FF FF 28 00 00 00 8C 26 41 00 43 6C 61 73|"; fast_pattern:only; metadata:service http; reference:cve,2011-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-012; classtype:attempted-admin; sid:18411; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys write message to dead thread code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"|55 08 52 FF 15 24 81 40 00 8B 85 F0 FE FF FF 8B 8D F4 FE FF FF 3B 08 75 27 8D 95 F8 FE FF FF 52 8B 45 08 50 68 00 B0 40 00 E8 B5 02 00 00 83 C4 0C 8B 8D F0 FE FF FF 8B 55 08 89 11 33 C0 EB 05 B8 01 00 00 00 8B 4D FC 33 CD E8 CB 03 00 00 8B|"; fast_pattern:only; metadata:service http; reference:cve,2011-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-012; classtype:attempted-admin; sid:18410; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys write message to dead thread code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"|40 00 E8 AD 03 00 00 83 C4 04 8B 55 08 52 FF 15 34 91 40 00 89 45 C4 8D 45 C8 50 6A 01 6A 00 8D 4D CC 51 6A 00 6A 2B 8B 55 C4 52 FF 15 38 91 40 00 B8 01 00 00 00 85 C0 74 16 68 44 C0 40 00 68 00 01 00 00 6A 00 6A 00 FF 15 18 90 40 00 EB E1|"; fast_pattern:only; metadata:service http; reference:cve,2011-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-012; classtype:attempted-admin; sid:18409; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows LSASS domain name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"|5C 56 4D 57 2D 58 50 53 50 32 45 4E 5C 63 24 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 70 6F 73 74 6F 5C 44 65 73 6B 74 6F 70 5C 50 6F 43 5C 53 65 74 75 70 52 65|"; content:"|74 78 74 44 6F 6D 61 69 6E 00 02 04 38 04 58 02 CF 12 1D 01 12 03 00 FF 03 22 00 00 00 08 06 00 4C 61 62 65 6C 34 00 01 01 02 00 5C 5C 00 05 78|"; within:48; distance:144; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-0039; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-014; classtype:attempted-user; sid:18405; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt"; flow:established,to_client, established; content:"NtUnmapViewOfSection|00 00 00 00|ddd|00|In|20|Start"; fast_pattern:only; metadata:service http; reference:cve,2011-0030; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-010; classtype:attempted-admin; sid:18400; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt"; flow:to_client, established; flowbits:isset,file.otf; content:"|00 04 00 18 00 00 00 02 00 02 00 01 00 00 FF FF 00 77 FF FF 00 00 00 69 00 77 FF FF|"; fast_pattern:only; metadata:service http; reference:cve,2010-3959; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-091; classtype:attempted-user; sid:18220; rev:9;)
# alert ip $HOME_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt"; ip_proto:113; byte_test:1,>,3,4; byte_test:1,<,8,4; byte_test:1,&,1,5; byte_test:1,&,1,28; content:"|02 00 00 00 09 61 61 61 61 61 61 61 61 61 61 61|"; reference:bugtraq,29509; reference:cve,2008-1441; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-036; classtype:attempted-dos; sid:17667; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB large session length with small packet "; flow:established, to_server; dsize:<128; content:"|00|"; depth:1; content:"|FF FF FF|SMB|72|"; depth:7; offset:2; reference:cve,2010-2551; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-054; classtype:attempted-dos; sid:17126; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv2 compound request DoS attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:3,>,20000,0,relative; content:"|FE|SMB"; within:4; distance:3; byte_test:4,>,0,16,relative,little; content:"|FE|SMB"; distance:0; byte_test:4,>,0,16,relative,little; content:"|FE|SMB"; distance:0; byte_test:4,>,0,16,relative,little; content:"|FE|SMB"; distance:0; byte_test:4,>,0,16,relative,little; content:"|FE|SMB"; distance:0; byte_test:4,>,0,16,relative,little; reference:cve,2010-2552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-054; classtype:attempted-dos; sid:16577; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB COPY command oversized pathname attempt"; flow:to_server,established; content:"|FF|SMB|29|"; depth:5; offset:4; byte_jump:1,27,relative,multiplier 2; byte_test:2,>,2300,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2010-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:attempted-admin; sid:16395; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Runtime malformed ASF codec memory corruption attempt"; flow:to_client,established; flowbits:isset,file.wma; file_data; content:"|40 9E 69 F8 4D 5B CF 11 A8 FD 00 80 5F 5C 44 2B|"; content:"|00 00 00 00|"; within:4; distance:42; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2525; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-051; classtype:attempted-user; sid:16158; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:77; dce_stub_data; content:"M|00|o|00|d|00|u|00|l|00|e|00|"; nocase; content:".|00|d|00|l|00|l|00|"; distance:0; nocase; content:!"s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|"; within:66; distance:-70; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2009-0230; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-022; classtype:protocol-command-decode; sid:15528; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Event System Subscription VBScript access"; flow:established,to_client; content:"EventSystem.EventSubscription"; fast_pattern:only; pcre:"/CreateOb ?ject\((?P<q>\x22|\x27|)EventSystem\x2eEventSubscription(?P=q)\)/smi"; metadata:service http; reference:cve,2008-1457; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-049; classtype:attempted-user; sid:13979; rev:13;)
# alert ip any any -> any any (msg:"OS-WINDOWS Microsoft Windows remote kernel tcp/ip igmp vulnerability exploit attempt"; ip_proto:2; content:"|11|"; depth:1; byte_test:2,>,254,10; metadata:policy max-detect-ips drop, service igmp; reference:cve,2007-0069; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-001; classtype:attempted-admin; sid:13287; rev:13;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"|8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 9F 97 0C 10|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-021; classtype:attempted-admin; sid:34715; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 8C 9F 97 0C 10|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-021; classtype:attempted-admin; sid:34714; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt"; flow:to_server,established; file_data; content:"|6A 00 6A 00 6A 00 8D 45 9C 50 FF 15 60 94 41 00 3B F4 E8 08 F0 FF FF 85 C0 0F 84 80 00 00 00 81 7D A0 18 01 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-010; classtype:attempted-user; sid:34793; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt"; flow:to_client,established; file_data; content:"|6A 00 6A 00 6A 00 8D 45 9C 50 FF 15 60 94 41 00 3B F4 E8 08 F0 FF FF 85 C0 0F 84 80 00 00 00 81 7D A0 18 01 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-010; classtype:attempted-user; sid:34792; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 8 CreateWindowEx privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|B8 5D 11 00 00|"; content:"|CD 2E|"; within:20; content:"|B8 1E 12 00 00|"; content:"|CD 2E|"; within:20; content:"|68 F0 D8 FF FF 68 F0 D8 FF FF|"; content:"|68 80 00 00 00 51|"; metadata:service smtp; reference:cve,2015-2360; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-061; classtype:attempted-admin; sid:34789; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 8 CreateWindowEx privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|B8 5D 11 00 00|"; content:"|CD 2E|"; within:20; content:"|B8 1E 12 00 00|"; content:"|CD 2E|"; within:20; content:"|68 F0 D8 FF FF 68 F0 D8 FF FF|"; content:"|68 80 00 00 00 51|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2360; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-061; classtype:attempted-admin; sid:34788; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows window placement invalid memory write attempt"; flow:to_server,established; file_data; content:"|C7 45 E4 1F 26 D0 5E C7 45 E8 00 00 00 00 C7 45 F0 B8 79 B2 FC C7 45 EC 17 00 00 00 C7 45 F4 81|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1727; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-061; classtype:attempted-admin; sid:34785; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows window placement invalid memory write attempt"; flow:to_client,established; file_data; content:"|C7 45 E4 1F 26 D0 5E C7 45 E8 00 00 00 00 C7 45 F0 B8 79 B2 FC C7 45 EC 17 00 00 00 C7 45 F4 81|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1727; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-061; classtype:attempted-admin; sid:34784; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows BrushAttributes use-after-free attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FF 15 34 F0 42 00 85 C0 74 1B 8B 45 E4 85 C0 74 07 50 FF 15 08 F1 42 00 39 75 EC 74 1D 6A 04 58|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1726; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-061; classtype:attempted-admin; sid:34783; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows BrushAttributes use-after-free attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 15 34 F0 42 00 85 C0 74 1B 8B 45 E4 85 C0 74 07 50 FF 15 08 F1 42 00 39 75 EC 74 1D 6A 04 58|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1726; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-061; classtype:attempted-admin; sid:34782; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserMessageCall information disclosure attempt"; flow:to_server,established; file_data; content:"|40 00 6A 00 6A 00 A3 E0 84 40 00 FF 15 00 50 40 00 8B 35 A4 50 40 00 6A 00 6A 00 8D 4C 24 10 6A|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1719; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-061; classtype:attempted-recon; sid:34777; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserMessageCall information disclosure attempt"; flow:to_client,established; file_data; content:"|40 00 6A 00 6A 00 A3 E0 84 40 00 FF 15 00 50 40 00 8B 35 A4 50 40 00 6A 00 6A 00 8D 4C 24 10 6A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1719; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-061; classtype:attempted-recon; sid:34776; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows multiple linked fonts memory corruption attempt"; flow:to_server,established; file_data; content:"|53 53 56 89 45 F8 FF 15 04 50 40 00 8B 4D F8 51 56 FF D7 6A 40 8D 85 14 FE FF FF 50 8B 45 B8 50|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1768; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-061; classtype:attempted-admin; sid:34775; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows multiple linked fonts memory corruption attempt"; flow:to_client,established; file_data; content:"|53 53 56 89 45 F8 FF 15 04 50 40 00 8B 4D F8 51 56 FF D7 6A 40 8D 85 14 FE FF FF 50 8B 45 B8 50|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1768; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-061; classtype:attempted-admin; sid:34774; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows bitmap menu item use after free attempt"; flow:to_server,established; file_data; content:"|FF FF 8B B5 20 E5 FF FF 33 FF E9 47 FD FF FF 57 E8 79 BD FF FF 59 EB 3C 8B 95 30 E5 FF FF 8B 85|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1722; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-061; classtype:attempted-admin; sid:34771; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows bitmap menu item use after free attempt"; flow:to_client,established; file_data; content:"|FF FF 8B B5 20 E5 FF FF 33 FF E9 47 FD FF FF 57 E8 79 BD FF FF 59 EB 3C 8B 95 30 E5 FF FF 8B 85|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1722; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-061; classtype:attempted-admin; sid:34770; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows clipboard null pointer dereference privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FF 15 20 01 41 00 C7 45 E8 00 00 00 00 68 54 02 41 00 68 70 02 41 00 FF 15 10 00 41 00 50 FF 15|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1721; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-061; classtype:attempted-admin; sid:34762; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows clipboard null pointer dereference privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 15 20 01 41 00 C7 45 E8 00 00 00 00 68 54 02 41 00 68 70 02 41 00 FF 15 10 00 41 00 50 FF 15|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1721; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-061; classtype:attempted-admin; sid:34761; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Media Player DataObject buffer overflow attempt"; flow:to_server,established; file_data; content:"wmplayer.exe"; nocase; content:"/DataObject|3A|"; within:100; nocase; isdataat:1024,relative; content:!"|20|"; within:1024; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1728; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-057; classtype:attempted-user; sid:34732; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player DataObject buffer overflow attempt"; flow:to_client,established; file_data; content:"wmplayer.exe"; nocase; content:"/DataObject|3A|"; within:100; nocase; isdataat:1024,relative; content:!"|20|"; within:1024; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1728; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-057; classtype:attempted-user; sid:34731; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HSC DVD driver upgrade code execution attempt"; flow:to_client,established; file_data; content:"hcp|3A|//system/DVDUpgrd/dvdupgrd.htm"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10321; reference:cve,2004-0199; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-015; classtype:attempted-user; sid:34933; rev:1;)
# alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt"; flow:to_client,established; file_data; content:"|BD 1C FE FF FF 57 FF 55 A8 8B 7D 08 81 C7 41 05 00 00 57 FF 55 A8 8D BD 1C FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2387; reference:url,www.virustotal.com/en/file/0d4feae9bfccc973e64453d5795c594341d31832b4732e29b7e9d0b9729c62a6/analysis/; classtype:attempted-admin; sid:35108; rev:2;)
# alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt"; flow:to_client,established; file_data; content:"|8B 0D 3C 50 4C 00 85 C9 74 06 F3 C3 8D 74 26 00 C7 05 3C 50 4C 00 01 00 00 00 EB 94|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2387; reference:url,www.virustotal.com/en/file/0d4feae9bfccc973e64453d5795c594341d31832b4732e29b7e9d0b9729c62a6/analysis/; classtype:attempted-admin; sid:35107; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt"; flow:to_server,established; file_data; content:"|BD 1C FE FF FF 57 FF 55 A8 8B 7D 08 81 C7 41 05 00 00 57 FF 55 A8 8D BD 1C FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2387; reference:url,www.virustotal.com/en/file/0d4feae9bfccc973e64453d5795c594341d31832b4732e29b7e9d0b9729c62a6/analysis/; classtype:attempted-admin; sid:35106; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt"; flow:to_server,established; file_data; content:"|8B 0D 3C 50 4C 00 85 C9 74 06 F3 C3 8D 74 26 00 C7 05 3C 50 4C 00 01 00 00 00 EB 94|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2387; reference:url,www.virustotal.com/en/file/0d4feae9bfccc973e64453d5795c594341d31832b4732e29b7e9d0b9729c62a6/analysis/; classtype:attempted-admin; sid:35105; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS DCOM DCE/RPC NTLM reflection elevation of privilege attempt"; flow:to_server,established; file_data; content:"|72 19 03 00 70 02 03 28 57 00 00 0A 0A 72 4B 03 00 70 06 73 58 00 00 0A 0B 07 16 6F 59|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2370; reference:url,code.google.com/p/google-security-research/issues/detail?id=325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-076; classtype:attempted-admin; sid:35175; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS DCOM DCE/RPC NTLM reflection elevation of privilege attempt"; flow:to_client,established; file_data; content:"|72 19 03 00 70 02 03 28 57 00 00 0A 0A 72 4B 03 00 70 06 73 58 00 00 0A 0B 07 16 6F 59|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2370; reference:url,code.google.com/p/google-security-research/issues/detail?id=325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-076; classtype:attempted-admin; sid:35174; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows RDP server PDU length heap overflow attempt"; flow:to_server,established; content:"|FF FF FF 80 7F 65 82|"; depth:10; content:"rdpdr"; content:"cliprdr"; content:"rdpsnd"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2015-2373; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-067; classtype:attempted-admin; sid:35151; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows desktop reference use after free attempt"; flow:to_server,established; file_data; content:"|55 8B EC FF 75 0C FF 75 08 6A 00 B8 52 12 00 00 BA 00 03 FE 7F FF 12 83 C4 0C 5D C2 08 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2366; reference:cve,2015-6171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-135; classtype:attempted-admin; sid:35150; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows desktop reference use after free attempt"; flow:to_client,established; file_data; content:"|55 8B EC FF 75 0C FF 75 08 6A 00 B8 52 12 00 00 BA 00 03 FE 7F FF 12 83 C4 0C 5D C2 08 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2366; reference:cve,2015-6171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-135; classtype:attempted-admin; sid:35149; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows DeferWindowPos access after release code injection attempt"; flow:to_server,established; file_data; content:"|FF 15 18 D1 40 00 83 7D 0C 02 75 0E 6A 00 FF 15 3C D1 40 00 33 C0 EB 18 EB 16 8B 4D 14 51 8B 55|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2365; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-073; classtype:attempted-user; sid:35136; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DeferWindowPos access after release code injection attempt"; flow:to_client,established; file_data; content:"|FF 15 18 D1 40 00 83 7D 0C 02 75 0E 6A 00 FF 15 3C D1 40 00 33 C0 EB 18 EB 16 8B 4D 14 51 8B 55|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2365; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-073; classtype:attempted-user; sid:35135; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserDisableProcessWindowFiltering information disclosure attempt"; flow:to_server,established; content:"GetProcAddress(GetModuleHandle('ntdll.dll'), 'NtYieldExecution')"; fast_pattern:only; content:"NtUserDisableProcessWindowFiltering ="; nocase; metadata:service smtp; reference:cve,2015-2367; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-073; classtype:attempted-recon; sid:35132; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserDisableProcessWindowFiltering information disclosure attempt"; flow:to_client,established; content:"GetProcAddress(GetModuleHandle('ntdll.dll'), 'NtYieldExecution')"; fast_pattern:only; content:"NtUserDisableProcessWindowFiltering ="; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2367; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-073; classtype:attempted-recon; sid:35131; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt"; flow:to_server; content:"enc-authorization-data"; nocase; content:"AD-WIN2K-PAC"; within:250; nocase; content:"ad-data="; within:50; nocase; content:"|07 00 00 00|"; within:250; metadata:policy security-ips alert; reference:bugtraq,70958; reference:cve,2014-6324; reference:url,attack.mitre.org/techniques/T1097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-068; classtype:attempted-admin; sid:35118; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows clipboard null pointer dereference attempt"; flow:to_server,established; file_data; content:"|8B 4D F4 51 FF 15 A4 F1 42 00 FF 15 94 F1 42 00 89 45 FC 8B 55 FC 52 68 D4 3C 42 00 E8 34 01 00|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,75009; reference:cve,2015-1723; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-061; classtype:attempted-admin; sid:35113; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows clipboard null pointer dereference attempt"; flow:to_client,established; file_data; content:"|8B 4D F4 51 FF 15 A4 F1 42 00 FF 15 94 F1 42 00 89 45 FC 8B 55 FC 52 68 D4 3C 42 00 E8 34 01 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,75009; reference:cve,2015-1723; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-061; classtype:attempted-admin; sid:35112; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"head"; depth:500; content:!"|00 00 00 36|"; within:4; distance:8; byte_jump:4,4,relative,from_beginning; content:"|5F 0F 3C F5|"; within:4; distance:12; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2455; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-admin; sid:35526; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"head"; depth:500; content:!"|00 00 00 36|"; within:4; distance:8; byte_jump:4,4,relative,from_beginning; content:"|5F 0F 3C F5|"; within:4; distance:12; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2455; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-admin; sid:35525; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|6D B0 B2 2B B0 09 43 B0 0A 43 61 63 FF FF FF FF B0 00 2B 85 00 67 B4 00 00 00 00 00 44 3E 23 38|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2464; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-080; classtype:attempted-admin; sid:35524; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|6D B0 B2 2B B0 09 43 B0 0A 43 61 63 FF FF FF FF B0 00 2B 85 00 67 B4 00 00 00 00 00 44 3E 23 38|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2464; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-080; classtype:attempted-admin; sid:35523; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ATFM.DLL malformed OTF use-after-free attempt"; flow:to_server,established; file_data; content:"|BC 00 00 05 00 08 02 8A 02 BC 00 00 00 8C 02 8A 02 BC 00 00 01 E0 00 31 01 02 00 00 02 00 08 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2460; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-user; sid:35516; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATFM.DLL malformed OTF use-after-free attempt"; flow:to_client,established; file_data; content:"|BC 00 00 05 00 08 02 8A 02 BC 00 00 00 8C 02 8A 02 BC 00 00 01 E0 00 31 01 02 00 00 02 00 08 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2460; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-user; sid:35515; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtGdiGetTextMetricsW TEXTMETRICW kernel mode ASLR bypass attempt"; flow:to_server,established; file_data; content:"|41 B8 44 00 00 00 4C 8B D1 B8 76 10 00 00 0F 05|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2433; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:policy-violation; sid:35514; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtGdiGetTextMetricsW TEXTMETRICW kernel mode ASLR bypass attempt"; flow:to_client,established; file_data; content:"|41 B8 44 00 00 00 4C 8B D1 B8 76 10 00 00 0F 05|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2433; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:policy-violation; sid:35513; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Notepad remote printer file access attempt"; flow:to_server,established; file_data; content:"WScript.shell"; fast_pattern:only; content:"notepad.exe"; content:"/pt"; within:10; metadata:service smtp; reference:cve,2015-2423; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-recon; sid:35488; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Notepad remote printer file access attempt"; flow:to_client,established; file_data; content:"WScript.shell"; fast_pattern:only; content:"notepad.exe"; content:"/pt"; within:10; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2423; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-recon; sid:35487; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WebDAV invalid character argument injection attempt"; flow:to_client,established; flowbits:isset,ms.webdav.propfind; file_data; content:"<D:href"; fast_pattern; nocase; content:"|3A 5C|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54307; reference:cve,2012-0175; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-048; classtype:attempted-user; sid:35731; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|BE C2 0F BE 80 C0 81 40 00 83 E0 0F EB 02 33 C0 0F BE 84 C1 E0 81 40 00 6A 07 C1 F8 04 59 89 85|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2507; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; classtype:attempted-admin; sid:36017; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|BE C2 0F BE 80 C0 81 40 00 83 E0 0F EB 02 33 C0 0F BE 84 C1 E0 81 40 00 6A 07 C1 F8 04 59 89 85|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2507; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; classtype:attempted-admin; sid:36016; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows System.DirectoryServices.Protocols.Utility class memory overflow attempt"; flow:to_server,established; file_data; content:"|00 00 01 0B 07 16 20 FF FF FF 1F 8D 13 00 00 01 A2 07 0A 72 01 00 00 70 06 28 11 00 00 0A 26 2A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2504; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-101; classtype:attempted-user; sid:36015; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows System.DirectoryServices.Protocols.Utility class memory overflow attempt"; flow:to_client,established; file_data; content:"|00 00 01 0B 07 16 20 FF FF FF 1F 8D 13 00 00 01 A2 07 0A 72 01 00 00 70 06 28 11 00 00 0A 26 2A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2504; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-101; classtype:attempted-user; sid:36014; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Kernel SettingsSyncDiagnostics privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|C3 CC CC CC CC 68 30 5C 41 00 E8 EC 45 00 00 59 C3 CC CC CC CC 68 20 5C 41 00 E8 DC 45 00 00 59 C3|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-102; classtype:attempted-admin; sid:36013; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Kernel SettingsSyncDiagnostics privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|C3 CC CC CC CC 68 30 5C 41 00 E8 EC 45 00 00 59 C3 CC CC CC CC 68 20 5C 41 00 E8 DC 45 00 00 59 C3|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-102; classtype:attempted-admin; sid:36012; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows task scheduler race condition attempt"; flow:to_server,established; file_data; content:"|6E 67 73 2E 44 65 6C 65 74 65 45 78 70 69 72 65 64 54 61 73 6B 41 66 74 65 72 20 3D 20 22 50 54 30 53 22|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2525; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-102; classtype:attempted-admin; sid:36011; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows task scheduler race condition attempt"; flow:to_client,established; file_data; content:"|6E 67 73 2E 44 65 6C 65 74 65 45 78 70 69 72 65 64 54 61 73 6B 41 66 74 65 72 20 3D 20 22 50 54 30 53 22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2525; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-102; classtype:attempted-admin; sid:36010; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows desktop window privilege escalation attempt"; flow:to_server,established; file_data; content:"|89 45 FC FF 15 00 81 40 00 89 45 EC 8B 45 EC 50 68 48 81 40 00 E8 60 00 00 00 83 C4 08 C7 45 D8|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2511; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-097; classtype:attempted-admin; sid:35995; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows desktop window privilege escalation attempt"; flow:to_client,established; file_data; content:"|89 45 FC FF 15 00 81 40 00 89 45 EC 8B 45 EC 50 68 48 81 40 00 E8 60 00 00 00 83 C4 08 C7 45 D8|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2511; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-097; classtype:attempted-admin; sid:35994; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserSetWindowsHook memory disclosure attempt"; flow:to_server,established; file_data; content:"|55 8B EC 51 6A 01 6A 02 FF 15 94 F1 42 00 89 45 FC 8B 45 FC 50 8B 4D FC C1 E9 20 51 68 88 3C 42|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2529; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; classtype:attempted-recon; sid:35987; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserSetWindowsHook memory disclosure attempt"; flow:to_client,established; file_data; content:"|55 8B EC 51 6A 01 6A 02 FF 15 94 F1 42 00 89 45 FC 8B 45 FC 50 8B 4D FC C1 E9 20 51 68 88 3C 42|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2529; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; classtype:attempted-recon; sid:35986; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GDI+ denial of service attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B6 7F ED D5 85 A3 6C 3D 41 4B A5 70 62 4C D7 8B B3 06 06 2F 9B 70 CF 6F EE 93 3D 2B 22 0F FB 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2510; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-097; classtype:attempted-user; sid:35985; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI+ denial of service attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B6 7F ED D5 85 A3 6C 3D 41 4B A5 70 62 4C D7 8B B3 06 06 2F 9B 70 CF 6F EE 93 3D 2B 22 0F FB 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2510; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-097; classtype:attempted-user; sid:35984; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows CreateObjectTask privilege escalation attempt"; flow:to_server,established; file_data; content:"|4C 41 00 56 E8 99 58 00 00 83 C4 0C EB 57 6A F4 FF 15 C4 30 41 00 8B F0 85 F6 74 49 83 FE FF 74|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-102; classtype:policy-violation; sid:35978; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CreateObjectTask privilege escalation attempt"; flow:to_client,established; file_data; content:"|4C 41 00 56 E8 99 58 00 00 83 C4 0C EB 57 6A F4 FF 15 C4 30 41 00 8B F0 85 F6 74 49 83 FE FF 74|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-102; classtype:policy-violation; sid:35977; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows SURFACE objects kernel privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 00 E8 D7 09 00 00 83 C4 14 E8 26 34 00 00 84 C0 75 06 56 E8 45 35 00 00 84 DB 75 05 E8 DF 34|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2518; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; classtype:attempted-admin; sid:35974; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SURFACE objects kernel privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 00 E8 D7 09 00 00 83 C4 14 E8 26 34 00 00 84 C0 75 06 56 E8 45 35 00 00 84 DB 75 05 E8 DF 34|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2518; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; classtype:attempted-admin; sid:35973; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows CDD font parsing kernel memory corruption attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"OTTO"; depth:4; fast_pattern; content:"head"; byte_jump:4,4,relative,from_beginning; content:"|00 01|"; within:2; byte_test:2,>,16384,16,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2506; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; reference:url,www.talosintel.com/vulnerability-reports/; classtype:attempted-admin; sid:35720; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CDD font parsing kernel memory corruption attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO"; depth:4; fast_pattern; content:"head"; byte_jump:4,4,relative,from_beginning; content:"|00 01|"; within:2; byte_test:2,>,16384,16,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2506; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; reference:url,www.talosintel.com/vulnerability-reports/; classtype:attempted-admin; sid:35719; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt"; flow:to_server,established; file_data; content:"|6A 00 6A 00 68 00 00 CF 00 68 6C 71 00 10 A1 1C A0 00 10 50 68 80 00 00 00 FF 15 24 71 00 10 A3|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2546; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-097; classtype:attempted-admin; sid:36029; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt"; flow:to_client,established; file_data; content:"|6A 00 6A 00 68 00 00 CF 00 68 6C 71 00 10 A1 1C A0 00 10 50 68 80 00 00 00 FF 15 24 71 00 10 A3|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2546; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-097; classtype:attempted-admin; sid:36028; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt"; flow:to_client,established; file_data; content:"use: |22|%s|22| -autoexecute"; fast_pattern:only; content:"thread creado"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,60051; reference:cve,2013-3660; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-admin; sid:36384; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt"; flow:to_server,established; file_data; content:"use: |22|%s|22| -autoexecute"; fast_pattern:only; content:"thread creado"; nocase; metadata:service smtp; reference:bugtraq,60051; reference:cve,2013-3660; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-admin; sid:36383; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt"; flow:to_server,established; file_data; content:"|48 C7 84 24 90 00 00 00 07 00 00 00 48 89 AC 24 88 00 00 00 66 89 6C 24 78 44 8D 40 04 48 8D 15 53 22 00 00 48|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-111; classtype:attempted-admin; sid:36446; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt"; flow:to_client,established; file_data; content:"|48 C7 84 24 90 00 00 00 07 00 00 00 48 89 AC 24 88 00 00 00 66 89 6C 24 78 44 8D 40 04 48 8D 15 53 22 00 00 48|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-111; classtype:attempted-admin; sid:36445; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows kernel ALPC synchronous requests memory corruption attempt"; flow:to_server,established; file_data; content:"|68 B4 8C 49 00 8B FC 68 E8 8C 49 00 FF 15 38 40 4B 00 3B FC E8 EC DA FF FF 50 FF 15 3C 40 4B 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2549; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-111; classtype:attempted-admin; sid:36416; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows kernel ALPC synchronous requests memory corruption attempt"; flow:to_client,established; file_data; content:"|68 B4 8C 49 00 8B FC 68 E8 8C 49 00 FF 15 38 40 4B 00 3B FC E8 EC DA FF FF 50 FF 15 3C 40 4B 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2549; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-111; classtype:attempted-admin; sid:36415; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS RDP client dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"a|00|p|00|i|00|-|00|m|00|s|00|-|00|w|00|i|00|n|00|-|00|s|00|h|00|c|00|o|00|r|00|e|00|-|00|s|00|c|00|a|00|l|00|i|00|n|00|g|00|-|00|l|00|1|00|-|00|1|00|-|00|0|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x4B\x00|\x00\x5C)\x00a\x00p\x00i\x00-\x00m\x00s\x00-\x00w\x00i\x00n\x00-\x00s\x00h\x00c\x00o\x00r\x00e\x00-\x00s\x00c\x00a\x00l\x00i\x00n\x00g\x00-\x00l\x001\x00-\x001\x00-\x000\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:service netbios-ssn; reference:cve,2015-6051; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-user; sid:36410; rev:3;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS RDP client dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"W|00|d|00|f|00|C|00|o|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|e|00|r|00|0|00|1|00|0|00|0|00|9|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x31\x00|\x00\x5C)\x00W\x00d\x00f\x00C\x00o\x00I\x00n\x00s\x00t\x00a\x00l\x00l\x00e\x00r\x000\x001\x000\x000\x009\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:service netbios-ssn; reference:cve,2015-6051; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-user; sid:36409; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS RDP client dll-load exploit attempt"; flow:to_server,established; content:"/api-ms-win-shcore-scaling-l1-1-0.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2015-6051; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-user; sid:36408; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS RDP client dll-load exploit attempt"; flow:to_server,established; content:"/WdfCoInstaller01009.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2015-6051; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-user; sid:36407; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows sandbox policy bypass attempt"; flow:to_server,established; file_data; content:"|1C 85 DB 75 12 68 00 20 01 00 68 88 65 01 10 68 F8 70 01 10 50 FF D6 53 FF 15 04 10 01 10 83 BC|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2550; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-111; classtype:attempted-user; sid:36406; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows sandbox policy bypass attempt"; flow:to_client,established; file_data; content:"|1C 85 DB 75 12 68 00 20 01 00 68 88 65 01 10 68 F8 70 01 10 50 FF D6 53 FF 15 04 10 01 10 83 BC|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2550; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-111; classtype:attempted-user; sid:36405; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows SepReferenceLowBoxObjects privilege escalation attempt"; flow:to_server,established; file_data; content:"|55 8B EC F6 45 08 01 56 8B F1 C7 06 14 1F 41 00 74 09 56 E8 C4 10 00 00 83 C4 04 8B C6 5E 5D C2|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2554; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-111; classtype:attempted-admin; sid:36404; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SepReferenceLowBoxObjects privilege escalation attempt"; flow:to_client,established; file_data; content:"|55 8B EC F6 45 08 01 56 8B F1 C7 06 14 1F 41 00 74 09 56 E8 C4 10 00 00 83 C4 04 8B C6 5E 5D C2|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2554; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-111; classtype:attempted-admin; sid:36403; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt"; flow:to_server,established; content:"|6C 82|"; depth:2; offset:4; content:"|A1 03 02 01 05 A2 03 02 01 0C A3 82|"; distance:0; byte_jump:2,0,relative; content:"|A4 82|"; within:2; content:"|A3|"; distance:0; content:"|30|"; within:1; distance:1; content:"|A0 03 02 01 01 A1|"; within:6; distance:1; content:"|30|"; within:1; distance:1; content:"|1B 06|krbtgt"; within:8; distance:1; metadata:policy security-ips alert; reference:bugtraq,70958; reference:cve,2014-6324; reference:url,attack.mitre.org/techniques/T1097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-068; classtype:attempted-admin; sid:36596; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt"; flow:to_server,established; file_data; content:"|51 6A 04 8D 95 7C FF FF FF 52 68 48 00 39 00 8B 45 94 50 FF 15 08 90 41 00 3B F4 E8 07 FC FF FF 89 85 64 FF|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74488; reference:cve,2015-1674; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-052; classtype:attempted-recon; sid:36563; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt"; flow:to_client,established; file_data; content:"|51 6A 04 8D 95 7C FF FF FF 52 68 48 00 39 00 8B 45 94 50 FF 15 08 90 41 00 3B F4 E8 07 FC FF FF 89 85 64 FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74488; reference:cve,2015-1674; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-052; classtype:attempted-recon; sid:36562; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtSetInformationFile hard link sandbox bypass attempt"; flow:to_server,established; file_data; content:"|72 DF 00 00 70 73 18 00 00 0A 0B 07 6F 19 00 00 0A 17 FE 01 16 FE 01 0D 09 2D 40 00 07 1B 8D 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6113; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-115; classtype:policy-violation; sid:36762; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtSetInformationFile hard link sandbox bypass attempt"; flow:to_client,established; file_data; content:"|72 DF 00 00 70 73 18 00 00 0A 0B 07 6F 19 00 00 0A 17 FE 01 16 FE 01 0D 09 2D 40 00 07 1B 8D 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6113; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-115; classtype:policy-violation; sid:36761; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NDIS.SYS driver buffer overflow attempt"; flow:to_server,established; file_data; content:"|68 38 D1 40 00 68 50 D1 40 00 FF 15 00 D0 40 00 50 FF 15 04 D0 40 00 89 85 CC FB FF FF C7 85 C8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-117; classtype:attempted-admin; sid:36745; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NDIS.SYS driver buffer overflow attempt"; flow:to_client,established; file_data; content:"|68 38 D1 40 00 68 50 D1 40 00 FF 15 00 D0 40 00 50 FF 15 04 D0 40 00 89 85 CC FB FF FF C7 85 C8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-117; classtype:attempted-admin; sid:36744; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k information disclosure attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|48 89 74 24 30 48 89 7C 24 38 E8 D7 00 00 00|"; fast_pattern:only; content:"|4C 8B D1 B8 76 10 00 00 0F 05 C3|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6109; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-115; classtype:attempted-recon; sid:36723; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k information disclosure attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|48 89 74 24 30 48 89 7C 24 38 E8 D7 00 00 00|"; fast_pattern:only; content:"|4C 8B D1 B8 76 10 00 00 0F 05 C3|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6109; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-115; classtype:attempted-recon; sid:36722; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt"; flow:to_server,established; file_data; content:"|FF 75 10 FF 75 0C FF 75 08 6A 00 B8 60 11 00 00 BA 00 03 FE 7F FF 12|"; fast_pattern; content:"|FF 75 08 6A 00 B8 5C 11 00 00 BA 00 03 FE 7F FF 12|"; within:50; metadata:service smtp; reference:cve,2015-6102; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-115; classtype:attempted-recon; sid:36719; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt"; flow:to_client,established; file_data; content:"|FF 75 10 FF 75 0C FF 75 08 6A 00 B8 60 11 00 00 BA 00 03 FE 7F FF 12|"; fast_pattern; content:"|FF 75 08 6A 00 B8 5C 11 00 00 BA 00 03 FE 7F FF 12|"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6102; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-115; classtype:attempted-recon; sid:36718; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ClickOnce information disclosure attempt"; flow:to_server,established; flowbits:isset,file.application; file_data; content:"<!ENTITY % remote SYSTEM"; fast_pattern:only; content:".dtd"; content:"%send|3B|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-118; classtype:attempted-user; sid:36713; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ClickOnce information disclosure attempt"; flow:to_client,established; flowbits:isset,file.application; file_data; content:"<!ENTITY % remote SYSTEM"; fast_pattern:only; content:".dtd"; content:"%send|3B|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-118; classtype:attempted-user; sid:36712; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"LoadBitmapW"; nocase; content:"createCompatibleDC"; within:40; nocase; content:"CreateDCA"; within:30; nocase; content:"ExtFloodFill"; fast_pattern:only; content:"StartDocW"; nocase; content:"GdiFlush"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6100; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-115; classtype:attempted-admin; sid:36710; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"LoadBitmapW"; nocase; content:"createCompatibleDC"; within:40; nocase; content:"CreateDCA"; within:30; nocase; content:"ExtFloodFill"; fast_pattern:only; content:"StartDocW"; nocase; content:"GdiFlush"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6100; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-115; classtype:attempted-admin; sid:36709; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows afd.sys memory corruption attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|01 00 E8 F9 19 00 00 85 C0 74 0F 45 33 C0 33 C9 41 8D 50 02 FF 15 C6 6E 01 00 33 C0 48 83 C4 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2478; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-119; classtype:attempted-admin; sid:36706; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows afd.sys memory corruption attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|01 00 E8 F9 19 00 00 85 C0 74 0F 45 33 C0 33 C9 41 8D 50 02 FF 15 C6 6E 01 00 33 C0 48 83 C4 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2478; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-119; classtype:attempted-admin; sid:36705; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows DeferWindowPos privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 00 6A 00 6A 00 6A 00 6A 17 6A 32 6A 0B 68 F8 00 00 00 68 00 00 50 CC|"; fast_pattern:only; content:"|C7 45|"; content:"|EF BE 00 00|"; within:4; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6101; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-115; classtype:attempted-admin; sid:36704; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DeferWindowPos privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 00 6A 00 6A 00 6A 00 6A 17 6A 32 6A 0B 68 F8 00 00 00 68 00 00 50 CC|"; fast_pattern:only; content:"|C7 45|"; content:"|EF BE 00 00|"; within:4; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6101; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-115; classtype:attempted-admin; sid:36703; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"p|00|e|00|e|00|r|00|d|00|i|00|s|00|t|00|s|00|v|00|c|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3966; classtype:attempted-user; sid:36805; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt"; flow:to_server,established; content:"/peerdistsvc.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2010-3966; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-095; classtype:attempted-user; sid:36804; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow"; flow:to_server,established; file_data; content:"|D7 CD C6 9A|"; byte_test:2,<,8,25,relative,little; metadata:service smtp; reference:bugtraq,16516; reference:cve,2006-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-004; classtype:attempted-admin; sid:37087; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft .NET Silverlight manifest resource file information disclosure attempt"; flow:to_server,established; file_data; content:"|EC 2E 51 64 04 4F EC 39 D8 59 28 99 0B 2C AF 4E 96 64 6E 07 1B 0F 9C 76 8C 8E E5 5A 16 B2 3C C7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-129; reference:url,www.talosintel.com/vulnerability-reports/; classtype:attempted-recon; sid:36998; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft .NET Silverlight manifest resource file information disclosure attempt"; flow:to_client,established; file_data; content:"|EC 2E 51 64 04 4F EC 39 D8 59 28 99 0B 2C AF 4E 96 64 6E 07 1B 0F 9C 76 8C 8E E5 5A 16 B2 3C C7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-129; reference:url,www.talosintel.com/vulnerability-reports/; classtype:attempted-recon; sid:36997; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows gpuenergydrv.sys driver privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"gpuenergydrv"; fast_pattern:only; content:"|40 EC 22 00|"; content:"CreateFile"; nocase; content:"DeviceIoControl"; within:50; nocase; content:"KERNEL32.dll"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6175; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-135; classtype:attempted-admin; sid:36990; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows gpuenergydrv.sys driver privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"gpuenergydrv"; fast_pattern:only; content:"|40 EC 22 00|"; content:"CreateFile"; nocase; content:"DeviceIoControl"; within:50; nocase; content:"KERNEL32.dll"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6175; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-135; classtype:attempted-admin; sid:36989; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows thread lock desynchronization null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 0A 6A 00 B8 4D 11 00 00 BA 00 03 FE 7F FF 12|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6174; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-135; classtype:attempted-admin; sid:36977; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows thread lock desynchronization null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 0A 6A 00 B8 4D 11 00 00 BA 00 03 FE 7F FF 12|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6174; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-135; classtype:attempted-admin; sid:36976; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys palette double free attempt"; flow:to_server,established; file_data; content:"|B8 1F 12 00 00 BA 00 03 FE 7F FF 12 83 C4 10 5D C2 0C 00 CC CC CC CC CC CC CC CC CC CC CC CC CC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6173; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-135; classtype:attempted-admin; sid:36971; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys palette double free attempt"; flow:to_client,established; file_data; content:"|B8 1F 12 00 00 BA 00 03 FE 7F FF 12 83 C4 10 5D C2 0C 00 CC CC CC CC CC CC CC CC CC CC CC CC CC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6173; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-135; classtype:attempted-admin; sid:36970; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows devenum.dll device moniker underflow attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"37d415438c5bd011bd3b00a0c911ce86"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-007; classtype:attempted-admin; sid:37278; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows devenum.dll device moniker underflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"37d415438c5bd011bd3b00a0c911ce86"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-007; classtype:attempted-admin; sid:37277; rev:2;)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"f|00|e|00|c|00|l|00|i|00|e|00|n|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x1B\x00|\x00\x5C)\x00f\x00e\x00c\x00l\x00i\x00e\x00n\x00t\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-007; classtype:attempted-user; sid:37276; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt"; flow:to_server,established; content:"/feclient.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0014; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-007; classtype:attempted-user; sid:37275; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt"; flow:to_server,established; file_data; content:"|AC F1 FF FF 84 DB 74 1B 56 FF 15 10 60 41 00 68 0C B8 41 00 E8 F7 F8 FF FF 83 C4 04 E8 AA 61 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-008; classtype:attempted-user; sid:37272; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt"; flow:to_client,established; file_data; content:"|AC F1 FF FF 84 DB 74 1B 56 FF 15 10 60 41 00 68 0C B8 41 00 E8 F7 F8 FF FF 83 C4 04 E8 AA 61 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-008; classtype:attempted-user; sid:37271; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt"; flow:to_server,established; file_data; content:"|E8 33 F0 FF FF C7 44 24 50 00 00 00 00 8D 4C 24 28 FF 76 08 E8 9F 00 00 00 8D 4C 24 28 E8 E6 FD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-008; classtype:attempted-user; sid:37270; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt"; flow:to_client,established; file_data; content:"|E8 33 F0 FF FF C7 44 24 50 00 00 00 00 8D 4C 24 28 FF 76 08 E8 9F 00 00 00 8D 4C 24 28 E8 E6 FD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-008; classtype:attempted-user; sid:37269; rev:2;)
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 07|"; within:3; content:"|3D|"; distance:0; content:"|0C|"; distance:0; byte_test:1,>,150,0,relative; isdataat:150,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0899; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-dos; sid:37367; rev:1;)
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 04|"; within:3; content:"|3D|"; distance:0; content:"|0C|"; distance:0; byte_test:1,>,150,0,relative; isdataat:150,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0899; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-dos; sid:37366; rev:1;)
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 07|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,60,0,relative; content:"|01|"; within:1; distance:1; isdataat:60,relative; content:"|0C|"; distance:0; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0899; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-dos; sid:37365; rev:1;)
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 04|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,60,0,relative; content:"|01|"; within:1; distance:1; isdataat:60,relative; content:"|0C|"; distance:0; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0899; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-dos; sid:37364; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Color Management Module buffer overflow attempt"; flow:to_server,established; file_data; content:"rXYZ"; byte_test:4,>,60,4,relative; content:"gXYZ"; within:4; distance:8; content:"bXYZ"; within:4; distance:8; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,14214; reference:cve,2005-1219; classtype:attempted-user; sid:37445; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt"; flow:to_server,established; file_data; content:"|72 FA 08 00 70 28 39 00 00 0A 72 14 09 00 70 18 20 80 00 00 00 7E 3B 00 00 0A 28 03 00 00 06 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0051; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-016; classtype:attempted-admin; sid:37587; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt"; flow:to_client,established; file_data; content:"|72 FA 08 00 70 28 39 00 00 0A 72 14 09 00 70 18 20 80 00 00 00 7E 3B 00 00 0A 28 03 00 00 06 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0051; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-016; classtype:attempted-admin; sid:37586; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows wind32kfull.sys out of bounds write attempt"; flow:to_server,established; file_data; content:"|68 AA AA AA AA 68 0F F0 00 00 68 12 01 00 00 8B 45 F8 50 FF 15 A8 90 41 00 3B F4 E8 92 F9 FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0048; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-018; classtype:attempted-admin; sid:37585; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows wind32kfull.sys out of bounds write attempt"; flow:to_client,established; file_data; content:"|68 AA AA AA AA 68 0F F0 00 00 68 12 01 00 00 8B 45 F8 50 FF 15 A8 90 41 00 3B F4 E8 92 F9 FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0048; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-018; classtype:attempted-admin; sid:37584; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt"; flow:to_server,established; file_data; content:"|C7 85 90 FE FF FF 41 41 41 41 8D 85 90 FE FF FF 50 68 00 04 00 00 8D 4D C8 E8 D1 91 FF FF 8D 4D C8 E8 6C 94 FF FF 8B F4 50 68|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-admin; sid:37570; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt"; flow:to_server,established; file_data; content:"|48 C7 84 24 48 01 00 00 41 41 41 41 4C 8D 84 24 48 01 00 00 BA 00 04 00 00 48 8D 8C 24 88 00 00 00 E8 85 E9 FF FF 48 8D 8C 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-admin; sid:37569; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt"; flow:to_client,established; file_data; content:"|C7 85 90 FE FF FF 41 41 41 41 8D 85 90 FE FF FF 50 68 00 04 00 00 8D 4D C8 E8 D1 91 FF FF 8D 4D C8 E8 6C 94 FF FF 8B F4 50 68|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-admin; sid:37568; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt"; flow:to_client,established; file_data; content:"|48 C7 84 24 48 01 00 00 41 41 41 41 4C 8D 84 24 48 01 00 00 BA 00 04 00 00 48 8D 8C 24 88 00 00 00 E8 85 E9 FF FF 48 8D 8C 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-admin; sid:37567; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt"; flow:to_server,established; file_data; content:"|59 49 49 51 65 67 59 47 4B 77 59 42 42 51 55 43 6F 49 49 51 62 6A 43 43 45 47 71 68 67 68 42 6D|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,9633; reference:cve,2003-0818; reference:cve,2005-1935; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; classtype:attempted-admin; sid:37635; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt"; flow:to_server,established; file_data; content:"<xsl:"; nocase; content:"../"; within:25; content:"@id"; within:25; nocase; content:"current|28 29|"; within:25; fast_pattern; nocase; content:"@id"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0033; reference:url,attack.mitre.org/techniques/T1220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-019; classtype:attempted-dos; sid:37656; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt"; flow:to_client,established; file_data; content:"<xsl:"; nocase; content:"../"; within:25; content:"@id"; within:25; nocase; content:"current|28 29|"; within:25; fast_pattern; nocase; content:"@id"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0033; reference:url,attack.mitre.org/techniques/T1220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-019; classtype:attempted-dos; sid:37655; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC Plug and Play registry key access buffer overflow attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; content:"|5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:37887; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC Plug and Play registry key access buffer overflow attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; content:"|5C 00 5C 00 5C 00 5C 00 5C 00 5C 00 5C 00 5C 00 5C 00 5C 00 5C 00 5C 00 5C 00 5C 00 5C 00 5C 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:37886; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows EPOINTQF privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 00 B8 BB 10 00 00 BA 00 03 FE 7F FF 12|"; fast_pattern:only; content:"|6A 00 B8 23 11 00 00 BA 00 03 FE 7F FF 12|"; content:"|6A 00 B8 D7 12 00 00 BA 00 03 FE 7F FF 12|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-034; classtype:attempted-admin; sid:38120; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows EPOINTQF privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 00 B8 BB 10 00 00 BA 00 03 FE 7F FF 12|"; fast_pattern:only; content:"|6A 00 B8 23 11 00 00 BA 00 03 FE 7F FF 12|"; content:"|6A 00 B8 D7 12 00 00 BA 00 03 FE 7F FF 12|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-034; classtype:attempted-admin; sid:38119; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt"; flow:to_server,established; file_data; content:"CreateProcessWithLogonW"; fast_pattern:only; content:"STARTUPINFO"; content:"dwFlags"; content:"STARTF_USESTDHANDLES"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-032; classtype:attempted-admin; sid:38115; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt"; flow:to_client,established; file_data; content:"CreateProcessWithLogonW"; fast_pattern:only; content:"STARTUPINFO"; content:"dwFlags"; content:"STARTF_USESTDHANDLES"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-032; classtype:attempted-admin; sid:38114; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ObReferenceObjectByHandle function privilege escalation attempt"; flow:to_server,established; file_data; content:"|8B 55 E4 8B 4A 18 D1 E9 3B C8 77 02 EB 38 8B 45 E4 8B 70 18 D1 EE 8B 4D E4 E8 03 AC FF FF 2B C6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-031; classtype:attempted-user; sid:38093; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ObReferenceObjectByHandle function privilege escalation attempt"; flow:to_client,established; file_data; content:"|8B 55 E4 8B 4A 18 D1 E9 3B C8 77 02 EB 38 8B 45 E4 8B 70 18 D1 EE 8B 4D E4 E8 03 AC FF FF 2B C6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-031; classtype:attempted-user; sid:38092; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GreCreateDisplayDC surface object use after free attempt"; flow:to_server,established; file_data; content:"|FF 15 5C 91 41 00 3B F4 E8 01 FC FF FF 89 45 F8 8B F4 8B 45 F8 50 68 58 58 41 00 FF 15 10 91 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-034; classtype:attempted-admin; sid:38084; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GreCreateDisplayDC surface object use after free attempt"; flow:to_client,established; file_data; content:"|FF 15 5C 91 41 00 3B F4 E8 01 FC FF FF 89 45 F8 8B F4 8B 45 F8 50 68 58 58 41 00 FF 15 10 91 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-034; classtype:attempted-admin; sid:38083; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ValidateParentDepth out of bounds read attempt"; flow:to_server,established; file_data; content:"|7D 7F 8D 85 7C FF FF FF 50 8B 4D D0 83 E9 01 51 6A 00 E8 32 F8 FF FF 83 C4 0C 89 45 94 8D 85 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-034; classtype:attempted-admin; sid:38072; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ValidateParentDepth out of bounds read attempt"; flow:to_client,established; file_data; content:"|7D 7F 8D 85 7C FF FF FF 50 8B 4D D0 83 E9 01 51 6A 00 E8 32 F8 FF FF 83 C4 0C 89 45 94 8D 85 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-034; classtype:attempted-admin; sid:38071; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows rpdesk remote code execution attempt"; flow:to_server,established; file_data; content:"|C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45 F0 00 00 00 00 8B F4 8D 45 F0 50 68 8E 6D 07 CB 6A 00 6A 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0095; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-034; classtype:attempted-user; sid:38062; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows rpdesk remote code execution attempt"; flow:to_client,established; file_data; content:"|C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45 F0 00 00 00 00 8B F4 8D 45 F0 50 68 8E 6D 07 CB 6A 00 6A 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0095; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-034; classtype:attempted-user; sid:38061; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC Direct detection of malicious DCE RPC request in suspicious pcap"; flow:to_server,established; content:"ZYZYZYZYZYZYZYZYZYZYZYZYZYZYZYZYZY"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1544; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-041; classtype:protocol-command-decode; sid:38264; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows CreatePopupMenu win32k.sys use after free attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"DestroyWindow"; content:"SetWindowsHookEx"; distance:0; content:"InsertMenuItemW"; distance:0; fast_pattern; content:"CreatePopupMenu"; distance:0; content:"CreateMenu"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0167; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-037; classtype:attempted-user; sid:38492; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CreatePopupMenu win32k.sys use after free attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"DestroyWindow"; content:"SetWindowsHookEx"; distance:0; content:"InsertMenuItemW"; distance:0; fast_pattern; content:"CreatePopupMenu"; distance:0; content:"CreateMenu"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0167; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-037; classtype:attempted-user; sid:38491; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys PathToRegion buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|8B 4E 04 33 D2 83 C8 FF 53 8B 59 08 F7 F3|"; fast_pattern:only; content:"|E8 FD 01 00 00 8B 46 04 68 CC CC CC CC FF 30 B8 00 F0 00 00 E8|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0165; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-039; classtype:attempted-admin; sid:38488; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys PathToRegion buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|8B 4E 04 33 D2 83 C8 FF 53 8B 59 08 F7 F3|"; fast_pattern:only; content:"|E8 FD 01 00 00 8B 46 04 68 CC CC CC CC FF 30 B8 00 F0 00 00 E8|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0165; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-039; classtype:attempted-admin; sid:38487; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows anonymous user token impersonation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"ImpersonateAnonymousToken"; fast_pattern:only; content:"GetSecurityDescriptorDacl"; nocase; content:"advapi32.dll"; nocase; content:"SetTokenInformation"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-048; classtype:attempted-admin; sid:38476; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows anonymous user token impersonation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"ImpersonateAnonymousToken"; fast_pattern:only; content:"GetSecurityDescriptorDacl"; nocase; content:"advapi32.dll"; nocase; content:"SetTokenInformation"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-048; classtype:attempted-admin; sid:38475; rev:2;)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"a|00|p|00|i|00|-|00|m|00|s|00|-|00|w|00|i|00|n|00|-|00|a|00|p|00|p|00|m|00|o|00|d|00|e|00|l|00|-|00|r|00|u|00|n|00|t|00|i|00|m|00|e|00|-|00|l|00|1|00|-|00|1|00|-|00|0|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-0148; reference:cve,2016-0160; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-041; classtype:attempted-user; sid:38470; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt"; flow:to_server,established; content:"/api-ms-win-appmodel-runtime-l1-1-0.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0148; reference:cve,2016-0160; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-041; classtype:attempted-user; sid:38469; rev:3;)
alert tcp any [135,139,445,49154] -> any any (msg:"OS-WINDOWS DCERPC Bind auth level packet privacy downgrade attempt"; flow:to_client,established; flowbits:isset,dcerpc.privacy; flowbits:unset,dcerpc.privacy; content:"|05 00 0C|"; content:"NTLMSSP|00 02 00 00 00|"; distance:0; content:"|0A 02 00 00|"; within:4; distance:-20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dcerpc, service netbios-ssn; reference:cve,2016-0128; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-047; classtype:attempted-recon; sid:38462; rev:2;)
alert tcp any any -> any [135,139,445,49154] (msg:"OS-WINDOWS DCERPC Bind auth level packet privacy connection detected"; flow:to_server,established; content:"|05 00 0B|"; content:"NTLMSSP|00 01 00 00 00|"; distance:0; content:"|0A 06 00 00|"; within:4; distance:-20; flowbits:set,dcerpc.privacy; flowbits:noalert; metadata:service dcerpc, service netbios-ssn; reference:url,en.wikipedia.org/wiki/DCE/RPC; classtype:protocol-command-decode; sid:38461; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows DrawMenuBarTemp memory corruption attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|52 6A 69 6A 47 6A 0F 8B 45|"; content:"|50 FF 15 28 11 41 00 C7 45|"; within:9; distance:1; content:"|07 00 00 80 C7 45|"; within:6; distance:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0143; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-039; classtype:attempted-admin; sid:38460; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DrawMenuBarTemp memory corruption attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|52 6A 69 6A 47 6A 0F 8B 45|"; content:"|50 FF 15 28 11 41 00 C7 45|"; within:9; distance:1; content:"|07 00 00 80 C7 45|"; within:6; distance:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0143; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-039; classtype:attempted-admin; sid:38459; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows LSARPC LsapLookupSids denial of service attempt"; flow:to_server,established; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:15; dce_stub_data; content:"|00 00 00 00|"; depth:4; offset:20; content:"|00 00 00 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-0135; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-046; classtype:attempted-dos; sid:38458; rev:2;)
# alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows RPC NDR64 denial of service attempt"; flow:to_server,established; file_data; content:"|E0 0C 6B 10 0B C7 67 10 B3 17 00 DD 01 06 62 DA 01 00|"; fast_pattern:only; content:"|33 05 71 71 BA BE 37 49 83 19 B5 DB EF 9C CC 36 01 00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0178; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-061; classtype:attempted-dos; sid:38840; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows RPC NDR64 denial of service attempt"; flow:to_client,established; file_data; content:"|E0 0C 6B 10 0B C7 67 10 B3 17 00 DD 01 06 62 DA 01 00|"; fast_pattern:only; content:"|33 05 71 71 BA BE 37 49 83 19 B5 DB EF 9C CC 36 01 00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0178; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-061; classtype:attempted-dos; sid:38839; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys device context use after free attempt"; flow:to_server,established; file_data; content:"|C7 44 24 20 3E 01 00 00 FF 15 9F F9 00 00 48 8B C8 FF 15 9E F9 00 00 48 8B C8 FF 15 ED F6 00 00 48 8B 0D B6 C0 01 00 48|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0173; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-062; classtype:attempted-admin; sid:38809; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys device context use after free attempt"; flow:to_client,established; file_data; content:"|C7 44 24 20 3E 01 00 00 FF 15 9F F9 00 00 48 8B C8 FF 15 9E F9 00 00 48 8B C8 FF 15 ED F6 00 00 48 8B 0D B6 C0 01 00 48|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0173; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-062; classtype:attempted-admin; sid:38808; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows kernel Configuration Manager failure attempt"; flow:to_server,established; file_data; content:"|55 8B EC 53 8B 5D 08 56 8B F1 57 8B 4E 10 3B CB 0F 82 95 00 00 00 8B 7D 0C 83 C8 FF 2B C1 3B C7|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0180; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-060; classtype:attempted-user; sid:38804; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows kernel Configuration Manager failure attempt"; flow:to_client,established; file_data; content:"|55 8B EC 53 8B 5D 08 56 8B F1 57 8B 4E 10 3B CB 0F 82 95 00 00 00 8B 7D 0C 83 C8 FF 2B C1 3B C7|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0180; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-060; classtype:attempted-user; sid:38803; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtGdiGetEmbUFI kernel information disclosure attempt"; flow:to_server,established; file_data; content:"|FF 15 F5 0A 00 00 85 C0 0F 84 C5 01 00 00 48 8D 54 24 78 48 8B CB E8 E9 09 00 00 85 C0 0F 84 B0 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0175; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-062; classtype:attempted-user; sid:38802; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtGdiGetEmbUFI kernel information disclosure attempt"; flow:to_client,established; file_data; content:"|FF 15 F5 0A 00 00 85 C0 0F 84 C5 01 00 00 48 8D 54 24 78 48 8B CB E8 E9 09 00 00 85 C0 0F 84 B0 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0175; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-062; classtype:attempted-user; sid:38801; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Device Context bitmap use after free attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|FF 15 34 F2 45 00|"; content:"|FF 15 30 F2 45 00|"; within:35; content:"|FF 15 38 F0 45 00|"; within:35; content:"|FF 15 34 F0 45 00|"; within:35; content:"|FF 15 30 F0 45 00|"; within:35; content:"|FF 15 40 F0 45 00|"; within:35; content:"|FF 15 3C F0 45 00|"; within:35; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-062; classtype:attempted-user; sid:38788; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Device Context bitmap use after free attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|FF 15 34 F2 45 00|"; content:"|FF 15 30 F2 45 00|"; within:35; content:"|FF 15 38 F0 45 00|"; within:35; content:"|FF 15 34 F0 45 00|"; within:35; content:"|FF 15 30 F0 45 00|"; within:35; content:"|FF 15 40 F0 45 00|"; within:35; content:"|FF 15 3C F0 45 00|"; within:35; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-062; classtype:attempted-user; sid:38787; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Internet Explorer VerifyFile information disclosure attempt"; flow:to_server,established; file_data; content:"|00|{|00|b|00|0|00|1|00|9|00|e|00|3|00|b|00|f|00|-|00|e|00|7|00|e|00|5|00|-|00|4|00|5|00|3|00|c|00|-|00|a|00|2|00|e|00|4|00|-|00|d|00|2|00|c|00|1|00|8|00|c|00|a|00|0|00|8|00|6|00|6|00|f|00|}|00|"; fast_pattern:only; content:"|00|4|00|8|00|7|00|1|00|A|00|8|00|7|00|A|00|-|00|B|00|F|00|D|00|D|00|-|00|4|00|1|00|0|00|6|00|-|00|8|00|1|00|5|00|3|00|-|00|F|00|F|00|D|00|E|00|2|00|B|00|A|00|C|00|2|00|9|00|6|00|7|00|"; nocase; content:"%username%"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0194; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-051; classtype:attempted-user; sid:38781; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Internet Explorer VerifyFile information disclosure attempt"; flow:to_client,established; file_data; content:"{|00|b|00|0|00|1|00|9|00|e|00|3|00|b|00|f|00|-|00|e|00|7|00|e|00|5|00|-|00|4|00|5|00|3|00|c|00|-|00|a|00|2|00|e|00|4|00|-|00|d|00|2|00|c|00|1|00|8|00|c|00|a|00|0|00|8|00|6|00|6|00|f|00|}|00|"; fast_pattern:only; content:"4|00|8|00|7|00|1|00|A|00|8|00|7|00|A|00|-|00|B|00|F|00|D|00|D|00|-|00|4|00|1|00|0|00|6|00|-|00|8|00|1|00|5|00|3|00|-|00|F|00|F|00|D|00|E|00|2|00|B|00|A|00|C|00|2|00|9|00|6|00|7|00|"; content:"|5C|..|5C|..|5C|..|5C|users|5C|%username%|5C|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0194; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-051; classtype:attempted-user; sid:38780; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows device content surface bitmap use after free attempt"; flow:to_server,established; file_data; content:"|50 E8 4D FF FF FF 8B 4D F8 51 E8 64 FF FF FF 6A 00 6A 00 68 B0 11 41 00 6A 00 FF 15 10 10 41 00 89 45 F0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-062; classtype:attempted-user; sid:38775; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows device content surface bitmap use after free attempt"; flow:to_client,established; file_data; content:"|50 E8 4D FF FF FF 8B 4D F8 51 E8 64 FF FF FF 6A 00 6A 00 68 B0 11 41 00 6A 00 FF 15 10 10 41 00 89 45 F0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-062; classtype:attempted-user; sid:38774; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Dxgkrnl.sys RtlMemoryCopy buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|08 01 00 00 00 19 28 03 C7 85 1C 02 00 00 38 04 00 00 C7 85 18 02 00 00 02 00 00 00 0F 1F 40 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0167; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-062; classtype:attempted-admin; sid:38766; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Dxgkrnl.sys RtlMemoryCopy buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|08 01 00 00 00 19 28 03 C7 85 1C 02 00 00 38 04 00 00 C7 85 18 02 00 00 02 00 00 00 0F 1F 40 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0167; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-062; classtype:attempted-admin; sid:38765; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys font object use after free attempt"; flow:to_server,established; file_data; content:"|49 8B CC FF 15 3D 0A 00 00 4C 21 7C 24 40 48 8D 4D 50 4C 21 7C 24 48 33 D2 41 B8 C0 00 00 00 E8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0174; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-062; classtype:attempted-admin; sid:38762; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys font object use after free attempt"; flow:to_client,established; file_data; content:"|49 8B CC FF 15 3D 0A 00 00 4C 21 7C 24 40 48 8D 4D 50 4C 21 7C 24 48 33 D2 41 B8 C0 00 00 00 E8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0174; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-062; classtype:attempted-admin; sid:38761; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k window handle use after free attempt"; flow:to_server,established; file_data; content:"|49 83 C9 FF C7 44 24 28 9E 02 00 00 BA 86 00 00 00 48 89 7C 24 20 E8 E5 0B 00 00 FF 15 57 18 01 00 48 8B 0D 08 F4 01 00 8B C0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0196; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-062; classtype:attempted-admin; sid:38760; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k window handle use after free attempt"; flow:to_client,established; file_data; content:"|49 83 C9 FF C7 44 24 28 9E 02 00 00 BA 86 00 00 00 48 89 7C 24 20 E8 E5 0B 00 00 FF 15 57 18 01 00 48 8B 0D 08 F4 01 00 8B C0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0196; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-062; classtype:attempted-admin; sid:38759; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GdiPlus malformed EMF file out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|4D 00 00 00|"; byte_test:4,>,2000,80,relative,little; byte_extract:4,80,bitmap_offset,relative; byte_test:4,<,bitmap_offset,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-074; classtype:attempted-user; sid:39267; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GdiPlus malformed EMF file out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|4D 00 00 00|"; byte_test:4,>,2000,80,relative,little; byte_extract:4,80,bitmap_offset,relative; byte_test:4,<,bitmap_offset,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-074; classtype:attempted-user; sid:39266; rev:2;)
alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"OS-WINDOWS Microsoft Windows WPAD spoofing attempt"; flow:to_server,no_stream; content:"|85 00|"; depth:2; offset:2; byte_test:2,>,0,2,relative; content:" FHFAEBEE"; distance:0; detection_filter:track by_dst, count 500, seconds 1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ns; reference:cve,2016-3213; reference:cve,2016-3236; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-063; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-077; classtype:attempted-user; sid:39227; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Diagnostics Hub directory traversal attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"4|00|2|00|C|00|B|00|F|00|A|00|A|00|7|00|-|00|A|00|4|00|A|00|7|00|-|00|4|00|7|00|B|00|B|00|-|00|B|00|4|00|2|00|2|00|-|00|B|00|D|00|1|00|0|00|E|00|9|00|D|00|0|00|2|00|7|00|0|00|0"; nocase; content:"0|00|D|00|8|00|A|00|F|00|6|00|B|00|7|00|-|00|E|00|F|00|D|00|5|00|-|00|4|00|F|00|6|00|D|00|-|00|A|00|8|00|3|00|4|00|-|00|3|00|1|00|4|00|7|00|4|00|0|00|A|00|B|00|8|00|C|00|A|00|A"; distance:0; nocase; content:"|2E 00 2E 00 5C|"; distance:0; nocase; content:"CoCreateInstance"; distance:0; nocase; content:"CLSIDFromString"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3231; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-078; classtype:attempted-admin; sid:39226; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Diagnostics Hub directory traversal attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"4|00|2|00|C|00|B|00|F|00|A|00|A|00|7|00|-|00|A|00|4|00|A|00|7|00|-|00|4|00|7|00|B|00|B|00|-|00|B|00|4|00|2|00|2|00|-|00|B|00|D|00|1|00|0|00|E|00|9|00|D|00|0|00|2|00|7|00|0|00|0"; nocase; content:"0|00|D|00|8|00|A|00|F|00|6|00|B|00|7|00|-|00|E|00|F|00|D|00|5|00|-|00|4|00|F|00|6|00|D|00|-|00|A|00|8|00|3|00|4|00|-|00|3|00|1|00|4|00|7|00|4|00|0|00|A|00|B|00|8|00|C|00|A|00|A"; distance:0; nocase; content:"|2E 00 2E 00 5C|"; distance:0; nocase; content:"CoCreateInstance"; distance:0; nocase; content:"CLSIDFromString"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3231; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-078; classtype:attempted-admin; sid:39225; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys NtGdiExtFloodFill use after free attempt"; flow:to_server,established; file_data; content:"|6A 01 68 4B A4 EB 00 68 BC 00 00 00 68 92 00 00 00 8B 45 D4 50 FF 15 04 80 4A 00 3B F4 E8 78 E1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-073; classtype:attempted-user; sid:39218; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys NtGdiExtFloodFill use after free attempt"; flow:to_client,established; file_data; content:"|6A 01 68 4B A4 EB 00 68 BC 00 00 00 68 92 00 00 00 8B 45 D4 50 FF 15 04 80 4A 00 3B F4 E8 78 E1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-073; classtype:attempted-user; sid:39217; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt"; flow:to_server,established; file_data; content:"|8B F0 85 F6 74 7A 57 6A 04 68 30 36 41 00 56 FF 15 0C F0 40 00 8B F8 85 FF 74 35 8D 45 E0 50 57|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3225; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-075; classtype:attempted-admin; sid:39216; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt"; flow:to_client,established; file_data; content:"|8B F0 85 F6 74 7A 57 6A 04 68 30 36 41 00 56 FF 15 0C F0 40 00 8B F8 85 FF 74 35 8D 45 E0 50 57|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3225; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-075; classtype:attempted-admin; sid:39215; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"WebDavNtlmHandler.classPK"; fast_pattern:only; content:"QueuedNtlmContext.classPK"; content:"SmbRequestThread.classPK"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3225; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-075; classtype:attempted-admin; sid:39214; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"WebDavNtlmHandler.classPK"; fast_pattern:only; content:"QueuedNtlmContext.classPK"; content:"SmbRequestThread.classPK"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3225; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-075; classtype:attempted-admin; sid:39213; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows sandbox ProcessFontDisablePolicy check bypass attempt"; flow:to_server,established; file_data; content:"|33 C5 50 8D 45 F4 64 A3 00 00 00 00 C7 85 2C FF FF FF 00 00 00 00 68 70 6D 42 00 8D 85 08 FF FF FF 50 E8 64 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-074; classtype:attempted-user; sid:39210; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows sandbox ProcessFontDisablePolicy check bypass attempt"; flow:to_client,established; file_data; content:"|33 C5 50 8D 45 F4 64 A3 00 00 00 00 C7 85 2C FF FF FF 00 00 00 00 68 70 6D 42 00 8D 85 08 FF FF FF 50 E8 64 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-074; classtype:attempted-user; sid:39209; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt"; flow:to_server,established; file_data; content:"|4D A8 51 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 68 14 F0 45 00 FF 15 40 20 46 00 85 C0 74 21|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-073; classtype:attempted-admin; sid:39196; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt"; flow:to_server,established; file_data; content:"|45 00 89 45 FC 8B 4D FC 51 FF 15 F8 F1 45 00 6A 00 6A 01 6A 06 8B 55 FC 52 FF 15 FC F1 45 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-073; classtype:attempted-admin; sid:39195; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt"; flow:to_client,established; file_data; content:"|4D A8 51 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 68 14 F0 45 00 FF 15 40 20 46 00 85 C0 74 21|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-073; classtype:attempted-admin; sid:39194; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt"; flow:to_client,established; file_data; content:"|45 00 89 45 FC 8B 4D FC 51 FF 15 F8 F1 45 00 6A 00 6A 01 6A 06 8B 55 FC 52 FF 15 FC F1 45 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-073; classtype:attempted-admin; sid:39193; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys out of bounds read attempt"; flow:to_server,established; file_data; content:"|8B F4 68 F8 00 00 00 68 10 00 00 80 6A 05 68 01 00 00 80 8B 45 90 50 FF 15 04 B0 41 00 3B F4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3286; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-090; classtype:attempted-admin; sid:39517; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys out of bounds read attempt"; flow:to_client,established; file_data; content:"|8B F4 68 F8 00 00 00 68 10 00 00 80 6A 05 68 01 00 00 80 8B 45 90 50 FF 15 04 B0 41 00 3B F4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3286; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-090; classtype:attempted-admin; sid:39516; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows EndDeferWindowPos null page dereference attempt"; flow:to_server,established; file_data; content:"|6A 70 6A 05 6A 05 6A 01 6A 01 6A FF 8B 15 B0 DD 45 00 52 A1 B4 DD 45 00 50 FF 15 08 02 46 00 8B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3254; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-090; classtype:attempted-admin; sid:39509; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows EndDeferWindowPos null page dereference attempt"; flow:to_client,established; file_data; content:"|6A 70 6A 05 6A 05 6A 01 6A 01 6A FF 8B 15 B0 DD 45 00 52 A1 B4 DD 45 00 50 FF 15 08 02 46 00 8B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3254; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-090; classtype:attempted-admin; sid:39508; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys desktop switch use after free attempt"; flow:to_server,established; file_data; content:"|FF 15 28 50 41 00 50 68 60 12 40 00 6A 04 FF 15 28 51 41 00 A3 F4 C7 41 00 A1 F0 C7 41 00 50 FF 15 40 51 41 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3250; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-090; classtype:attempted-admin; sid:39496; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys desktop switch use after free attempt"; flow:to_client,established; file_data; content:"|FF 15 28 50 41 00 50 68 60 12 40 00 6A 04 FF 15 28 51 41 00 A3 F4 C7 41 00 A1 F0 C7 41 00 50 FF 15 40 51 41 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3250; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-090; classtype:attempted-admin; sid:39495; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserDraw privilege escalation attempt"; flow:to_server,established; file_data; content:"|FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 6A 00 B8 7E 11 00 00 8B 15 98 EC 45 00 FF D2 83 C4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3249; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-090; classtype:attempted-admin; sid:39483; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserDraw privilege escalation attempt"; flow:to_client,established; file_data; content:"|FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 6A 00 B8 7E 11 00 00 8B 15 98 EC 45 00 FF D2 83 C4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3249; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-090; classtype:attempted-admin; sid:39482; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k out of bound read attempt"; flow:to_server,established; file_data; content:"|FF 15 10 50 41 00 89 45 D0 83 7D E0 00 74 12|"; content:"|1E 02 00 00 68 47 02 00 00 8B 55 DC 52 8D 45 E4 50 8B 4D D8 51 FF 15 0C 50 41 00 E9 D1 FE FF FF|"; within:500; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3251; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-090; classtype:attempted-admin; sid:39481; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k out of bound read attempt"; flow:to_client,established; file_data; content:"|FF 15 10 50 41 00 89 45 D0 83 7D E0 00 74 12|"; content:"|1E 02 00 00 68 47 02 00 00 8B 55 DC 52 8D 45 E4 50 8B 4D D8 51 FF 15 0C 50 41 00 E9 D1 FE FF FF|"; within:500; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3251; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-090; classtype:attempted-admin; sid:39480; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtGdiSelectPen privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|B8 0F 11 00 00 BA 00 03 FE 7F FF 12 C2 08 00|"; fast_pattern:only; content:"|B8 20 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00|"; content:"|B8 23 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00|"; content:"|B8 0A 11 00 00 BA 00 03 FE 7F FF 12 C2 18 00|"; content:"|B8 09 11 00 00 BA 00 03 FE 7F FF 12 C2 18 00|"; content:"|B8 27 11 00 00 BA 00 03 FE 7F FF 12 C2 14 00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-090; classtype:attempted-admin; sid:39479; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtGdiSelectPen privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|B8 0F 11 00 00 BA 00 03 FE 7F FF 12 C2 08 00|"; fast_pattern:only; content:"|B8 20 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00|"; content:"|B8 23 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00|"; content:"|B8 0A 11 00 00 BA 00 03 FE 7F FF 12 C2 18 00|"; content:"|B8 09 11 00 00 BA 00 03 FE 7F FF 12 C2 18 00|"; content:"|B8 27 11 00 00 BA 00 03 FE 7F FF 12 C2 14 00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-090; classtype:attempted-admin; sid:39478; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|53 00 00 00|"; content:"|00 00 00|"; within:3; distance:21; content:"|4C 00 00 00|"; within:4; distance:20; byte_test:4,>=,4096,-8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3304; reference:cve,2017-11212; reference:cve,2017-11262; reference:cve,2017-3121; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-097; classtype:attempted-user; sid:39844; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|53 00 00 00|"; content:"|00 00 00|"; within:3; distance:21; content:"|4C 00 00 00|"; within:4; distance:20; byte_test:4,>=,4096,-8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3304; reference:cve,2017-11212; reference:cve,2017-11262; reference:cve,2017-3121; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-097; classtype:attempted-user; sid:39843; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32kbase bOutline out of bounds read attempt"; flow:to_server,established; file_data; content:"|50 C7 44 24 10 00 00 00 00 C7 44 24 18 5C 19 34 FC C7 44 24 1C 3C 1F 00 00 FF 15 14 60 40 00 8B F0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3309; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-098; classtype:attempted-admin; sid:39842; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32kbase bOutline out of bounds read attempt"; flow:to_client,established; file_data; content:"|50 C7 44 24 10 00 00 00 00 C7 44 24 18 5C 19 34 FC C7 44 24 1C 3C 1F 00 00 FF 15 14 60 40 00 8B F0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3309; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-098; classtype:attempted-admin; sid:39841; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|4F 00 00 00|"; content:"|28 00 00 00|"; within:4; distance:136; byte_test:4,>,0x00900000,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3262; reference:cve,2016-3301; reference:cve,2016-3303; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-120; classtype:attempted-user; sid:39825; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|4F 00 00 00|"; content:"|28 00 00 00|"; within:4; distance:136; byte_test:4,>,0x00900000,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3262; reference:cve,2016-3301; reference:cve,2016-3303; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-120; classtype:attempted-user; sid:39824; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows operating system win32kfull heap corruption attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FF 85 C0 74 0A B9 07 00 00 00 E8 3F A3 FF FF E8 A2 A4 FF FF E8 EB 8D FF FF 85 C0 74 0C 48 8D 0D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3308; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-098; classtype:attempted-admin; sid:39819; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows operating system win32kfull heap corruption attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 85 C0 74 0A B9 07 00 00 00 E8 3F A3 FF FF E8 A2 A4 FF FF E8 EB 8D FF FF 85 C0 74 0C 48 8D 0D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3308; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-098; classtype:attempted-admin; sid:39818; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32kfull FloodFillWindow privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|07 3F 15 3F 22 3F DC 3F E9 3F F6 3F 00 F0 03 00 8C 00 00 00 01 30 34 30 62 30 94 30 C4 30 F2 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-098; classtype:attempted-admin; sid:39815; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32kfull FloodFillWindow privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|07 3F 15 3F 22 3F DC 3F E9 3F F6 3F 00 F0 03 00 8C 00 00 00 01 30 34 30 62 30 94 30 C4 30 F2 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-098; classtype:attempted-admin; sid:39814; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows graphics subcomponent local privilege escalation attempt"; flow:to_server,established; file_data; content:"|E9 26 D0 04 00 E9 F3 89 01 00 E9 18 B4 00 00 E9 35 6D 02 00 E9 50 A2 03 00 E9 8C B2 02 00 E9 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3310; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-098; classtype:attempted-admin; sid:39809; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows graphics subcomponent local privilege escalation attempt"; flow:to_client,established; file_data; content:"|E9 26 D0 04 00 E9 F3 89 01 00 E9 18 B4 00 00 E9 35 6D 02 00 E9 50 A2 03 00 E9 8C B2 02 00 E9 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3310; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-098; classtype:attempted-admin; sid:39808; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt"; flow:to_server,established; file_data; content:"|52 53 44 53 7B 49 9E D5 8C CA 24 43 BF 3F AE DA 94 BA 10 E4 02 00 00 00 5C 5C 72 65 64 74 65 61 6D 5C 73 65 63 75 72 69|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-1231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-034; classtype:attempted-user; sid:39863; rev:1;)
alert tcp $HOME_NET 2049 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows NFS Server NULL pointer dereference denial-of-service attempt"; flow:to_client,established; flowbits:set,nfs_server_access_reply; content:"|00 00 00 01 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 00|"; within:4; distance:8; content:"|00 00 00 01 00 00 00 02|"; within:8; distance:4; content:"|00 00 00 03|"; within:4; distance:80; flowbits:noalert; reference:cve,2013-1281; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-014; classtype:attempted-dos; sid:40065; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"OS-WINDOWS Microsoft Windows NFS Server NULL pointer dereference denial-of-service attempt"; flow:to_server,established; flowbits:isset,nfs_server_access_reply; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A3|"; within:4; distance:4; content:"|00 00 00 0E|"; within:4; distance:4; metadata:policy security-ips drop; reference:cve,2013-1281; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-014; classtype:attempted-dos; sid:40064; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"OS-WINDOWS Microsoft Windows Server lsass.exe memory corruption attempt"; flow:to_server,established; content:"GSSAPI"; nocase; content:"maxbufsize="; nocase; byte_test:10,>,105,0,relative,string,dec; byte_test:10,<,121,0,relative,string,dec; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ldap; reference:cve,2016-3368; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-110; classtype:attempted-admin; sid:40129; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 10 and 8.1 registry key privilege escalation attempt"; flow:to_server,established; file_data; content:"|02 16 9A 28 28 00 00 0A 28 0C 00 00 06 00 00 2B 08 00 28 0E 00 00 06 00 00 00 DE 11 0B 00 07 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-111; classtype:attempted-user; sid:40128; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 10 and 8.1 registry key privilege escalation attempt"; flow:to_client,established; file_data; content:"|02 16 9A 28 28 00 00 0A 28 0C 00 00 06 00 00 2B 08 00 28 0E 00 00 06 00 00 00 DE 11 0B 00 07 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-111; classtype:attempted-user; sid:40127; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 10 privilege escalation attempt"; flow:to_server,established; file_data; content:"|70 16 17 28 04 00 00 06 0A 06 72 15 00 00 70 6F 0B 00 00 0A 0B 00 07 6F 0C 00 00 0A 0C 16 0D 38 98|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3373; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-111; classtype:attempted-admin; sid:40115; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 10 privilege escalation attempt"; flow:to_client,established; file_data; content:"|70 16 17 28 04 00 00 06 0A 06 72 15 00 00 70 6F 0B 00 00 0A 0B 00 07 6F 0C 00 00 0A 0C 16 0D 38 98|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3373; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-111; classtype:attempted-admin; sid:40114; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 10 GDI privilege escalation attempt"; flow:to_server,established; file_data; content:"|FA 11 00 00 85 C0 74 05 6A 02 59 CD 29 A3 20 DE 45 00 89 0D 1C DE 45 00 89 15 18 DE 45 00 89 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3355; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-106; classtype:attempted-admin; sid:40113; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 10 GDI privilege escalation attempt"; flow:to_client,established; file_data; content:"|FA 11 00 00 85 C0 74 05 6A 02 59 CD 29 A3 20 DE 45 00 89 0D 1C DE 45 00 89 15 18 DE 45 00 89 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3355; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-106; classtype:attempted-admin; sid:40112; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Server Ntoskrnl concurrent login attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"D|00|:|00|(|00|A|00 3B 00|O|00|I|00|C|00|I|00 3B 00|G|00|A|00|W|00|D|00 3B 00 3B 00 3B 00|S|00|-|00|1|00|-|00|1|00|-|00|0|00|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3305; reference:cve,2016-3306; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-111; classtype:attempted-user; sid:40111; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Server Ntoskrnl concurrent login attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"D|00|:|00|(|00|A|00 3B 00|O|00|I|00|C|00|I|00 3B 00|G|00|A|00|W|00|D|00 3B 00 3B 00 3B 00|S|00|-|00|1|00|-|00|1|00|-|00|0|00|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3305; reference:cve,2016-3306; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-111; classtype:attempted-user; sid:40110; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 7 Win32k ValidateZorder privilege escalation attempt"; flow:to_server,established; file_data; content:"|6A 00 68 6E 07 00 00 68 08 E2 00 00 6A 67 68 DB 00 00 00 8B 0D 34 EC 45 00 51 8B 15 38 EC 45 00 52 8B 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3348; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-106; classtype:attempted-admin; sid:40097; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 7 Win32k ValidateZorder privilege escalation attempt"; flow:to_client,established; file_data; content:"|6A 00 68 6E 07 00 00 68 08 E2 00 00 6A 67 68 DB 00 00 00 8B 0D 34 EC 45 00 51 8B 15 38 EC 45 00 52 8B 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3348; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-106; classtype:attempted-admin; sid:40096; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k.sys sbit_Embolden use after free attempt"; flow:to_server,established; file_data; content:"|68 B4 D5 46 00 E8 A2 B1 FF FF 83 C4 08 EB 05 E9 1F 09 00 00 8B F4 8D 45 AC 50 6A 00 8B 4D B8 51 8B 55 C4 52 FF 15 10 C0 48 00 3B F4 E8 33 51 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7182; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-120; classtype:attempted-admin; sid:40428; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k.sys sbit_Embolden use after free attempt"; flow:to_client,established; file_data; content:"|68 B4 D5 46 00 E8 A2 B1 FF FF 83 C4 08 EB 05 E9 1F 09 00 00 8B F4 8D 45 AC 50 6A 00 8B 4D B8 51 8B 55 C4 52 FF 15 10 C0 48 00 3B F4 E8 33 51 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7182; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-120; classtype:attempted-admin; sid:40427; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GDI+ EMF buffer overread attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|01 00 00 00|"; depth:4; content:" EMF"; depth:4; offset:40; byte_jump:4,4,little,from_beginning; content:"|4C 00 00 00|"; distance:0; content:"|28 00 00 00|"; within:4; distance:96; content:"|08 00|"; within:2; distance:10; byte_jump:4,-112,relative,little,post_offset -8; content:"|0E 00 00 00|"; within:4; content:"|00 00 00 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-120; classtype:attempted-user; sid:40426; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI+ EMF buffer overread attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|01 00 00 00|"; depth:4; content:" EMF"; depth:4; offset:40; byte_jump:4,4,little,from_beginning; content:"|4C 00 00 00|"; distance:0; content:"|28 00 00 00|"; within:4; distance:96; content:"|08 00|"; within:2; distance:10; byte_jump:4,-112,relative,little,post_offset -8; content:"|0E 00 00 00|"; within:4; content:"|00 00 00 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-120; classtype:attempted-user; sid:40425; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows DFS client driver privilege escalation attempt"; flow:to_server,established; file_data; content:"DangerousGetHandle"; fast_pattern:only; content:"SafeHandleZeroOrMinusOneIsInvalid"; content:"ReleaseHandle"; content:"|5C 00|D|00|e|00|v|00|i|00|c|00|e|00 5C 00|D|00|f|00|s|00|C|00|l|00|i|00|e|00|n|00|t|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7185; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-123; classtype:attempted-user; sid:40419; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DFS client driver privilege escalation attempt"; flow:to_client,established; file_data; content:"DangerousGetHandle"; fast_pattern:only; content:"SafeHandleZeroOrMinusOneIsInvalid"; content:"ReleaseHandle"; content:"|5C 00|D|00|e|00|v|00|i|00|c|00|e|00 5C 00|D|00|f|00|s|00|C|00|l|00|i|00|e|00|n|00|t|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7185; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-123; classtype:attempted-user; sid:40418; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows registry hive privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 1F FE 73 10 00 00 0A 28 02 00 00 06 26 06 17 28 05 00 00 06 0B 28 03 00 00 06 26 06 28 06 00 00 06 16 FE 01 13 05 11 05 2C 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-124; classtype:attempted-admin; sid:40413; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows registry hive privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 1F FE 73 10 00 00 0A 28 02 00 00 06 26 06 17 28 05 00 00 06 0B 28 03 00 00 06 26 06 28 06 00 00 06 16 FE 01 13 05 11 05 2C 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-124; classtype:attempted-admin; sid:40412; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys ExtTextOut memory corruption attempt"; flow:to_server,established; file_data; content:"|E8 E9 A6 FF FF 8B F4 6A 00 6A 33 8B 45 CC 50 8D 4D D8 51 68 04 0C 00 00 6A 07 6A 18 8B 55 9C 52 FF 15 38 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3270; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-120; classtype:attempted-admin; sid:40411; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys ExtTextOut memory corruption attempt"; flow:to_client,established; file_data; content:"|E8 E9 A6 FF FF 8B F4 6A 00 6A 33 8B 45 CC 50 8D 4D D8 51 68 04 0C 00 00 6A 07 6A 18 8B 55 9C 52 FF 15 38 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3270; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-120; classtype:attempted-admin; sid:40410; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows user hive impersonation privelege escalation attempt"; flow:to_server,established; file_data; content:"|28 1C 00 00 0A 00 00 00 00 06 20 5B 08 47 00 07 28 02 00 00 2B 0C 00 DE 16 00 09 14 FE 03 13 05 11 05 2C 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-124; classtype:attempted-admin; sid:40403; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows user hive impersonation privelege escalation attempt"; flow:to_client,established; file_data; content:"|28 1C 00 00 0A 00 00 00 00 06 20 5B 08 47 00 07 28 02 00 00 2B 0C 00 DE 16 00 09 14 FE 03 13 05 11 05 2C 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-124; classtype:attempted-admin; sid:40402; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 10 arbitrary registry key access privelege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|11 04 6F 24 00 00 0A 07 72 EE 01 00 70 28 0F 00 00 06 0A 00|"; fast_pattern:only; content:"|28 28 00 00 0A 6F 29 00 00 0A|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-124; classtype:attempted-admin; sid:40401; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 10 arbitrary registry key access privelege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|11 04 6F 24 00 00 0A 07 72 EE 01 00 70 28 0F 00 00 06 0A 00|"; fast_pattern:only; content:"|28 28 00 00 0A 6F 29 00 00 0A|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-124; classtype:attempted-admin; sid:40400; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Diagnostics Hub dll load from stream attempt"; flow:to_server,established; file_data; content:"|B7 F6 8A 0D D5 EF 6D 4F A8 34 31 47 40 AB 8C AA|"; fast_pattern:only; content:"|A7 FA CB 42 A7 A4 BB 47 B4 22 BD 10 E9 D0 27 00|"; content:"CoCreateGuid"; content:"StringFromIID"; content:"CoCreateInstance"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7188; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-125; classtype:attempted-admin; sid:40399; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Diagnostics Hub dll load from stream attempt"; flow:to_client,established; file_data; content:"|B7 F6 8A 0D D5 EF 6D 4F A8 34 31 47 40 AB 8C AA|"; fast_pattern:only; content:"|A7 FA CB 42 A7 A4 BB 47 B4 22 BD 10 E9 D0 27 00|"; content:"CoCreateGuid"; content:"StringFromIID"; content:"CoCreateInstance"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7188; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-125; classtype:attempted-admin; sid:40398; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Edge DACL privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"NtCreateLowBoxToken|00|"; content:"m|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|e|00|d|00|g|00|e|00|.|00|e|00|x|00|e|00 00|"; content:"S|00 3A 00 28 00|M|00|L|00 3B 00|O|00|I|00|C|00|I|00 3B 00|N|00|W|00 3B 00 3B 00 3B 00|S|00|-|00|1|00|-|00|1|00|6|00|-|00|0|00 29 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3388; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-118; classtype:attempted-admin; sid:40397; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Edge DACL privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"NtCreateLowBoxToken|00|"; content:"m|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|e|00|d|00|g|00|e|00|.|00|e|00|x|00|e|00 00|"; content:"S|00 3A 00 28 00|M|00|L|00 3B 00|O|00|I|00|C|00|I|00 3B 00|N|00|W|00 3B 00 3B 00 3B 00|S|00|-|00|1|00|-|00|1|00|6|00|-|00|0|00 29 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3388; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-118; classtype:attempted-admin; sid:40396; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Ntoskrnl integer overflow privilege escalation attempt"; flow:to_server,established; file_data; content:"|F0 FF FF FF 10 B4 00 00 50 B4 00 00 78 B4 00 00 F0 FF FF FF 33 00 31 00 00 00 00 00 70 41 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0070; reference:cve,2017-0103; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-017; classtype:attempted-admin; sid:40395; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Ntoskrnl integer overflow privilege escalation attempt"; flow:to_client,established; file_data; content:"|F0 FF FF FF 10 B4 00 00 50 B4 00 00 78 B4 00 00 F0 FF FF FF 33 00 31 00 00 00 00 00 70 41 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0070; reference:cve,2017-0103; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-017; classtype:attempted-admin; sid:40394; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Ntoskrnl privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.dat; file_data; content:"sk|00 00|"; content:"|01 00|"; within:2; distance:16; byte_test:4,>,0xFFFF,2,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3376; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-123; classtype:attempted-admin; sid:40393; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Ntoskrnl privilege escalation attempt"; flow:to_server,established; file_data; content:"regf"; depth:4; content:"sk|00 00|"; content:"|01 00|"; within:2; distance:16; byte_test:4,>,0xFFFF,2,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3376; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-123; classtype:attempted-admin; sid:40392; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys FBitsTouch use after free attempt"; flow:to_server,established; file_data; content:"|89 45 F4 E8 8A FE FF FF 53 FF 15 48 10 00 01 8B 3D 4C 10 00 01 8D 45 F0 50 FF D7 50 E8 A7 FE FF FF FF D7 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7211; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-123; classtype:attempted-user; sid:40381; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys FBitsTouch use after free attempt"; flow:to_client,established; file_data; content:"|89 45 F4 E8 8A FE FF FF 53 FF 15 48 10 00 01 8B 3D 4C 10 00 01 8D 45 F0 50 FF D7 50 E8 A7 FE FF FF FF D7 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7211; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-123; classtype:attempted-user; sid:40380; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft GDI local privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"ScaleWindowExtEx"; content:"SetWorldTransform"; content:"SetMapperFlags"; content:"ModifyWorldTransform"; fast_pattern:only; content:"SetViewportOrgEx"; content:"GradientFill"; metadata:service smtp; reference:cve,2016-3266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-123; classtype:attempted-admin; sid:40377; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft GDI local privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"ScaleWindowExtEx"; content:"SetWorldTransform"; content:"SetMapperFlags"; content:"ModifyWorldTransform"; fast_pattern:only; content:"SetViewportOrgEx"; content:"GradientFill"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-123; classtype:attempted-admin; sid:40376; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows insecure BoundaryDescriptor privilege escalation attempt"; flow:to_server,established; file_data; content:"CreatePrivateNamespace"; content:"_|00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|E|00|d|00|g|00|e|00 00|"; content:"S|00 3A 00 28 00|M|00|L|00 3B 00|O|00|I|00|C|00|I|00 3B 00|N|00|W|00 3B 00 3B 00 3B 00|S|00|-|00|1|00|-|00|1|00|6|00|-|00|0|00 29 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3387; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-118; classtype:attempted-admin; sid:40375; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows insecure BoundaryDescriptor privilege escalation attempt"; flow:to_client,established; file_data; content:"CreatePrivateNamespace"; content:"_|00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|E|00|d|00|g|00|e|00 00|"; content:"S|00 3A 00 28 00|M|00|L|00 3B 00|O|00|I|00|C|00|I|00 3B 00|N|00|W|00 3B 00 3B 00 3B 00|S|00|-|00|1|00|-|00|1|00|6|00|-|00|0|00 29 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3387; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-118; classtype:attempted-admin; sid:40374; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Media Runtime malformed ASF codec memory corruption attempt"; flow:to_server,established; flowbits:isset,file.wma; file_data; content:"|40 9E 69 F8 4D 5B CF 11 A8 FD 00 80 5F 5C 44 2B|"; content:"|00 00 00 00|"; within:4; distance:42; metadata:service smtp; reference:cve,2009-2525; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-051; classtype:attempted-user; sid:40354; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows AHCACHE.SYS remote denial of service attempt"; flow:to_server,established; file_data; content:"|69 9A A6 19 76 7A 7E 73 88 84 FD C7 1E 6D 73 67 4A 5F 75 73 65 6C 65 73 73 42 4D D3 0C C9 C3 B9 BD C1 5C C1 EC 84 34 CB 25 73 01 7E 14 41 65 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3369; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-110; reference:url,www.talosintel.com/vulnerability-reports/; classtype:attempted-dos; sid:40556; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows AHCACHE.SYS remote denial of service attempt"; flow:to_client,established; file_data; content:"|69 9A A6 19 76 7A 7E 73 88 84 FD C7 1E 6D 73 67 4A 5F 75 73 65 6C 65 73 73 42 4D D3 0C C9 C3 B9 BD C1 5C C1 EC 84 34 CB 25 73 01 7E 14 41 65 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3369; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-110; reference:url,www.talosintel.com/vulnerability-reports/; classtype:attempted-dos; sid:40555; rev:3;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows VHDMP generic privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"E|00|C|00|9|00|8|00|4|00|A|00|E|00|C|00|-|00|A|00|0|00|F|00|9|00|-|00|4|00|7|00|E|00|9|00|-|00|9|00|0|00|1|00|F|00|-|00|7|00|1|00|4|00|1|00|5|00|A|00|6|00|6|00|3|00|4|00|5|00|B|00|"; fast_pattern:only; content:"CreateVirtualDiskParameters"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7224; reference:cve,2016-7225; reference:cve,2016-7226; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-138; classtype:attempted-user; sid:40694; rev:2;)
alert tcp any $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows VHDMP generic privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"E|00|C|00|9|00|8|00|4|00|A|00|E|00|C|00|-|00|A|00|0|00|F|00|9|00|-|00|4|00|7|00|E|00|9|00|-|00|9|00|0|00|1|00|F|00|-|00|7|00|1|00|4|00|1|00|5|00|A|00|6|00|6|00|3|00|4|00|5|00|B|00|"; fast_pattern:only; content:"CreateVirtualDiskParameters"; content:"CreateVirtualDiskFlag"; content:"OpenVirtualDiskFlag"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7224; reference:cve,2016-7225; reference:cve,2016-7226; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-138; classtype:attempted-user; sid:40693; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys GetDIBits out of bounds read attempt"; flow:to_server,established; file_data; content:"|8D 45 A8 50 68 B0 A7 41 00 6A 00 6A 61 8B 4D A4 51 6A 00 FF 15 20 31 41 00 50 FF 15 00 30 41 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7214; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-135; classtype:attempted-user; sid:40688; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys GetDIBits out of bounds read attempt"; flow:to_client,established; file_data; content:"|8D 45 A8 50 68 B0 A7 41 00 6A 00 6A 61 8B 4D A4 51 6A 00 FF 15 20 31 41 00 50 FF 15 00 30 41 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7214; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-135; classtype:attempted-user; sid:40687; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys MegSetLensContextInformation use after free attempt"; flow:to_server,established; file_data; content:"|BC D5 FF FF FF 15 04 30 40 00 46 3B F7 7C EE 83 BD 9C D5 FF FF 00 0F 84 9A 01 00 00 8B 0D 88 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-135; classtype:attempted-user; sid:40686; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32kfull.sys MegSetLensContextInformation use after free attempt"; flow:to_client,established; file_data; content:"|BC D5 FF FF FF 15 04 30 40 00 46 3B F7 7C EE 83 BD 9C D5 FF FF 00 0F 84 9A 01 00 00 8B 0D 88 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-135; classtype:attempted-user; sid:40685; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Task Scheduler SystemLocal NTLM remote path authentication challenge attempt"; flow:to_server,established; file_data; content:"New-ScheduledTaskAction"; content:"-Execute"; within:15; content:"|5C 5C|"; within:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7222; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-130; classtype:attempted-admin; sid:40678; rev:3;)
alert tcp any $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Task Scheduler SystemLocal NTLM remote path authentication challenge attempt"; flow:to_client,established; file_data; content:"New-ScheduledTaskAction"; content:"-Execute"; within:15; content:"|5C 5C|"; within:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7222; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-130; classtype:attempted-admin; sid:40677; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft windows InProcServer32 privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"1|00|3|00|4|00|2|00|F|00|D|00|9|00|E|00|-|00|E|00|6|00|A|00|7|00|-|00|4|00|6|00|2|00|1|00|-|00|9|00|A|00|B|00|F|00|-|00|E|00|B|00|5|00|1|00|E|00|E|00|0|00|A|00|6|00|B|00|3|00|D|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-130; classtype:attempted-user; sid:40672; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft windows InProcServer32 privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"1|00|3|00|4|00|2|00|F|00|D|00|9|00|E|00|-|00|E|00|6|00|A|00|7|00|-|00|4|00|6|00|2|00|1|00|-|00|9|00|A|00|B|00|F|00|-|00|E|00|B|00|5|00|1|00|E|00|E|00|0|00|A|00|6|00|B|00|3|00|D|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-130; classtype:attempted-user; sid:40671; rev:2;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FF 15 8D 4A 07 00 45 33 C9 41 B8 02 00 00 00 33 D2 B1 1B FF 15 7A 4A 07 00 45 33 C9 41 B8 02 00 00 00 33 D2 B1 12 FF 15 67 4A 07 00 33 C0 48 83 C4 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-135; classtype:attempted-admin; sid:40666; rev:2;)
alert tcp any $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 15 8D 4A 07 00 45 33 C9 41 B8 02 00 00 00 33 D2 B1 1B FF 15 7A 4A 07 00 45 33 C9 41 B8 02 00 00 00 33 D2 B1 12 FF 15 67 4A 07 00 33 C0 48 83 C4 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-135; classtype:attempted-admin; sid:40665; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtGdiSetBitmapAttributes privilege escalation attempt"; flow:to_server,established; file_data; content:"|0F 28 05 F0 09 41 00 8B F8 8D 45 EC 50 0F 11 45 EC FF 15 14 C0 40 00 6A 00 8B D8 FF 15 10 C0 40 00 8B F0 57|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7215; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-135; classtype:attempted-admin; sid:40664; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtGdiSetBitmapAttributes privilege escalation attempt"; flow:to_client,established; file_data; content:"|0F 28 05 F0 09 41 00 8B F8 8D 45 EC 50 0F 11 45 EC FF 15 14 C0 40 00 6A 00 8B D8 FF 15 10 C0 40 00 8B F0 57|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7215; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-135; classtype:attempted-admin; sid:40663; rev:2;)
alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt"; flow:to_server,established; file_data; content:"|6A 20 0F 43 45|"; content:"|0F 57 C0 6A 04 6A 00 6A 03 68 9F 01 12 00 50 66 0F D6 45 A8 FF 15|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3340; reference:cve,2016-3343; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-134; classtype:attempted-admin; sid:40658; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt"; flow:to_client,established; file_data; content:"|6A 20 0F 43 45|"; content:"|0F 57 C0 6A 04 6A 00 6A 03 68 9F 01 12 00 50 66 0F D6 45 A8 FF 15|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3340; reference:cve,2016-3343; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-134; classtype:attempted-admin; sid:40657; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows LSASS GSS-API DER decoding null pointer dereference attempt"; flow:to_server,established; content:"|FF|SMBs|00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,0x80,0,relative; content:"|A1 84|"; within:2; distance:50; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-7237; reference:cve,2017-0004; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-137; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-004; classtype:attempted-dos; sid:40759; rev:3;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt"; flow:to_server,established; file_data; content:"|8B 4D 08 83 E9 14 89 4D F0 8B 55 F0 52 6A F4 8B 45 FC 50 FF 15 1C 11 41 00 8B 4D FC 51 68 38 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-135; classtype:attempted-admin; sid:40887; rev:2;)
alert tcp any $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt"; flow:to_client,established; file_data; content:"|8B 4D 08 83 E9 14 89 4D F0 8B 55 F0 52 6A F4 8B 45 FC 50 FF 15 1C 11 41 00 8B 4D FC 51 68 38 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-135; classtype:attempted-admin; sid:40886; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS empty PostScript Type 1 font pfb file null dereference attempt"; flow:to_client,established; flowbits:isset,file.psfont; content:"Content-Length|3A| 0"; fast_pattern:only; http_header; metadata:service http; reference:cve,2016-7259; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-151; classtype:attempted-user; sid:40990; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows MSIEXEC privilege escalation attempt"; flow:to_server,established; file_data; content:"|48 89 7C 24 30 C7 44 24 28 00 00 20 02 C7 44 24 20 03 00 00 00 45 33 C9 BA 02 00 00 80 45 8D 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7292; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-149; classtype:attempted-admin; sid:40985; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MSIEXEC privilege escalation attempt"; flow:to_client,established; file_data; content:"|48 89 7C 24 30 C7 44 24 28 00 00 20 02 C7 44 24 20 03 00 00 00 45 33 C9 BA 02 00 00 80 45 8D 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7292; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-149; classtype:attempted-admin; sid:40984; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|68 00 04 00 00|"; content:"|51|"; within:20; content:"|68 00 04 00 00|"; within:15; content:"|52 68 02 04 39 00|"; within:15; content:"|50 53 53 53 51 E8|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7219; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-149; classtype:attempted-user; sid:40956; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|68 00 04 00 00|"; content:"|51|"; within:20; content:"|68 00 04 00 00|"; within:15; content:"|52 68 02 04 39 00|"; within:15; content:"|50 53 53 53 51 E8|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7219; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-149; classtype:attempted-user; sid:40955; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|68 00 04 00 00|"; content:"|51|"; within:20; content:"|68 00 04 00 00|"; within:15; content:"|52 68 02 04 39 00|"; within:15; content:"|50 53 53 53 51 FF|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7219; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-149; classtype:attempted-user; sid:40954; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|68 00 04 00 00|"; content:"|51|"; within:20; content:"|68 00 04 00 00|"; within:15; content:"|52 68 02 04 39 00|"; within:15; content:"|50 53 53 53 51 FF|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7219; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-149; classtype:attempted-user; sid:40953; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows StripSolidHorizontal out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|68 00 00 CF 10 68 10 F0 45 00 68 1C F0 45 00 6A 00 FF 15 E8 21 46 00 89 45 F8 8B 4D F8 51 FF 15 E4 21 46|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7260; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-151; classtype:attempted-admin; sid:40948; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows StripSolidHorizontal out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|68 00 00 CF 10 68 10 F0 45 00 68 1C F0 45 00 6A 00 FF 15 E8 21 46 00 89 45 F8 8B 4D F8 51 FF 15 E4 21 46|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7260; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-151; classtype:attempted-admin; sid:40947; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows RtlQueryRegistryValues buffer overflow attempt"; flow:established,to_client; content:"RegDeleteValueA"; nocase; content:"SystemDefaultEUDCFont"; fast_pattern; nocase; metadata:service http; reference:cve,2010-4398; reference:url,docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-011; classtype:attempted-admin; sid:41365; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft GDI+ privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 00 6A 02 6A 00 6A 08 6A 06 8B|"; content:"|E8|"; within:15; content:"|68 DE 00 00 00 68 24 05 00 00 68 00 00 DF 15 68 35 73 4E 0A 68|"; within:50; content:"|6A 00 E8|"; within:7; content:"|6A 00 68 43 40 00 00 6A 00 6A 00 8B|"; within:50; content:"|E8|"; within:15; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0081; reference:cve,2017-0188; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41998; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft GDI+ privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 00 6A 02 6A 00 6A 08 6A 06 8B|"; content:"|E8|"; within:15; content:"|68 DE 00 00 00 68 24 05 00 00 68 00 00 DF 15 68 35 73 4E 0A 68|"; within:50; content:"|6A 00 E8|"; within:7; content:"|6A 00 68 43 40 00 00 6A 00 6A 00 8B|"; within:50; content:"|E8|"; within:15; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0081; reference:cve,2017-0188; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41997; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows DDI privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|50 68 B6 00 00 00 6A 02 6A 04 8B|"; byte_extract:4,1,mov_value,relative; byte_extract:3,3,call_value,relative; content:"|6A 00 68 CE 01 00 00 6A 02 6A 01|"; distance:0; byte_test:4,=,mov_value,2,relative; byte_test:3,=,call_value,9,relative; content:"|6A 00 68 CE 01 00 00 6A 02 6A 01|"; distance:0; byte_test:4,=,mov_value,2,relative; byte_test:3,=,call_value,9,relative; content:"|68 95 01 00 00 68 24 05 00 00 68 00 00 FD 35 68 80 00 09 00 68|"; distance:0; content:"|68 82 00 00 00 E8|"; within:6; distance:4; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41996; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DDI privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|50 68 B6 00 00 00 6A 02 6A 04 8B|"; byte_extract:4,1,mov_addr,relative; byte_extract:3,3,call_value,relative; content:"|6A 00 68 CE 01 00 00 6A 02 6A 01 8B|"; distance:0; byte_test:4,=,mov_addr,1,relative; byte_test:3,=,call_value,8,relative; content:"|6A 00 68 CE 01 00 00 6A 02 6A 01 8B|"; distance:0; byte_test:4,=,mov_addr,1,relative; byte_test:3,=,call_value,8,relative; content:"|68 95 01 00 00 68 24 05 00 00 68 00 00 FD 35 68 80 00 09 00 68|"; distance:0; content:"|68 82 00 00 00 E8|"; within:6; distance:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41995; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GDI WMF out of bounds read attempt"; flow:to_server,established; file_data; content:"|D7 CD C6 9A 00 00|"; depth:6; byte_test:2,>,0x8000,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0073; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-013; classtype:attempted-user; sid:41994; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI WMF out of bounds read attempt"; flow:to_client,established; file_data; content:"|D7 CD C6 9A 00 00|"; depth:6; byte_test:2,>,0x8000,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0073; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-013; classtype:attempted-user; sid:41993; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 92 00 00 00 00 00 01 00 90 00 01 00 00 00 21 00 96 00 04 00 00 00 01 04 4C 00 01 00 00 00 01 04 9C 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0121; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-user; sid:41986; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 92 00 00 00 00 00 01 00 90 00 01 00 00 00 21 00 96 00 04 00 00 00 01 04 4C 00 01 00 00 00 01 04 9C 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0121; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-user; sid:41985; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt"; flow:to_server,established; file_data; content:"|72 AF 6E 09 4F 64 BC 6C 61 63 75 74 65 09 6F 64 62 6C 61 63 75 74 65 06 2E 61 63 75 AC 65 06 72|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0090; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-user; sid:41975; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt"; flow:to_client,established; file_data; content:"|72 AF 6E 09 4F 64 BC 6C 61 63 75 74 65 09 6F 64 62 6C 61 63 75 74 65 06 2E 61 63 75 AC 65 06 72|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0090; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-user; sid:41974; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 03 03 E8 00 00 00 00 BF 2B F8 C0 00 00 00 00 BF 2B F8 C0 FF 9E FF 06 04 10 03 AF 00 00 00 03 00 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0072; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-user; sid:41973; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 03 03 E8 00 00 00 00 BF 2B F8 C0 00 00 00 00 BF 2B F8 C0 FF 9E FF 06 04 10 03 AF 00 00 00 03 00 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0072; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-user; sid:41972; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TrueTypeFont GSUB table out of bounds write attempt"; flow:to_server,established; file_data; content:"|03 8E 00 01 00 02 03 DF 03 E0 00 04 00 07 00 00 00 08 00 01 00 3A 00 01 00 08 00 06 00 0E 00 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-011; classtype:attempted-user; sid:41967; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TrueTypeFont GSUB table out of bounds write attempt"; flow:to_client,established; file_data; content:"|03 8E 00 01 00 02 03 DF 03 E0 00 04 00 07 00 00 00 08 00 01 00 3A 00 01 00 08 00 06 00 0E 00 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-011; classtype:attempted-user; sid:41966; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TrueType Font LookupTable out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 07 00 08 00 0A 00 16 00 1E 00 26 00 2E 00 36 00 3E FF FF FF FF 00 56 00 5E 00 01 00 00 00 01 01 6A 00 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-user; sid:41961; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TrueType Font LookupTable out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 07 00 08 00 0A 00 16 00 1E 00 26 00 2E 00 36 00 3E FF FF FF FF 00 56 00 5E 00 01 00 00 00 01 01 6A 00 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-user; sid:41960; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|20 00 58 00 00 03 00 00 00 00 00 00 FD 58 00 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-user; sid:41941; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|20 00 58 00 00 03 00 00 00 00 00 00 FD 58 00 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-user; sid:41940; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Win32k DDI use after free attempt"; flow:to_server,established; file_data; content:"|83 C4 0C 8D 45 DC 50 6A 00 6A 28 8B 4D E8 51 E8 FB 8E FF FF 89 45 F4 83 7D F4 00 7D 1A 8B 45 F4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41931; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Win32k DDI use after free attempt"; flow:to_client,established; file_data; content:"|83 C4 0C 8D 45 DC 50 6A 00 6A 28 8B 4D E8 51 E8 FB 8E FF FF 89 45 F4 83 7D F4 00 7D 1A 8B 45 F4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41930; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Win32k DDI use after free attempt"; flow:to_server,established; file_data; content:"|8B 45 A4 50 8B 4D C8 51 8B 55 EC 52 E8 70 9F FF FF 89 45 F8 83 7D F8 00 7D 15 8B 45 F8 50 68 70|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0078; reference:cve,2017-0079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41929; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Win32k DDI use after free attempt"; flow:to_client,established; file_data; content:"|8B 45 A4 50 8B 4D C8 51 8B 55 EC 52 E8 70 9F FF FF 89 45 F8 83 7D F8 00 7D 15 8B 45 F8 50 68 70|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0078; reference:cve,2017-0079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41928; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Win32u NtUserThunkedMenuItemInfo use after free attempt"; flow:to_server,established; file_data; content:"|C8 00 66 89 91 00 80 50 00 8D 45 F0 50 8D 4D 88 51 6A 01 6A 00 6A 06 8B 55 C0 52 E8 5C 9F FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0056; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41927; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Win32u NtUserThunkedMenuItemInfo use after free attempt"; flow:to_client,established; file_data; content:"|C8 00 66 89 91 00 80 50 00 8D 45 F0 50 8D 4D 88 51 6A 01 6A 00 6A 06 8B 55 C0 52 E8 5C 9F FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0056; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41926; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Kaspersky Internet Security KLIF driver denial of service attempt"; flow:to_server,established; file_data; content:"|C7 45 E8 00 00 00 80 50 8D 45 D8 C7 45 F8 10 00 00 00 50 6A 10 8D 45 E8 50 6A 00 FF 75 D4 FF 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4305; reference:url,www.talosintelligence.com/reports/TALOS-2016-0167; classtype:attempted-dos; sid:39079; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Kaspersky Internet Security KLIF driver denial of service attempt"; flow:to_client,established; file_data; content:"|C7 45 E8 00 00 00 80 50 8D 45 D8 C7 45 F8 10 00 00 00 50 6A 10 8D 45 E8 50 6A 00 FF 75 D4 FF 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4305; reference:url,www.talosintelligence.com/reports/TALOS-2016-0167; classtype:attempted-dos; sid:39078; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Kaspersky Internet Security KLIF driver denial of service attempt"; flow:to_server,established; file_data; content:"|68 00 00 CA 00 8D 44 24 30 50 8D 86 F9 0F 00 00 50 8D 44 24 38 50 68 00 02 00 00 68 69 11 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4304; reference:url,www.talosintelligence.com/reports/TALOS-2016-0166; classtype:attempted-dos; sid:38850; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Kaspersky Internet Security KLIF driver denial of service attempt"; flow:to_client,established; file_data; content:"|68 00 00 CA 00 8D 44 24 30 50 8D 86 F9 0F 00 00 50 8D 44 24 38 50 68 00 02 00 00 68 69 11 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4304; reference:url,www.talosintelligence.com/reports/TALOS-2016-0166; classtype:attempted-dos; sid:38849; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Clipboard Broker privilege escalation vulnerability attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"D|00|6|00|3|00|B|00|1|00|0|00|C|00|5|00|-|00|B|00|B|00|4|00|6|00|-|00|4|00|9|00|9|00|0|00|-|00|A|00|9|00|4|00|F|00|-|00|E|00|4|00|0|00|B|00|9|00|D|00|5|00|2|00|0|00|1|00|6|00|0|00|"; fast_pattern:only; content:"GetTypeFromCLSID"; content:"IRuntimeBroker"; content:"GetClipboardBroker"; content:"IClipboardBroker"; content:"SetClipboard"; content:"GetClipboard"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0211; classtype:attempted-user; sid:42209; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Clipboard Broker privilege escalation vulnerability attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"D|00|6|00|3|00|B|00|1|00|0|00|C|00|5|00|-|00|B|00|B|00|4|00|6|00|-|00|4|00|9|00|9|00|0|00|-|00|A|00|9|00|4|00|F|00|-|00|E|00|4|00|0|00|B|00|9|00|D|00|5|00|2|00|0|00|1|00|6|00|0|00|"; fast_pattern:only; content:"GetTypeFromCLSID"; content:"IRuntimeBroker"; content:"GetClipboardBroker"; content:"IClipboardBroker"; content:"SetClipboard"; content:"GetClipboard"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0211; classtype:attempted-user; sid:42208; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GDI null pointer dereference attempt"; flow:to_server,established; file_data; content:"|50 E8 0B 9B FF FF 83 C4 0C 89 45 94 68 B6 FE FF FF 68 D3 04 00 00 68 00 00 FF 04 68 14 27 14 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0156; classtype:attempted-admin; sid:42200; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI null pointer dereference attempt"; flow:to_client,established; file_data; content:"|50 E8 0B 9B FF FF 83 C4 0C 89 45 94 68 B6 FE FF FF 68 D3 04 00 00 68 00 00 FF 04 68 14 27 14 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0156; classtype:attempted-admin; sid:42199; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows IE ETW Collector Service privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"6|00|C|00|F|00|9|00|B|00|8|00|0|00|0|00|-|00|5|00|0|00|D|00|B|00|-|00|4|00|6|00|B|00|5|00|-|00|9|00|2|00|1|00|8|00|-|00|E|00|A|00|C|00|F|00|0|00|7|00|F|00|5|00|E|00|4|00|1|00|4|00|"; fast_pattern:only; content:"|5C 00|G|00|L|00|O|00|B|00|A|00|L|00|R|00|O|00|O|00|T|00 5C 00|R|00|P|00|C|00 20 00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; content:"CreateCollectionSessionReplyData"; content:"|12 06 12 09 12 0A 6F 20 00 00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0165; classtype:attempted-user; sid:42188; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows IE ETW Collector Service privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"6|00|C|00|F|00|9|00|B|00|8|00|0|00|0|00|-|00|5|00|0|00|D|00|B|00|-|00|4|00|6|00|B|00|5|00|-|00|9|00|2|00|1|00|8|00|-|00|E|00|A|00|C|00|F|00|0|00|7|00|F|00|5|00|E|00|4|00|1|00|4|00|"; fast_pattern:only; content:"|5C 00|G|00|L|00|O|00|B|00|A|00|L|00|R|00|O|00|O|00|T|00 5C 00|R|00|P|00|C|00 20 00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; content:"CreateCollectionSessionReplyData"; content:"|12 06 12 09 12 0A 6F 20 00 00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0165; classtype:attempted-user; sid:42187; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt"; flow:to_server,established; file_data; content:"|13 06 11 06 09 72 B6 01 00 70 6F 21 00 00 0A 00 11 06 72 C2 01 00 70 72 CE 01 00 70 6F 21 00 00 0A 00 11 06 6F 22 00 00 0A 72 DC 01 00 70 1F 24 6F 23 00 00 0A 13 07 11 07 11 06 6F 24 00 00 0A 74 22 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0160; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; classtype:attempted-user; sid:42186; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt"; flow:to_client,established; file_data; content:"|13 06 11 06 09 72 B6 01 00 70 6F 21 00 00 0A 00 11 06 72 C2 01 00 70 72 CE 01 00 70 6F 21 00 00 0A 00 11 06 6F 22 00 00 0A 72 DC 01 00 70 1F 24 6F 23 00 00 0A 13 07 11 07 11 06 6F 24 00 00 0A 74 22 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0160; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; classtype:attempted-user; sid:42185; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft GDI PolyTextOutW out of bounds memory write attempt"; flow:to_server,established; file_data; content:"|B8 1D 11 00 00 BA 00 03 FE 7F|"; fast_pattern:only; content:"|B8 FD 10 00 00 BA 00 03 FE 7F|"; content:"|6A 11 50|"; content:"|FF|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0155; classtype:attempted-user; sid:42174; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft GDI PolyTextOutW out of bounds memory write attempt"; flow:to_client,established; file_data; content:"|B8 1D 11 00 00 BA 00 03 FE 7F|"; fast_pattern:only; content:"|B8 FD 10 00 00 BA 00 03 FE 7F|"; content:"|6A 11 50|"; content:"|FF|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0155; classtype:attempted-user; sid:42173; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Win32k privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|C7 85|"; content:"|0F 00 00 00 C7 85|"; within:6; distance:4; content:"|27 00 00 00 C7 85|"; within:6; distance:4; content:"|AE 01 00 00 C7 85|"; within:6; distance:4; content:"|0D 00 00 00 C7 85|"; within:6; distance:4; content:"|09 00 00 00 C7 85|"; within:6; distance:4; content:"|0C 00 00 00 C7 85|"; within:6; distance:4; content:"|14 00 00 00 C7 85|"; within:6; distance:4; content:"|2E 01 00 00 68 2E 01 00 00 E8|"; within:10; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0189; classtype:attempted-admin; sid:42159; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Win32k privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|C7 85|"; content:"|0F 00 00 00 C7 85|"; within:6; distance:4; content:"|27 00 00 00 C7 85|"; within:6; distance:4; content:"|AE 01 00 00 C7 85|"; within:6; distance:4; content:"|0D 00 00 00 C7 85|"; within:6; distance:4; content:"|09 00 00 00 C7 85|"; within:6; distance:4; content:"|0C 00 00 00 C7 85|"; within:6; distance:4; content:"|14 00 00 00 C7 85|"; within:6; distance:4; content:"|2E 01 00 00 68 2E 01 00 00 E8|"; within:10; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0189; classtype:attempted-admin; sid:42158; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k information disclosure attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|68 80 32 00 10 E8 88 FF FF FF 83 C4 08 8D 45 F8 B9 69 00 00 00 8B F3 BF 88 43 00 10 F3 A5 50 6A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0167; classtype:attempted-admin; sid:42155; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k information disclosure attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|68 80 32 00 10 E8 88 FF FF FF 83 C4 08 8D 45 F8 B9 69 00 00 00 8B F3 BF 88 43 00 10 F3 A5 50 6A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0167; classtype:attempted-admin; sid:42154; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB3|00 00 00 00|"; depth:9; offset:4; byte_extract:2,26,TotalDataCount,relative,little; byte_test:2,>,TotalDataCount,20,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,blog.talosintelligence.com/2017/05/wannacry.html; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41978; rev:5;)
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB anonymous user session setup request detected"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:13; offset:4; content:"|01 00 00 00 00 00 00 00|"; within:8; distance:38; content:"|00 00 00 00 00|"; within:5; distance:6; flowbits:set,smb.null_session; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441638.aspx; classtype:policy-violation; sid:42256; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows empty RDP cookie negotiation attempt"; flow:to_server,established; content:"|08 E0 00 00 00 00|"; depth:6; offset:4; content:"|0D 0A|"; within:2; distance:1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service rdp; reference:cve,2017-0176; reference:cve,2017-9073; reference:url,www.securitytracker.com/id/1038264; classtype:policy-violation; sid:42255; rev:4;)
# alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv1 WriteAndX and TransSecondaryRequest TotalDataCount out of bounds write attempt"; flow:to_server,established; content:"|FF|SMB|26 00 00 00 00|"; depth:9; offset:4; fast_pattern; byte_test:1,!&,0x80,0,relative; content:"|00 00 00 00 00 00 00 00 00 00|"; within:10; distance:5; content:"|08|"; within:1; distance:8; byte_test:2,<,500,10,relative,little; byte_test:2,>,15500,14,relative,little; byte_test:2,<,16000,14,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2017-0145; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:42294; rev:2;)
# alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt"; flow:to_server,established; flowbits:isset,smb.null_session; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"|00 5C 00|I|00|P|00|C|00|$|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42340; rev:4;)
alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory"; flow:to_client,established; content:"Frag"; fast_pattern; content:"Free"; content:"|FA FF FF|"; content:"|F8 FF FF|"; within:3; distance:5; content:"|F8 FF FF|"; within:3; distance:5; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42339; rev:3;)
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request memory leak attempt"; flow:to_server,established; content:"|FF|SMB|A0|"; depth:5; offset:4; content:"|05 00|"; within:2; distance:64; byte_test:2,>,1024,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42338; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Jet DB Engine Buffer Overflow attempt"; flow:to_server,established; file_data; content:"|00 01 00 00|Standard Jet DB"; depth:19; nocase; content:"P|00|r|00|i|00|m|00|a|00|r|00|y|00|K|00|e|00|y|00|"; distance:0; fast_pattern; nocase; byte_test:2,>,0x0F,0,relative,little; content:!"|FF FF|"; within:2; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,12960; reference:cve,2005-0944; classtype:attempted-user; sid:42446; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Jet DB Engine Buffer Overflow attempt"; flow:to_server,established; file_data; content:"|00 01 00 00|Standard Jet DB"; depth:19; nocase; content:"A|00|O|00|I|00|n|00|d|00|e|00|x|00|"; distance:0; fast_pattern; nocase; byte_test:2,>,0x0F,0,relative,little; content:!"|FF FF|"; within:2; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,12960; reference:cve,2005-0944; classtype:attempted-user; sid:42445; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Jet DB Engine Buffer Overflow attempt"; flow:to_server,established; file_data; content:"|00 01 00 00|Standard Jet DB"; depth:19; nocase; content:"O|00|b|00|j|00|e|00|c|00|t|00|I|00|d|00|"; distance:0; fast_pattern; nocase; content:!"A|00|t|00|t|00|r|00|i|00|b|00|u|00|t|00|e"; within:17; nocase; content:!"O|00|r|00|d|00|e|00|r|00|"; within:10; nocase; byte_test:2,>,0x0F,0,relative,little; content:!"|FF FF|"; within:2; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,12960; reference:cve,2005-0944; classtype:attempted-user; sid:42444; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Jet DB Engine Buffer Overflow attempt"; flow:to_server,established; file_data; content:"|00 01 00 00|Standard Jet DB"; depth:19; nocase; content:"P|00|a|00|r|00|e|00|n|00|t|00|I|00|d|00|n|00|a|00|m|00|e|00|"; distance:0; fast_pattern; nocase; byte_test:2,>,0x0F,0,relative,little; content:!"|FF FF|"; within:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,12960; reference:cve,2005-0944; classtype:attempted-user; sid:42443; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Jet DB Engine Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|00 01 00 00|Standard Jet DB"; depth:19; nocase; content:"P|00|r|00|i|00|m|00|a|00|r|00|y|00|K|00|e|00|y|00|"; distance:0; fast_pattern; nocase; byte_test:2,>,0x0F,0,relative,little; content:!"|FF FF|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12960; reference:cve,2005-0944; classtype:attempted-user; sid:42442; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Jet DB Engine Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|00 01 00 00|Standard Jet DB"; depth:19; nocase; content:"A|00|O|00|I|00|n|00|d|00|e|00|x|00|"; distance:0; fast_pattern; nocase; byte_test:2,>,0x0F,0,relative,little; content:!"|FF FF|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12960; reference:cve,2005-0944; classtype:attempted-user; sid:42441; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Jet DB Engine Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|00 01 00 00|Standard Jet DB"; depth:19; nocase; content:"O|00|b|00|j|00|e|00|c|00|t|00|I|00|d|00|"; distance:0; fast_pattern; nocase; content:!"A|00|t|00|t|00|r|00|i|00|b|00|u|00|t|00|e"; within:17; nocase; content:!"O|00|r|00|d|00|e|00|r|00|"; within:10; nocase; byte_test:2,>,0x0F,0,relative,little; content:!"|FF FF|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12960; reference:cve,2005-0944; classtype:attempted-user; sid:42440; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ntoskrnl information disclosure attempt"; flow:to_server,established; file_data; content:"|8D 44 24 18 C7 44 24 28 01 00 00 00 50 6A 10 8D 44 24 30 C7 44 24 3C 00 00 00 00 50 6A 00 56 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0258; classtype:attempted-admin; sid:42784; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ntoskrnl information disclosure attempt"; flow:to_client,established; file_data; content:"|8D 44 24 18 C7 44 24 28 01 00 00 00 50 6A 10 8D 44 24 30 C7 44 24 3C 00 00 00 00 50 6A 00 56 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0258; classtype:attempted-admin; sid:42783; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows COM privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|50 68 FF 01 0F 00 FF 15|"; content:"|50 FF 15|"; within:3; distance:4; content:"|50 6A 01 6A 00 6A 00 68 FF 01 0F 00 FF 75|"; distance:0; content:"|FF 15|"; within:2; distance:1; metadata:service smtp; reference:cve,2017-0213; classtype:attempted-admin; sid:42774; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows COM privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|50 68 FF 01 0F 00 FF 15|"; content:"|50 FF 15|"; within:3; distance:4; content:"|50 6A 01 6A 00 6A 00 68 FF 01 0F 00 FF 75|"; distance:0; content:"|FF 15|"; within:2; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0213; classtype:attempted-admin; sid:42773; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GdiGradientFill null pointer dereference attempt"; flow:to_server,established; file_data; content:"|6A 00 68 70 21 40 00 6A 00 8B F0 FF 15 04 20 40 00 50 FF 15 00 20 40 00 56 8B F8 E8 F2 FE FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0246; classtype:attempted-admin; sid:42772; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GdiGradientFill null pointer dereference attempt"; flow:to_client,established; file_data; content:"|6A 00 68 70 21 40 00 6A 00 8B F0 FF 15 04 20 40 00 50 FF 15 00 20 40 00 56 8B F8 E8 F2 FE FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0246; classtype:attempted-admin; sid:42771; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Win32k kernel memory leak attempt"; flow:to_server,established; file_data; content:"|64 A1 30 00 00 00 8B 40 2C|"; fast_pattern; content:"|6A 04 68|"; within:25; content:"|FF|"; within:10; content:"|C7|"; content:"|14 01 00 00|"; within:4; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0245; classtype:attempted-user; sid:42770; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Win32k kernel memory leak attempt"; flow:to_client,established; file_data; content:"|64 A1 30 00 00 00 8B 40 2C|"; fast_pattern; content:"|6A 04 68|"; within:25; content:"|FF|"; within:10; content:"|C7|"; content:"|14 01 00 00|"; within:4; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0245; classtype:attempted-user; sid:42769; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt"; flow:to_server,established; file_data; content:"|6A 00 8D 4C 24 10 C7 84 24 CC 01 00 00 00 00 00 00 51 6A 14 8D 8C 24 D4 01 00 00 C7 84 24 D8 01 00 00 00 00 37 13 51 6A 14 51 68 03 20 01 00 50 C7 84 24 F0 01 00 00 00 00 00 00 C7 84 24 F4 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,2017-0175; classtype:attempted-admin; sid:42768; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt"; flow:to_client,established; file_data; content:"|6A 00 8D 4C 24 10 C7 84 24 CC 01 00 00 00 00 00 00 51 6A 14 8D 8C 24 D4 01 00 00 C7 84 24 D8 01 00 00 00 00 37 13 51 6A 14 51 68 03 20 01 00 50 C7 84 24 F0 01 00 00 00 00 00 00 C7 84 24 F4 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,2017-0175; classtype:attempted-admin; sid:42767; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft win32k privilege escalation attempt"; flow:to_server,established; file_data; content:"|68 33 C0 33 C0 68 F8 01 00 00|"; fast_pattern; content:"|FF|"; within:10; content:"|6A FF 68 FC 01 00 00|"; within:25; content:"|FF|"; within:10; content:"|6A 00 6A 00 68|"; content:"|FF|"; within:10; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0263; classtype:attempted-admin; sid:42766; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft win32k privilege escalation attempt"; flow:to_client,established; file_data; content:"|68 33 C0 33 C0 68 F8 01 00 00|"; fast_pattern; content:"|FF|"; within:10; content:"|6A FF 68 FC 01 00 00|"; within:25; content:"|FF|"; within:10; content:"|6A 00 6A 00 68|"; content:"|FF|"; within:10; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0263; classtype:attempted-admin; sid:42765; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt"; flow:to_server,established; file_data; content:"|66 0F D6 44 24 6C C7 44 24 2C 00 00 00 00 C7 44 24 30 39 00 00 00 C7 44 24 34 00 00 00 00 E8 9E 16 00 00 8B 3D 20 F1 42 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0259; classtype:attempted-recon; sid:42764; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt"; flow:to_client,established; file_data; content:"|66 0F D6 44 24 6C C7 44 24 2C 00 00 00 00 C7 44 24 30 39 00 00 00 C7 44 24 34 00 00 00 00 E8 9E 16 00 00 8B 3D 20 F1 42 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0259; classtype:attempted-recon; sid:42763; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows COM privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|39 00 45 00 31 00 37 00 35 00 42 00 36 00 38 00 2D 00 46 00 35 00 32 00 41 00 2D 00 31 00 31 00 44 00 38 00 2D 00 42 00 39 00 41 00 35 00 2D 00 35 00 30 00 35 00 30 00 35 00 34 00 35 00 30 00 33 00 30 00 33 00 30|"; fast_pattern:only; content:"CreateFileMoniker"; nocase; content:"System.Runtime.InteropServices.ComTypes"; nocase; content:"IRunningObjectTable"; nocase; content:"GetRunningObjectTable"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0214; classtype:attempted-admin; sid:42760; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows COM privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|39 00 45 00 31 00 37 00 35 00 42 00 36 00 38 00 2D 00 46 00 35 00 32 00 41 00 2D 00 31 00 31 00 44 00 38 00 2D 00 42 00 39 00 41 00 35 00 2D 00 35 00 30 00 35 00 30 00 35 00 34 00 35 00 30 00 33 00 30 00 33 00 30|"; fast_pattern:only; content:"CreateFileMoniker"; nocase; content:"System.Runtime.InteropServices.ComTypes"; nocase; content:"IRunningObjectTable"; nocase; content:"GetRunningObjectTable"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0214; classtype:attempted-admin; sid:42759; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows dxgkrnl CreateDriverAllocations null pointer dereference attempt"; flow:to_server,established; file_data; content:"|C7 85 F8 FD FF FF 90 90 90 90 8D 85 14 FE FF FF 89 85 FC FD FF FF C7 85 00 FE FF FF 60 00 00 00 C7 85 08 FE FF FF 00 00 00 00 8B 85 90 FE FF FF 89 85 C0 FD FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0077; classtype:attempted-admin; sid:42758; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows dxgkrnl CreateDriverAllocations null pointer dereference attempt"; flow:to_client,established; file_data; content:"|C7 85 F8 FD FF FF 90 90 90 90 8D 85 14 FE FF FF 89 85 FC FD FF FF C7 85 00 FE FF FF 60 00 00 00 C7 85 08 FE FF FF 00 00 00 00 8B 85 90 FE FF FF 89 85 C0 FD FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0077; classtype:attempted-admin; sid:42757; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows AFD.sys double fetch race condition attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 00 6A 00 6A 00 68 50 10 40 00 6A 00 6A 00 FF 15 04 F0 42 00 8B 35 00 F0 42 00|"; content:"|6A 00 8D 44 24 10 50 6A 14 68 F0 F7 43 00 6A 14 68 F0 F7 43 00 68 03 20 01 00 57 FF D6 EB E1|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0220; classtype:attempted-admin; sid:42752; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows AFD.sys double fetch race condition attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 00 6A 00 6A 00 68 50 10 40 00 6A 00 6A 00 FF 15 04 F0 42 00 8B 35 00 F0 42 00|"; content:"|6A 00 8D 44 24 10 50 6A 14 68 F0 F7 43 00 6A 14 68 F0 F7 43 00 68 03 20 01 00 57 FF D6 EB E1|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0220; classtype:attempted-admin; sid:42751; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt"; flow:to_server,established; file_data; content:"Error"; content:".toString.call"; within:50; fast_pattern; content:"message"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2017-0290; reference:url,technet.microsoft.com/en-us/library/security/4022344.aspx; classtype:attempted-admin; sid:42821; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt"; flow:to_client,established; file_data; content:"Error"; content:".toString.call"; within:50; fast_pattern; content:"message"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0290; reference:url,technet.microsoft.com/en-us/library/security/4022344.aspx; classtype:attempted-admin; sid:42820; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows RRAS MIBEntryGet buffer overflow attempt"; flow:established,to_server; dce_iface:8f09f000-b7ed-11ce-bbd2-00001a181cad; dce_opnum:29; dce_stub_data; content:"|21 00 00 00 10 27 00 00|"; depth:8; isdataat:1300,relative; metadata:service netbios-ssn; reference:url,virustotal.com/en/file/3d11fe89ffa14f267391bc539e6808d600e465955ddb854201a1f31a9ded4052/analysis/; classtype:attempted-user; sid:42865; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB|A0 00 00 00 00|"; depth:9; offset:4; content:"|01 00 00 00 00|"; within:5; distance:59; byte_test:4,>,0x8150,-33,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:42944; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt"; flow:to_server,established; file_data; content:"<%"; content:"Dim"; within:100; nocase; content:"RegExp"; distance:0; nocase; content:".Pattern"; distance:0; fast_pattern; content:"|5C 22|"; within:50; metadata:service smtp; reference:bugtraq,74522; reference:cve,2015-1684; classtype:policy-violation; sid:43818; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:"Dim"; within:100; nocase; content:"RegExp"; distance:0; nocase; content:".Pattern"; distance:0; fast_pattern; content:"|5C 22|"; within:50; metadata:service smtp; reference:bugtraq,74522; reference:cve,2015-1684; classtype:policy-violation; sid:43817; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt"; flow:to_client,established; file_data; content:"<%"; content:"Dim"; within:100; nocase; content:"RegExp"; distance:0; nocase; content:".Pattern"; distance:0; fast_pattern; content:"|5C 22|"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74522; reference:cve,2015-1684; classtype:policy-violation; sid:43816; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"Dim"; within:100; nocase; content:"RegExp"; distance:0; nocase; content:".Pattern"; distance:0; fast_pattern; content:"|5C 22|"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74522; reference:cve,2015-1684; classtype:policy-violation; sid:43815; rev:1;)
# alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft .NET framework mscormmc.dll ASLR bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"mscormmc.dll"; fast_pattern:only; content:"user32.dll"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,77482; reference:cve,2015-6115; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-118; classtype:attempted-user; sid:43792; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft .NET framework mscormmc.dll ASLR bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"mscormmc.dll"; fast_pattern:only; content:"user32.dll"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,77482; reference:cve,2015-6115; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-118; classtype:attempted-user; sid:43791; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Vista contacts gadget code execution attempt"; flow:to_server,established; file_data; content:"BEGIN:VCARD"; nocase; content:"TEL|3B|"; distance:0; nocase; content:"style"; distance:0; nocase; content:"c:expression"; distance:0; fast_pattern; nocase; content:"|0D 0A|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-3032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-048; classtype:attempted-user; sid:43732; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Vista contacts gadget code execution attempt"; flow:to_client,established; file_data; content:"BEGIN:VCARD"; nocase; content:"TEL|3B|"; distance:0; nocase; content:"style"; distance:0; nocase; content:"c:expression"; distance:0; fast_pattern; nocase; content:"|0D 0A|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-048; classtype:attempted-user; sid:43731; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows unsafe memory access privilege escalation attempt"; flow:to_server,established; file_data; content:"|41 B9 01 00 00 00 41 B8 01 00 00 00 33 D2 33 C9 FF 15|"; content:"|41 B9 01 00 00 00 41 B8 01 00 00 00 33 D2 33 C9 FF 15|"; distance:0; content:"|41 B9 01 00 00 00 41 B8 01 00 00 00 33 D2 33 C9 FF 15|"; distance:0; content:"|0A 00 00 00 41 B9 0A 00 00 00 4C 8B C0|"; distance:0; content:"|FF 15|"; within:25; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8577; classtype:attempted-admin; sid:43491; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows unsafe memory access privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|41 B9 01 00 00 00 41 B8 01 00 00 00 33 D2 33 C9 FF 15|"; content:"|41 B9 01 00 00 00 41 B8 01 00 00 00 33 D2 33 C9 FF 15|"; distance:0; content:"|41 B9 01 00 00 00 41 B8 01 00 00 00 33 D2 33 C9 FF 15|"; distance:0; content:"|0A 00 00 00 41 B9 0A 00 00 00 4C 8B C0|"; distance:0; content:"|FF 15|"; within:25; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8577; classtype:attempted-admin; sid:43490; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft win32u PlgBlt out of bounds memory write attempt"; flow:to_server,established; file_data; content:"|C7 84 24 80 00 00 00 8F 19 00 00 C7 84 24 84 00 00 00 5A 7F FD FF C7 84 24 88 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8578; classtype:attempted-admin; sid:43474; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft win32u PlgBlt out of bounds memory write attempt"; flow:to_client,established; file_data; content:"|C7 84 24 80 00 00 00 8F 19 00 00 C7 84 24 84 00 00 00 5A 7F FD FF C7 84 24 88 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8578; classtype:attempted-admin; sid:43473; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"OS-WINDOWS Microsoft Windows MFT denial of service attempt"; flow:to_server,established; content:".bat"; nocase; file_data; content:":|5C|$mft"; fast_pattern:only; metadata:service smtp; reference:bugtraq,98729; reference:url,securityfocus.com/bid/98729/info; classtype:denial-of-service; sid:43387; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MFT denial of service attempt"; flow:to_client,established; flowbits:isset,file.bat; file_data; content:":|5C|$mft"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,98729; reference:url,securityfocus.com/bid/98729/info; classtype:denial-of-service; sid:43386; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MsMpEng custom apicall instruction use detected"; flow:to_client,established; file_data; content:"|0F FF F0 00 00 00 00|"; content:"|FF FF FF FF|"; content:"|33|"; within:30; content:"|D1|"; within:75; content:"|81|"; within:10; content:"|20 83 B8 ED 33|"; within:5; distance:1; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8558; classtype:attempted-admin; sid:43381; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows MsMpEng custom apicall instruction use detected"; flow:to_server,established; file_data; content:"|0F FF F0 00 00 00 00|"; content:"|FF FF FF FF|"; content:"|33|"; within:30; content:"|D1|"; within:75; content:"|81|"; within:10; content:"|20 83 B8 ED 33|"; within:5; distance:1; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8558; classtype:attempted-admin; sid:43380; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"OS-WINDOWS Microsoft Windows MFT denial of service attempt"; flow:to_server,established; file_data; content:"src"; nocase; content:"$mft"; within:45; fast_pattern; nocase; metadata:service smtp; reference:bugtraq,98729; reference:url,securityfocus.com/bid/98729/info; classtype:denial-of-service; sid:43278; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MFT denial of service attempt"; flow:to_client,established; file_data; content:"src"; nocase; content:"$mft"; within:45; fast_pattern; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,98729; reference:url,securityfocus.com/bid/98729/info; classtype:denial-of-service; sid:43277; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"OS-WINDOWS Microsoft Windows MFT denial of service attempt"; flow:to_server,established; file_data; content:"href"; nocase; content:"$mft"; within:45; fast_pattern; nocase; metadata:service smtp; reference:bugtraq,98729; reference:url,securityfocus.com/bid/98729/info; classtype:denial-of-service; sid:43276; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MFT denial of service attempt"; flow:to_client,established; file_data; content:"href"; nocase; content:"$mft"; within:45; fast_pattern; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,98729; reference:url,securityfocus.com/bid/98729/info; classtype:denial-of-service; sid:43275; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt"; flow:to_server,established; file_data; content:"|00 00 00 00 70 00 00 57 00 00 00 00 40 00 00 A0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,24778; reference:cve,2007-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-040; classtype:attempted-dos; sid:43226; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 70 00 00 57 00 00 00 00 40 00 00 A0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,24778; reference:cve,2007-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-040; classtype:attempted-dos; sid:43225; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows Search Service out of bounds memory access attempt"; flow:to_server,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|0B 00|"; within:2; distance:6; content:"|CC 00 00 00 00 00 00 00|"; within:8; distance:106; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,0x700,16,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2017-8543; classtype:attempted-admin; sid:43176; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows Search Service out of bounds memory access attempt"; flow:to_server,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|0B 00|"; within:2; distance:6; content:"|D0 00 00 00 00 00 00 00|"; within:8; distance:106; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,0x700,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2017-8543; classtype:attempted-admin; sid:43175; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 10 RS2 x64 linked cursor double free attempt"; flow:to_server,established; file_data; content:"|6A 58|"; content:"|6A 00|"; within:6; content:"|E8|"; within:1; distance:1; content:"|C7|"; distance:0; content:"|04 00 C7|"; within:4; distance:4; fast_pattern; content:"|00 00 6A|"; within:4; distance:4; content:"|6A 00|"; within:2; distance:1; content:"|6A|"; distance:0; content:"|6A 00|"; within:2; distance:1; content:"|C7|"; distance:0; content:"|00 10 00 00|"; within:6; distance:2; content:"|01 00 00 00|"; within:36; content:"|01 00 00 00|"; within:28; distance:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8465; reference:cve,2017-8466; reference:cve,2017-8468; classtype:attempted-user; sid:43174; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 10 RS2 x64 linked cursor double free attempt"; flow:to_client,established; file_data; content:"|6A 58|"; content:"|6A 00|"; within:6; content:"|E8|"; within:1; distance:1; content:"|C7|"; distance:0; content:"|04 00 C7|"; within:4; distance:4; fast_pattern; content:"|00 00 6A|"; within:4; distance:4; content:"|6A 00|"; within:2; distance:1; content:"|6A|"; distance:0; content:"|6A 00|"; within:2; distance:1; content:"|C7|"; distance:0; content:"|00 10 00 00|"; within:6; distance:2; content:"|01 00 00 00|"; within:36; content:"|01 00 00 00|"; within:28; distance:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8465; reference:cve,2017-8466; reference:cve,2017-8468; classtype:attempted-user; sid:43173; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_server,established; file_data; content:"Begin signature block"; content:"MIIXXAYJKoZIhvcNAQcCoIIXTTCCF0kC"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0215; classtype:attempted-user; sid:43158; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_client,established; file_data; content:"Begin signature block"; content:"MIIXXAYJKoZIhvcNAQcCoIIXTTCCF0kC"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0215; classtype:attempted-user; sid:43157; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt"; flow:to_server,established; file_data; content:".toString = function|28 29|"; fast_pattern:only; content:".valueOf=function|28 29|"; content:"String.prototype.slice.call"; content:"eval|28|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8540; reference:cve,2017-8541; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8540; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8541; classtype:attempted-admin; sid:43057; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt"; flow:to_client,established; file_data; content:".toString = function|28 29|"; fast_pattern:only; content:".valueOf=function|28 29|"; content:"String.prototype.slice.call"; content:"eval|28|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8540; reference:cve,2017-8541; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8540; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8541; classtype:attempted-admin; sid:43056; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows IIS buffer overflow attempt"; flow:to_server,established; content:"SEARCH"; http_method; content:"Content-Type|3A| text/xml"; fast_pattern:only; http_header; pkt_data; isdataat:1000; content:!"<?xml"; nocase; metadata:service http; reference:url,virustotal.com/en/file/2017176d3b5731a188eca1b71c50fb938c19d6260c9ff58c7c9534e317d315f8/analysis/; classtype:attempted-user; sid:43054; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00 00 00 41 00 00 00 00 00 3E 00 03 00 FE FF 09 00 06 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2007-1347; classtype:attempted-user; sid:43966; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00 00 00 41 00 00 00 00 00 3E 00 03 00 FE FF 09 00 06 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-1347; classtype:attempted-user; sid:43965; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt"; flow:to_server,established; file_data; content:"|00 00 00 00 00 00 00 00 00 00 00 00 0E 00 00 00 14 00 00 00 41 00 00 00 41 42 43 44 00 00 01 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15356; reference:cve,2005-2124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-053; classtype:attempted-user; sid:44132; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 00 00 00 00 00 00 00 00 0E 00 00 00 14 00 00 00 41 00 00 00 41 42 43 44 00 00 01 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15356; reference:cve,2005-2124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-053; classtype:attempted-user; sid:44131; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt"; flow:to_client,established; file_data; content:"|D7 CD C6 9A 00 00 00 00 00 00 A1 21 EC 29 EC 09 00 00 00 00 B0 56 01 00 09 00 00 03 0E 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15356; reference:cve,2005-2124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-053; classtype:attempted-user; sid:44130; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt"; flow:to_server,established; file_data; content:"|D7 CD C6 9A 00 00 00 00 00 00 A1 21 EC 29 EC 09 00 00 00 00 B0 56 01 00 09 00 00 03 0E 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15356; reference:cve,2005-2124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-053; classtype:attempted-user; sid:44129; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt"; flow:to_server,established; file_data; content:"iframe"; nocase; content:"#:"; within:50; content:"../../"; within:25; fast_pattern; pcre:"/\<iframe\s+?[^\>]*?src\s*?=\s*?[\x22\x27]?[^\>\x22\x27]*#:/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-007; classtype:attempted-user; sid:44218; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt"; flow:to_client,established; file_data; content:"iframe"; nocase; content:"#:"; within:50; content:"../../"; within:25; fast_pattern; pcre:"/\<iframe\s+?[^\>]*?src\s*?=\s*?[\x22\x27]?[^\>\x22\x27]*#:/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-007; classtype:attempted-user; sid:44217; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt"; flow:to_server,established; file_data; content:"href"; nocase; content:"#:"; within:50; content:"../../"; within:25; fast_pattern; pcre:"/\<a\s+?[^\>]*?href\s*?=\s*?[\x22\x27]?[^\>\x22\x27]*#:/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-007; classtype:attempted-user; sid:44216; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft DirectShow memory corruption attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; content:"AVI"; within:4; distance:4; content:"strf"; distance:0; content:"|28 00 00 00|"; within:4; distance:4; byte_test:4,>,256,28,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0250; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-013; classtype:attempted-user; sid:44306; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft DirectShow memory corruption attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"AVI"; within:4; distance:4; content:"strf"; distance:0; content:"|28 00 00 00|"; within:4; distance:4; byte_test:4,>,256,28,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0250; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-013; classtype:attempted-user; sid:44305; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k.sys TrueType font out of bounds write attempt"; flow:to_server,established; file_data; content:"|04|orn3|04|o|08|altslt2|05|ealt|05|aalt2|05|ealt2|05|h"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8682; classtype:attempted-admin; sid:44336; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k.sys TrueType font out of bounds write attempt"; flow:to_client,established; file_data; content:"|04|orn3|04|o|08|altslt2|05|ealt|05|aalt2|05|ealt2|05|h"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8682; classtype:attempted-admin; sid:44335; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows CreateMenu use after free attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"NtUserThunkedMenuItemInfo"; fast_pattern:only; content:"CreateMenu"; content:"CreatePopupMenu"; content:"InsertMenuItemW"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0056; reference:cve,2017-8689; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:44517; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CreateMenu use after free attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"NtUserThunkedMenuItemInfo"; fast_pattern:only; content:"CreateMenu"; content:"CreatePopupMenu"; content:"InsertMenuItemW"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0056; reference:cve,2017-8689; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:44516; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32kfull.sys privilege escalation attempt"; flow:to_server,established; file_data; content:"|3A D6 FF FF F3 A5 68 A7 19 00 00 6A 00 50 66 A5 E8 DB 17 00 00 A0 6C E6 43 00 83 C4 0C F3 0F 7E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8694; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8694; classtype:attempted-admin; sid:44515; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32kfull.sys privilege escalation attempt"; flow:to_client,established; file_data; content:"|3A D6 FF FF F3 A5 68 A7 19 00 00 6A 00 50 66 A5 E8 DB 17 00 00 A0 6C E6 43 00 83 C4 0C F3 0F 7E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8694; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8694; classtype:attempted-admin; sid:44514; rev:2;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt"; flow:to_client; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 01|"; distance:0; content:"|00 32 00 01|"; within:4; distance:2; byte_jump:1,10,relative; byte_test:1,>,100,0,relative; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-11779; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11779; classtype:attempted-user; sid:44630; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt"; flow:to_client; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 01|"; distance:0; content:"|00 32 00 01|"; within:4; distance:2; byte_test:1,>,100,10,relative; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-11779; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11779; classtype:attempted-user; sid:44629; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt"; flow:to_client; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 01|"; distance:0; content:"|00 32 00 01|"; within:4; distance:2; byte_extract:2,4,rr_size,relative; isdataat:rr_size,relative; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-11779; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11779; classtype:attempted-user; sid:44628; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys use after free attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|49 8B CA B8 DD 12 00 00 0F 05 C3 CC CC CC CC CC 48 89 4C 24 08 48 83 EC 38 48 8D 05 20 FA 06 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11847; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11847; classtype:attempted-user; sid:44834; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys use after free attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|49 8B CA B8 DD 12 00 00 0F 05 C3 CC CC CC CC CC 48 89 4C 24 08 48 83 EC 38 48 8D 05 20 FA 06 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11847; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11847; classtype:attempted-user; sid:44833; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Edge out of bounds write attempt"; flow:to_client,established; file_data; content:"|3C 20 30 78 37 66 66 66 66 66 66 66 3B 29 20 7B 0D 0A 20 20 20 20 20 20 20 20 61 72 72 5B 2B 2B 69 5D 20 3D 20 30 78 31 32 33 34 3B|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11861; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8179; classtype:attempted-admin; sid:44826; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Edge out of bounds write attempt"; flow:to_server,established; file_data; content:"|3C 20 30 78 37 66 66 66 66 66 66 66 3B 29 20 7B 0D 0A 20 20 20 20 20 20 20 20 61 72 72 5B 2B 2B 69 5D 20 3D 20 30 78 31 32 33 34 3B|"; metadata:service smtp; reference:cve,2017-11861; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8179; classtype:attempted-admin; sid:44825; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows RRAS service arbitrary pointer dereference attempt"; flow:to_server,established; content:"|FE|SMB"; content:"|09 00|"; within:2; distance:8; content:"|05 00 00|"; within:3; distance:98; content:"|1E 00 21 00 00 00 10 27 00 00|"; within:10; distance:19; content:"|04 00 00 00|"; within:4; distance:8; byte_test:4,>,35,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2017-11885; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11885; classtype:attempted-user; sid:45131; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows RRAS service arbitrary pointer dereference attempt"; flow:to_server,established; dce_iface:8f09f000-b7ed-11ce-bbd2-00001a181cad; dce_opnum:30; dce_stub_data; content:"|21 00 00 00 10 27 00 00|"; depth:8; content:"|04 00 00 00|"; within:4; distance:8; byte_test:4,>,35,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2017-11885; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11885; classtype:attempted-user; sid:45130; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 url handling code execution attempt"; flow:to_server,established; file_data; content:"|22|.cmd"; nocase; pcre:"/(mailto|telnet|news|nntp|snews|http)\x3A[^\n]*\x25[^\n]*\x22\x2Ecmd/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-061; classtype:attempted-user; sid:45175; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt"; flow:to_server,established; file_data; content:"|C7 45 DF 09 A8 A1 7C C7 45 E3 09 D8 A1 40 C7 45 E7 09 B1 95 8D C7 45 EB C0 A1 30 C0 C7 45 EF A1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0842; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0842; classtype:attempted-user; sid:45657; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt"; flow:to_client,established; file_data; content:"|C7 45 DF 09 A8 A1 7C C7 45 E3 09 D8 A1 40 C7 45 E7 09 B1 95 8D C7 45 EB C0 A1 30 C0 C7 45 EF A1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0842; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0842; classtype:attempted-user; sid:45656; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt"; flow:to_server,established; file_data; content:"|03 45 E8 8B 08 89 4D D0 8B 45 D0 8B 4D DC 8D 54 01 33 89 55 C4 8B F4 8D 45 F4 50 6A 04 68 00 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0742; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0742; classtype:attempted-user; sid:45650; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt"; flow:to_client,established; file_data; content:"|03 45 E8 8B 08 89 4D D0 8B 45 D0 8B 4D DC 8D 54 01 33 89 55 C4 8B F4 8D 45 F4 50 6A 04 68 00 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0742; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0742; classtype:attempted-user; sid:45649; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"win32u.dll"; fast_pattern:only; content:"NtUserInitializePointerDeviceInjection"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0756; reference:cve,2019-0814; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0756; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0814; classtype:attempted-admin; sid:45635; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"win32u.dll"; fast_pattern:only; content:"|73 03 00 00 00 00 00 80|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0756; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0756; classtype:attempted-admin; sid:45634; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"win32u.dll"; fast_pattern:only; content:"|73 03 00 00 00 00 00 80|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0756; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0756; classtype:attempted-admin; sid:45633; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"win32u.dll"; fast_pattern:only; content:"NtUserInitializePointerDeviceInjection"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0756; reference:cve,2019-0814; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0756; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0814; classtype:attempted-admin; sid:45632; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.lnk; file_data; content:"|4C 20 20 20 01 14 02 20 20 20 20 20 C0 20 20 20 20 20 20 46 81 20 08 20|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0825; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0825; classtype:attempted-user; sid:45625; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.lnk; file_data; content:"|4C 20 20 20 01 14 02 20 20 20 20 20 C0 20 20 20 20 20 20 46 81 20 08 20|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0825; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0825; classtype:attempted-user; sid:45624; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 8B 45 08 8D 55 0C CD 2E 5D C3|"; fast_pattern:only; content:"|6A 00 6A 00 6A 00 68|"; content:"|68 00 01 00 00 6A 01 68|"; within:8; distance:4; content:"|00 00|"; within:2; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0832; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0832; classtype:attempted-recon; sid:45808; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 8B 45 08 8D 55 0C CD 2E 5D C3|"; fast_pattern:only; content:"|6A 00 6A 00 6A 00 68|"; content:"|68 00 01 00 00 6A 01 68|"; within:8; distance:4; content:"|00 00|"; within:2; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0832; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0832; classtype:attempted-recon; sid:45807; rev:1;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMBv3 null pointer dereference attempt"; flow:to_client,established; content:"|FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-0833; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0833; classtype:denial-of-service; sid:45854; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt"; flow:to_server,established; file_data; content:"USERPROFILE|5C|appdata|5C|local|5C|Packages|5C|Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0880; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0880; classtype:attempted-admin; sid:45903; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt"; flow:to_client,established; file_data; content:"USERPROFILE|5C|appdata|5C|local|5C|Packages|5C|Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0880; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0880; classtype:attempted-admin; sid:45902; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|72 2E 01 00 70 72 60 01 00 70 1F 24 28 20 00 00 0A 72 6A 01 00 70 28 21 00 00 0A 1F 10 28 22 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0882; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0882; classtype:attempted-admin; sid:45901; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|72 2E 01 00 70 72 60 01 00 70 1F 24 28 20 00 00 0A 72 6A 01 00 70 28 21 00 00 0A 1F 10 28 22 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0882; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0882; classtype:attempted-admin; sid:45900; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt"; flow:to_client,established; file_data; content:"|8B CF 44 8D 4A 12 FF 15 57 AF 00 00 48 8B CB 48 8B 5C 24 70 48 83 C4 60 5F 48 FF 25 33 AF 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0817; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0817; classtype:attempted-admin; sid:45882; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt"; flow:to_server,established; file_data; content:"|8B CF 44 8D 4A 12 FF 15 57 AF 00 00 48 8B CB 48 8B 5C 24 70 48 83 C4 60 5F 48 FF 25 33 AF 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0817; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0817; classtype:attempted-admin; sid:45881; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt"; flow:to_server,established; file_data; content:"|2B 6F 2F 00 00 0A 72 56 01 00 70 06 28 02 00 00 2B 72 6C 01 00 70 1F 25 28 20 00 00 0A 72 82 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0877; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0877; classtype:attempted-admin; sid:45874; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt"; flow:to_client,established; file_data; content:"|2B 6F 2F 00 00 0A 72 56 01 00 70 06 28 02 00 00 2B 72 6C 01 00 70 1F 25 28 20 00 00 0A 72 82 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0877; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0877; classtype:attempted-admin; sid:45873; rev:1;)
alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt"; flow:to_client,established; content:"|FF|SMB|A0|"; depth:5; offset:4; isdataat:111; content:"|FA FF FF|"; within:3; distance:108; content:"|FA FF FF|"; distance:0; byte_extract:4,28,ids; byte_test:4,=,ids,242,relative; byte_extract:2,0,uid,relative; byte_test:2,=,uid,240,relative; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0143; reference:cve,2017-0146; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:45978; rev:1;)
alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt"; flow:to_client,established; content:"|FF|SMB|A0|"; depth:5; offset:4; isdataat:127; content:"|FF FF FF FF|"; within:4; distance:123; byte_extract:4,28,ids; byte_test:4,=,ids,174,relative; byte_extract:2,0,uid,relative; byte_test:2,=,uid,172,relative; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0143; reference:cve,2017-0146; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:45977; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt"; flow:to_client,established; file_data; content:"|1E 00 00 00 FF FF 00 01 00 00 00 01 6B 65 72 6E 00 08 00 00 00 01 00 00 00 01 00 04 00 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1012; reference:url,portal.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1012; classtype:attempted-admin; sid:46231; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt"; flow:to_server,established; file_data; content:"|1E 00 00 00 FF FF 00 01 00 00 00 01 6B 65 72 6E 00 08 00 00 00 01 00 00 00 01 00 04 00 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1012; reference:url,portal.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1012; classtype:attempted-admin; sid:46230; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|02 D8 00 22 02 2A 00 00 03 29 A5 00 77 25 00 00 04 C1 00 00 03 37 37 37 37 3A 00 00 02 DC 00 26 03 33 00 44|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1015; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1015; classtype:attempted-user; sid:46215; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|02 D8 00 22 02 2A 00 00 03 29 A5 00 77 25 00 00 04 C1 00 00 03 37 37 37 37 3A 00 00 02 DC 00 26 03 33 00 44|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1015; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1015; classtype:attempted-user; sid:46214; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|03 66 03 71 03 7D 03 85 17 6F DD 0B D1 66 1D 5B 9A 57 E1 CC 03 CB 03 D5 03 DF 03 E8 03 F4 03 FE 00 04 00 61|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1010; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1010; classtype:attempted-user; sid:46201; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|03 66 03 71 03 7D 03 85 17 6F DD 0B D1 66 1D 5B 9A 57 E1 CC 03 CB 03 D5 03 DF 03 E8 03 F4 03 FE 00 04 00 61|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1010; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1010; classtype:attempted-user; sid:46200; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Total Meltdown side-channel information leak attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 D0 BE 7D FB F6 FF FF|"; content:"|00 00 A0 7D FB F6 FF FF|"; content:"|00 00 00 40 FB F6 FF FF|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1038; reference:url,blog.xpnsec.com/total-meltdown-cve-2018-1038/; classtype:attempted-admin; sid:46432; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Total Meltdown side-channel information leak attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 D0 BE 7D FB F6 FF FF|"; content:"|00 00 60 82 04 09 00 00|"; content:"|00 00 00 40 FB F6 FF FF|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1038; reference:url,blog.xpnsec.com/total-meltdown-cve-2018-1038/; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038; classtype:attempted-admin; sid:46431; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Total Meltdown side-channel information leak attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 D0 BE 7D FB F6 FF FF|"; content:"|00 00 A0 7D FB F6 FF FF|"; content:"|00 00 00 40 FB F6 FF FF|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1038; reference:url,blog.xpnsec.com/total-meltdown-cve-2018-1038/; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038; classtype:attempted-admin; sid:46430; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Total Meltdown side-channel information leak attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 D0 BE 7D FB F6 FF FF|"; content:"|00 00 60 82 04 09 00 00|"; content:"|00 00 00 40 FB F6 FF FF|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1038; reference:url,blog.xpnsec.com/total-meltdown-cve-2018-1038/; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038; classtype:attempted-admin; sid:46429; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows XXE information disclosure attempt"; flow:to_server,established; file_data; content:"<!ENTITY % file SYSTEM |22|C:"; nocase; content:"<!ENTITY % dtd SYSTEM |22|http://"; within:150; nocase; content:"%dtd|3B|]"; within:150; nocase; metadata:service smtp; reference:cve,2017-8710; classtype:attempted-admin; sid:46420; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows XXE information disclosure attempt"; flow:to_client,established; file_data; content:"<!ENTITY % file SYSTEM |22|C:Windows"; nocase; content:"<!ENTITY % dtd SYSTEM |22|http://"; within:150; nocase; content:"%dtd|3B|]"; within:150; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-8710; classtype:attempted-admin; sid:46419; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-WINDOWS Attempted DNS overflow"; flow:to_server; content:"|81 A0|"; depth:2; offset:2; content:"|00 32 00 01 00 00 0E 0F|"; distance:0; byte_extract:2,0,rr_size,relative; content:"|01 00 00 05|"; within:4; isdataat:!rr_size,relative; reference:cve,2017-11779; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11779; classtype:denial-of-service; sid:46409; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt"; flow:to_server,established; file_data; content:"|EB 52 90|NTFS"; depth:7; content:"|66 83 3E 3A 02 00 0F 84 30 FD 66 8B 1E 3A 02 1E 07 66 8B 3E 4A 02 66 A1 2E 02 E8 ED 01 E8 2C 0D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:denial-of-service; sid:46467; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt"; flow:to_client,established; file_data; content:"|EB 52 90|NTFS"; depth:7; content:"|66 83 3E 3A 02 00 0F 84 30 FD 66 8B 1E 3A 02 1E 07 66 8B 3E 4A 02 66 A1 2E 02 E8 ED 01 E8 2C 0D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:denial-of-service; sid:46466; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 30|"; content:"|00 1C 00 20 00 04 00 18|"; within:8; distance:2; content:"|FF FF FF FF|"; within:500; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,93377; reference:cve,2016-3393; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2016-3393; classtype:attempted-admin; sid:46504; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 30|"; content:"|00 1C 00 20 00 04 00 18|"; within:8; distance:2; content:"|FF FF FF FF|"; within:500; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,93377; reference:cve,2016-3393; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2016-3393; classtype:attempted-admin; sid:46503; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|68|"; content:"|00 00|"; within:2; distance:2; content:"|68 32 68 07 80|"; within:50; content:"|81|"; within:15; content:"|00 00|"; within:2; distance:3; content:"|83|"; within:15; content:"|01 75|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8167; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8167; classtype:attempted-admin; sid:46604; rev:1;)
alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|68|"; content:"|00 00|"; within:2; distance:2; content:"|68 32 68 07 80|"; within:50; content:"|81|"; within:15; content:"|00 00|"; within:2; distance:3; content:"|83|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8167; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8167; classtype:attempted-admin; sid:46603; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS dxgkrnl.sys privilege escalation attempt"; flow:to_server,established; file_data; content:"|C7 85 D0 06 00 00 FF FF FF FF 48 8D 85 10 01 00 00 48 89 85 08 07 00 00 48 8B 8D 08 07 00 00 E8 62 C8 FF FF 33 C0 8B F8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8165; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8165; classtype:attempted-admin; sid:46597; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS dxgkrnl.sys privilege escalation attempt"; flow:to_client,established; file_data; content:"|C7 85 D0 06 00 00 FF FF FF FF 48 8D 85 10 01 00 00 48 89 85 08 07 00 00 48 8B 8D 08 07 00 00 E8 62 C8 FF FF 33 C0 8B F8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8165; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8165; classtype:attempted-admin; sid:46596; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Win32k privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|66 A1 24 FD 40 00 F3 0F 6F 05 14 FD 40 00 83 4D B4 20 66 89 45 F0 8D 45 E0 89 45 D8 8D 45 B0 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8166; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8166; classtype:attempted-admin; sid:46565; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Win32k privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|66 A1 24 FD 40 00 F3 0F 6F 05 14 FD 40 00 83 4D B4 20 66 89 45 F0 8D 45 E0 89 45 D8 8D 45 B0 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8166; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8166; classtype:attempted-admin; sid:46564; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Win32k privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|41 B9 00 00 00 80 48 89 44 24 48 33 C9 48 89 44 24 40 C7 44 24 38 34 02 00 00 C7 44 24 30 23 01 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8164; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8164; classtype:attempted-admin; sid:46563; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Win32k privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|41 B9 00 00 00 80 48 89 44 24 48 33 C9 48 89 44 24 40 C7 44 24 38 34 02 00 00 C7 44 24 30 23 01 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8164; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8164; classtype:attempted-admin; sid:46562; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt"; flow:to_server,established; file_data; content:"|BA 00 03 FE 7F FF 12 C2 04 00|"; fast_pattern:only; content:"|26 12 00 00|"; content:"|50 01 00 00|"; within:4; distance:6; content:"|B8 00 00 00|"; within:4; distance:6; content:"|6C 01 00 00|"; within:4; distance:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8120; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8120; classtype:attempted-admin; sid:46547; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt"; flow:to_client,established; file_data; content:"|BA 00 03 FE 7F FF 12 C2 04 00|"; fast_pattern:only; content:"|26 12 00 00|"; content:"|50 01 00 00|"; within:4; distance:6; content:"|B8 00 00 00|"; within:4; distance:6; content:"|6C 01 00 00|"; within:4; distance:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8120; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8120; classtype:attempted-admin; sid:46546; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt"; flow:to_server,established; file_data; content:"|81 FA CD AB 00 00 75 40 48 8B 05 EA D1 03 00 45 33 C9 48 8B 0D B0 D1 03 00 45 33 C0 48 C7 44 24 28 00 00 00 00 33 D2 48 89 44 24 20 FF 15 F7 49 02 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8124; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8124; classtype:attempted-admin; sid:46539; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt"; flow:to_client,established; file_data; content:"|81 FA CD AB 00 00 75 40 48 8B 05 EA D1 03 00 45 33 C9 48 8B 0D B0 D1 03 00 45 33 C0 48 C7 44 24 28 00 00 00 00 33 D2 48 89 44 24 20 FF 15 F7 49 02 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8124; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8124; classtype:attempted-admin; sid:46538; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|E6 3E 3F 2B 3F 66 FB F2 D9 97 45 BA BF F8 6C FB 00 C9 1F F7 5F FE 2F 36 77 97 F8 39 5D FD 9B E9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8120; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8120; classtype:attempted-admin; sid:46755; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|E6 3E 3F 2B 3F 66 FB F2 D9 97 45 BA BF F8 6C FB 00 C9 1F F7 5F FE 2F 36 77 97 F8 39 5D FD 9B E9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8120; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8120; classtype:attempted-admin; sid:46754; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Malicious vbscript download attempt"; flow:to_client,established; file_data; content:"Function Base64Decode(ByVal base64String)"; fast_pattern:only; nocase; content:"execute("; nocase; content:"Base64Decode("; within:50; nocase; isdataat:300; content:!"|0D|"; within:300; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46794; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Malicious zip download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; content:"exe.png"; within:7; distance:42; nocase; content:"PK|01 02|"; content:"pp.png"; within:6; distance:42; nocase; content:"PK|01 02|"; content:"ex.png"; within:6; distance:42; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46793; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows kernel privilege escalation attempt"; flow:to_server,established; file_data; content:"|49 C7 C0 00 00 00 00 48 C7 C2 03 00 00 00 48 8D 0D B6 89 01 00 48 83 EC 20 E8 A5 FE FF FF 48 83 C4 20 48 85 C0 74 03 8E 10|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8897; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897; classtype:attempted-admin; sid:46835; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows kernel privilege escalation attempt"; flow:to_client,established; file_data; content:"|49 C7 C0 00 00 00 00 48 C7 C2 03 00 00 00 48 8D 0D B6 89 01 00 48 83 EC 20 E8 A5 FE FF FF 48 83 C4 20 48 85 C0 74 03 8E 10|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8897; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897; classtype:attempted-admin; sid:46834; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ROP gadget locate attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|83 F8 0F|"; content:"|83 F8 22|"; within:50; content:"|3D E1 00|"; within:50; content:"|3D C3 00|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8897; classtype:attempted-admin; sid:46833; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ROP gadget locate attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|83 F8 0F|"; content:"|83 F8 22|"; within:50; content:"|3D E1 00|"; within:50; content:"|3D C3 00|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8897; classtype:attempted-admin; sid:46832; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows kernel privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|33 C0 66 8C D0|"; fast_pattern:only; content:"|8E 12 CC|"; content:"|F3 48 0F AE|"; content:"|F3 48 0F AE|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8897; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897; classtype:attempted-admin; sid:46831; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows kernel privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|33 C0 66 8C D0|"; fast_pattern:only; content:"|8E 12 CC|"; content:"|F3 48 0F AE|"; content:"|F3 48 0F AE|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8897; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897; classtype:attempted-admin; sid:46830; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|48 89 45 3F 48 8D 45 EF 48 89 45 27 C7 45 EF 09 A8 A1 7C C7 45 F3 A9 01 09 D8 C7 45 F7 09 D9 A9 00 C7 45 FB|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8169; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8169; classtype:attempted-admin; sid:46958; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|48 89 45 3F 48 8D 45 EF 48 89 45 27 C7 45 EF 09 A8 A1 7C C7 45 F3 A9 01 09 D8 C7 45 F7 09 D9 A9 00 C7 45 FB|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-8169; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8169; classtype:attempted-admin; sid:46957; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Windows 10 access control privilege escalation attempt"; flow:to_server,established; file_data; content:"|48 8D 15 EE 52 01 00 48 C7 44 24 30 00 00 00 00 48 8D 4C 24 20 C6 44 24 20 00 E8 8E 01 00 00 48|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1036; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1036; classtype:attempted-admin; sid:46956; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Windows 10 access control privilege escalation attempt"; flow:to_client,established; file_data; content:"|48 8D 15 EE 52 01 00 48 C7 44 24 30 00 00 00 00 48 8D 4C 24 20 C6 44 24 20 00 E8 8E 01 00 00 48|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1036; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1036; classtype:attempted-admin; sid:46955; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|09 20 00 00 00 02 16 28 15 00 00 0A 13 04 12 04 28 16 00 00 0A 2C E9 72 47 01 00 70 28 19 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8208; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8208; classtype:attempted-admin; sid:46954; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|09 20 00 00 00 02 16 28 15 00 00 0A 13 04 12 04 28 16 00 00 0A 2C E9 72 47 01 00 70 28 19 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8208; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8208; classtype:attempted-admin; sid:46953; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Win32k privilege escalation attempt"; flow:to_server,established; file_data; content:"|65 48 8B 04 25 30 00 00 00 48 C7 80 60 08 00 00 00 FF FF FF 45 33 C9 48 8D 4C 24 20 45 33 C0 33|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8233; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8233; classtype:attempted-admin; sid:46939; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Win32k privilege escalation attempt"; flow:to_client,established; file_data; content:"|65 48 8B 04 25 30 00 00 00 48 C7 80 60 08 00 00 00 FF FF FF 45 33 C9 48 8D 4C 24 20 45 33 C0 33|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8233; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8233; classtype:attempted-admin; sid:46938; rev:1;)
alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DNSAPI remote code execution attempt"; flow:to_client,established; isdataat:300; content:"|00 0A 00 01 00 00|"; byte_test:2,>,255,2,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2018-8225; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8225; classtype:attempted-admin; sid:46935; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Windows Desktop Bridge privilege escalation attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; file_data; content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|O|00|f|00|f|00|i|00|c|00|e|00|H|00|u|00|b|00|_|00|8|00|w|00|e|00|k|00|y|00|b|00|3|00|d|00|8|00|b|00|b|00|w|00|e|00|"; fast_pattern:only; content:"NtApiDotNet"; content:"NtSymbolicLink"; content:".|00|d|00|a|00|t|00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8214; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8214; classtype:attempted-admin; sid:46962; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Windows Desktop Bridge privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|O|00|f|00|f|00|i|00|c|00|e|00|H|00|u|00|b|00|_|00|8|00|w|00|e|00|k|00|y|00|b|00|3|00|d|00|8|00|b|00|b|00|w|00|e|00|"; fast_pattern:only; content:"NtApiDotNet"; content:"NtSymbolicLink"; content:".|00|d|00|a|00|t|00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8214; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8214; classtype:attempted-admin; sid:46961; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|45 33 C9 41 B8 04 00 00 00 33 D2|"; content:"|45 33 C9 45 33 C0 BA 1F 00 0F 00|"; within:100; content:"|C6 40|"; distance:0; content:"|2E|"; within:1; distance:1; content:"|C6 40|"; within:35; content:"|6C|"; within:1; distance:1; content:"|C6 40|"; within:35; content:"|6E|"; within:1; distance:1; content:"|C6 40|"; within:35; content:"|6B|"; within:1; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8468; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8468; classtype:attempted-admin; sid:48129; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|45 33 C9 41 B8 04 00 00 00 33 D2|"; content:"|45 33 C9 45 33 C0 BA 1F 00 0F 00|"; within:100; content:"|C6 40|"; distance:0; content:"|2E|"; within:1; distance:1; content:"|C6 40|"; within:35; content:"|6C|"; within:1; distance:1; content:"|C6 40|"; within:35; content:"|6E|"; within:1; distance:1; content:"|C6 40|"; within:35; content:"|6B|"; within:1; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8468; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8468; classtype:attempted-admin; sid:48128; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt"; flow:to_server,established; file_data; content:"|65|"; content:"|25 30 00 00 00 48|"; within:6; distance:3; content:"|60 48|"; within:2; distance:2; content:"|58 48|"; within:2; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8453; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8453; classtype:attempted-user; sid:48073; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt"; flow:to_client,established; file_data; content:"|65|"; content:"|25 30 00 00 00 48|"; within:6; distance:3; content:"|60 48|"; within:2; distance:2; content:"|58 48|"; within:2; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8453; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8453; classtype:attempted-user; sid:48072; rev:1;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt"; flow:to_client,established; content:"|FE|SMB"; content:"|00 00 00 00 0E 00|"; within:6; distance:4; content:"|09 00 48 00|"; within:4; distance:50; byte_test:4,>,0x100000,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-8333; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8333; classtype:denial-of-service; sid:48056; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt"; flow:to_server,established; file_data; content:"|C7 45 F0 00 93 00 00 C7 45 F4 00 92 00 00 C7 45 F8 00 91 00 00 83 3D E0 B3 41 00 00 74 65 6A 00 8D 8D 9C FE FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8486; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8486; classtype:attempted-admin; sid:48048; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows dxgkrnl.sys kernel memory information leak attempt"; flow:to_client,established; file_data; content:"|C7 45 F0 00 93 00 00 C7 45 F4 00 92 00 00 C7 45 F8 00 91 00 00 83 3D E0 B3 41 00 00 74 65 6A 00 8D 8D 9C FE FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8486; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8486; classtype:attempted-admin; sid:48047; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows SystemCollector privilege escalation attempt"; flow:to_server,established; file_data; content:"|72 DE 04 00 70 11 12 16 9A 28 1B 00 00 0A 72 EE 04 00 70 14 28 30 00 00 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0952; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0952; classtype:attempted-admin; sid:47851; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SystemCollector privilege escalation attempt"; flow:to_client,established; file_data; content:"|72 DE 04 00 70 11 12 16 9A 28 1B 00 00 0A 72 EE 04 00 70 14 28 30 00 00 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0952; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0952; classtype:attempted-admin; sid:47850; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows predefined registry keys double free attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00 20 00|N|00|T|00 5C 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5C 00|P|00|e|00|r|00|f|00|l|00|i|00|b|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8410; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8410; classtype:attempted-user; sid:47746; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows predefined registry keys double free attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00 20 00|N|00|T|00 5C 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5C 00|P|00|e|00|r|00|f|00|l|00|i|00|b|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8410; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8410; classtype:attempted-user; sid:47745; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Device Guard bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"$|00|C|00|I|00|.|00|C|00|A|00|T|00|A|00|L|00|O|00|G|00|H|00|I|00|N|00|T"; fast_pattern:only; content:"EaBufferEntry"; content:"SetEa"; content:"SetProcessMitigationPolicy"; content:"CreateImageSection"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8449; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8449; classtype:attempted-user; sid:47741; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Device Guard bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"$|00|C|00|I|00|.|00|C|00|A|00|T|00|A|00|L|00|O|00|G|00|H|00|I|00|N|00|T"; fast_pattern:only; content:"EaBufferEntry"; content:"SetEa"; content:"SetProcessMitigationPolicy"; content:"CreateImageSection"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8449; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8449; classtype:attempted-user; sid:47740; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows kernel information disclosure attempt"; flow:to_server,established; file_data; content:"|F3 AA C7 84 24 B0 01 00 00 17 00 00 00 C7 84 24 B4 01 00 00 43 68 75 6B C7 84 24 B8 01 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8442; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8442; classtype:attempted-user; sid:47718; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows kernel information disclosure attempt"; flow:to_client,established; file_data; content:"|F3 AA C7 84 24 B0 01 00 00 17 00 00 00 C7 84 24 B4 01 00 00 43 68 75 6B C7 84 24 B8 01 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8442; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8442; classtype:attempted-user; sid:47717; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt"; flow:to_server,established; file_data; content:"|48 8D 35 7C 51 01 00 4C 8B CB 48 8D 3D 92 52 01 00 48 89 74 24 28 48 8D 0D B6 5F 01 00 48 89 7C 24 20 41 8D 50 03 FF 15 BF DF 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8440; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8440; reference:url,www.kb.cert.org/vuls/id/906424; classtype:attempted-admin; sid:47703; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt"; flow:to_client,established; file_data; content:"|48 8D 35 7C 51 01 00 4C 8B CB 48 8D 3D 92 52 01 00 48 89 74 24 28 48 8D 0D B6 5F 01 00 48 89 7C 24 20 41 8D 50 03 FF 15 BF DF 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8440; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8440; reference:url,www.kb.cert.org/vuls/id/906424; classtype:attempted-admin; sid:47702; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows D3D memory corruption attempt"; flow:to_server,established; file_data; content:"|48 B8 21 43 65 87 78 56 34 12 C7 85 7C 06 00 00 AA AA AA AA 48 89 85 70 06 00 00 48 8D BD F0 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8401; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8401; classtype:attempted-user; sid:47518; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows D3D memory corruption attempt"; flow:to_client,established; file_data; content:"|48 B8 21 43 65 87 78 56 34 12 C7 85 7C 06 00 00 AA AA AA AA 48 89 85 70 06 00 00 48 8D BD F0 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8401; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8401; classtype:attempted-user; sid:47517; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows D3D memory corruption attempt"; flow:to_server,established; file_data; content:"|89 7D 60 E8 DE 0D 00 00 83 8D 80 00 00 00 04 44 8D 43 5F 33 D2 48 C7 45 78 60 00 00 00 48 8D 8D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8405; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8405; classtype:attempted-user; sid:47516; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows D3D memory corruption attempt"; flow:to_client,established; file_data; content:"|89 7D 60 E8 DE 0D 00 00 83 8D 80 00 00 00 04 44 8D 43 5F 33 D2 48 C7 45 78 60 00 00 00 48 8D 8D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8405; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8405; classtype:attempted-user; sid:47515; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows D3D memory corruption attempt"; flow:to_server,established; file_data; content:"|10 01 00 00 48 B8 89 67 45 23 01 00 00 00 C7 85 1C 01 00 00 10 00 00 00 C7 85 14 01 00 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8406; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8406; classtype:attempted-user; sid:47513; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows D3D memory corruption attempt"; flow:to_client,established; file_data; content:"|10 01 00 00 48 B8 89 67 45 23 01 00 00 00 C7 85 1C 01 00 00 10 00 00 00 C7 85 14 01 00 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8406; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8406; classtype:attempted-user; sid:47512; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows xxxNextWindow NULL pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|B2 B8 B1 12 FF 15|"; content:"|B2 AA B1 10 FF 15|"; within:30; content:"|B2 8F B1 1B FF 15|"; within:30; content:"|B2 8F B1 1B FF 15|"; within:30; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8282; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8282; classtype:attempted-admin; sid:47097; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows xxxNextWindow NULL pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|B2 B8 B1 12 FF 15|"; content:"|B2 AA B1 10 FF 15|"; within:30; content:"|B2 8F B1 1B FF 15|"; within:30; content:"|B2 8F B1 1B FF 15|"; within:30; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8282; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8282; classtype:attempted-admin; sid:47096; rev:1;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt"; flow:to_client,established; content:"|FE|SMB"; content:"|00 00 00 00 0E 00|"; within:6; distance:4; content:"|01 00 00 00|"; within:4; distance:2; content:!"|00 00 00 00|"; within:4; content:"|09 00 48 00|"; within:4; distance:44; byte_jump:4,0,relative,little; isdataat:12,relative; content:!"|FE|SMB"; within:12; metadata:service netbios-ssn; reference:cve,2018-8333; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8333; classtype:denial-of-service; sid:48205; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"b|00|f|00|4|00|d|00|c|00|9|00|1|00|2|00|-|00|e|00|5|00|2|00|f|00|-|00|4|00|9|00|0|00|4|00|-|00|8|00|e|00|b|00|e|00|-|00|9|00|3|00|1|00|7|00|c|00|1|00|b|00|d|00|d|00|4|00|9|00|7|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8584; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8584; classtype:attempted-admin; sid:48238; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"b|00|f|00|4|00|d|00|c|00|9|00|1|00|2|00|-|00|e|00|5|00|2|00|f|00|-|00|4|00|9|00|0|00|4|00|-|00|8|00|e|00|b|00|e|00|-|00|9|00|3|00|1|00|7|00|c|00|1|00|b|00|d|00|d|00|4|00|9|00|7|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8584; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8584; classtype:attempted-admin; sid:48237; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|00 04 00 00|"; content:"|68 7E 66 04 80|"; within:5; distance:27; content:"|FF 15|"; within:2; distance:33; content:"|E8|"; within:1; distance:4; content:"|E8|"; within:1; distance:4; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8408; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8408; classtype:attempted-admin; sid:48410; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|00 04 00 00|"; content:"|68 7E 66 04 80|"; within:5; distance:27; content:"|FF 15|"; within:2; distance:33; content:"|E8|"; within:1; distance:4; content:"|E8|"; within:1; distance:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8408; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8408; classtype:attempted-admin; sid:48409; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt"; flow:to_server,established; file_data; content:"/E:|7B|16d51579-a30b-4c8b-a276-0ff4dc41e755|7D|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8417; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8417; classtype:attempted-user; sid:48399; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt"; flow:to_client,established; file_data; content:"/E:|7B|16d51579-a30b-4c8b-a276-0ff4dc41e755|7D|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8417; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8417; classtype:attempted-user; sid:48398; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k information disclosure attempt"; flow:to_server,established; file_data; content:"|45 03 CF C7 44 24 30 15 00 00 00 45 03 C6 83 64 24 28 00 48 8B CE 83 64 24 20 00 FF 15 9F 4C 1A 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8565; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8565; classtype:attempted-recon; sid:48394; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k information disclosure attempt"; flow:to_client,established; file_data; content:"|45 03 CF C7 44 24 30 15 00 00 00 45 03 C6 83 64 24 28 00 48 8B CE 83 64 24 20 00 FF 15 9F 4C 1A 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8565; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8565; classtype:attempted-recon; sid:48393; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"NtDxgkGetProcessList"; fast_pattern:only; content:"w|00|i|00|n|00|3|00|2|00|u|00|.|00|d|00|l|00|l|00|"; nocase; content:"S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|m|00|d|00|.|00|e|00|x|00|e|00|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8554; reference:url,url; classtype:attempted-admin; sid:48367; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"NtDxgkGetProcessList"; fast_pattern:only; content:"w|00|i|00|n|00|3|00|2|00|u|00|.|00|d|00|l|00|l|00|"; nocase; content:"S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|m|00|d|00|.|00|e|00|x|00|e|00|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8554; reference:url,reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8554; classtype:attempted-admin; sid:48366; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt"; flow:to_server,established; file_data; content:"|FF 75 14 E8 42 4A 00 00 83 C4 0C 6A 02 56 8B 35 04 C0 40 00 FF D6 6A FF 57 FF D6 6A 00 57 FF 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8589; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8589; classtype:attempted-user; sid:48365; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt"; flow:to_client,established; file_data; content:"|FF 75 14 E8 42 4A 00 00 83 C4 0C 6A 02 56 8B 35 04 C0 40 00 FF D6 6A FF 57 FF D6 6A 00 57 FF 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8589; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8589; classtype:attempted-user; sid:48364; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt"; flow:to_server,established; file_data; content:"|C7 84 24 78 1E 00 00 18 5E 98 65 C7 84 24 7C 1E 00 00 9D 7A 87 2B C7 84 24 80 1E 00 00 82 E5 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8562; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8562; classtype:attempted-user; sid:48363; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt"; flow:to_client,established; file_data; content:"|C7 84 24 78 1E 00 00 18 5E 98 65 C7 84 24 7C 1E 00 00 9D 7A 87 2B C7 84 24 80 1E 00 00 82 E5 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8562; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8562; classtype:attempted-user; sid:48362; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt"; flow:to_server,established; file_data; content:"|48 B8 00 00 00 00 F7 7F 00 00 48 C7 44 24 40 04 04 00 00 48 C7 44 24 38 68 00 00 00 48 89 44 24 30 48 89 7C 24 28 48 89 5C 24 20|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8639; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8639; classtype:attempted-user; sid:48607; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt"; flow:to_client,established; file_data; content:"|48 B8 00 00 00 00 F7 7F 00 00 48 C7 44 24 40 04 04 00 00 48 C7 44 24 38 68 00 00 00 48 89 44 24 30 48 89 7C 24 28 48 89 5C 24 20|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8639; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8639; classtype:attempted-user; sid:48606; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Edge session boundary violation attempt"; flow:to_server,established; file_data; content:"|48 8D 0D 52 03 02 00 48 89 4D C7 89 45 CF 0F 57 C0 F3 0F 7F 45 D7 48 8D 15 44 24 02 00 48 8D 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0566; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0566; classtype:attempted-user; sid:48810; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Edge session boundary violation attempt"; flow:to_client,established; file_data; content:"|48 8D 0D 52 03 02 00 48 89 4D C7 89 45 CF 0F 57 C0 F3 0F 7F 45 D7 48 8D 15 44 24 02 00 48 8D 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0566; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0566; classtype:attempted-user; sid:48809; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"9|00|6|00|7|00|8|00|f|00|4|00|7|00|f|00|-|00|2|00|4|00|3|00|5|00|-|00|4|00|7|00|5|00|c|00|-|00|b|00|2|00|4|00|a|00|-|00|4|00|6|00|0|00|6|00|f|00|8|00|1|00|6|00|1|00|c|00|1|00|6|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0543; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0543; classtype:attempted-admin; sid:48808; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"9|00|6|00|7|00|8|00|f|00|4|00|7|00|f|00|-|00|2|00|4|00|3|00|5|00|-|00|4|00|7|00|5|00|c|00|-|00|b|00|2|00|4|00|a|00|-|00|4|00|6|00|0|00|6|00|f|00|8|00|1|00|6|00|1|00|c|00|1|00|6|00|"; fast_pattern:only; content:"AcquireCredentialsHandle"; content:"NtApiDotNet"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0543; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0543; classtype:attempted-admin; sid:48807; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows arbitrary file read attempt"; flow:to_server,established; file_data; content:"|02 FF 15 6C FA 01 00 41 B9 09 04 00 00 45 33 C0 48 8D 15 B4 01 03 00 48 8B CB FF 15 4B FA 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0636; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0636; classtype:attempted-admin; sid:48800; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows arbitrary file read attempt"; flow:to_client,established; file_data; content:"|02 FF 15 6C FA 01 00 41 B9 09 04 00 00 45 33 C0 48 8D 15 B4 01 03 00 48 8B CB FF 15 4B FA 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0636; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0636; classtype:attempted-admin; sid:48799; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft XmlDocument privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"T|00|o|00|a|00|s|00|t|00|N|00|o|00|t|00|i|00|f|00|i|00|c|00|a|00|t|00|i|00|o|00|n|00|M|00|a|00|n|00|a|00|g|00|e|00|r"; fast_pattern:only; content:"W|00|S|00|c|00|r|00|i|00|p|00|t|00|.|00|S|00|h|00|e|00|l|00|l"; content:"A|00|l|00|l|00|o|00|w|00|X|00|s|00|l|00|t|00|S|00|c|00|r|00|i|00|p|00|t"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0555; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0555; classtype:attempted-user; sid:48798; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft XmlDocument privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"GetEdgeProcess"; fast_pattern:only; content:"NtApiDotNet"; content:"SafeLoadLibraryHandle"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0555; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0555; classtype:attempted-user; sid:48797; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft XmlDocument privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"T|00|o|00|a|00|s|00|t|00|N|00|o|00|t|00|i|00|f|00|i|00|c|00|a|00|t|00|i|00|o|00|n|00|M|00|a|00|n|00|a|00|g|00|e|00|r"; fast_pattern:only; content:"W|00|S|00|c|00|r|00|i|00|p|00|t|00|.|00|S|00|h|00|e|00|l|00|l"; content:"A|00|l|00|l|00|o|00|w|00|X|00|s|00|l|00|t|00|S|00|c|00|r|00|i|00|p|00|t"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0555; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0555; classtype:attempted-user; sid:48796; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft XmlDocument privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"GetEdgeProcess"; fast_pattern:only; content:"NtApiDotNet"; content:"SafeLoadLibraryHandle"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0555; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0555; classtype:attempted-user; sid:48795; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt"; flow:to_server,established; file_data; content:"|07 16 16 12 02 28 04 00 00 06 28 0D 00 00 06 26 72 F5 00 00 70 08 28 16 00 00 0A 08 18 12 03 28 05 00 00 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0573; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0573; classtype:attempted-user; sid:48794; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt"; flow:to_client,established; file_data; content:"|07 16 16 12 02 28 04 00 00 06 28 0D 00 00 06 26 72 F5 00 00 70 08 28 16 00 00 0A 08 18 12 03 28 05 00 00 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0573; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0573; classtype:attempted-user; sid:48793; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows kernel out of bounds read attempt"; flow:to_server,established; file_data; content:"|50 8D 4C 24 7C 68 00 00 01 00 51 83 EC 28 89 74 24 58 89 74 24 5C 89 74 24 60 89 74 24 64 89 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0569; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0569; classtype:attempted-admin; sid:48790; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows kernel out of bounds read attempt"; flow:to_client,established; file_data; content:"|50 8D 4C 24 7C 68 00 00 01 00 51 83 EC 28 89 74 24 58 89 74 24 5C 89 74 24 60 89 74 24 64 89 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0569; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0569; classtype:attempted-admin; sid:48789; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"{|00|C|00|8|00|F|00|F|00|C|00|4|00|1|00|4|00|-|00|9|00|4|00|6|00|D|00|-|00|4|00|E|00|6|00|1|00|-|00|A|00|3|00|0|00|2|00|-|00|9|00|B|00|9|00|7|00|1|00|3|00|F|00|8|00|4|00|4|00|4|00|8|00|}|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0552; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0552; classtype:attempted-user; sid:48788; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"{|00|C|00|8|00|F|00|F|00|C|00|4|00|1|00|4|00|-|00|9|00|4|00|6|00|D|00|-|00|4|00|E|00|6|00|1|00|-|00|A|00|3|00|0|00|2|00|-|00|9|00|B|00|9|00|7|00|1|00|3|00|F|00|8|00|4|00|4|00|4|00|8|00|}|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0552; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0552; classtype:attempted-user; sid:48787; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"dsclient.dll"; fast_pattern:only; content:"CreateHardlink"; content:"DSCreateSharedFileToken"; content:"NtApiDotNet"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0572; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0572; classtype:attempted-admin; sid:48777; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; file_data; content:"dsclient.dll"; fast_pattern:only; content:"CreateHardlink"; content:"DSCreateSharedFileToken"; content:"NtApiDotNet"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0572; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0572; classtype:attempted-admin; sid:48776; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Task Scheduler privileged file overwrite attempt"; flow:to_server,established; file_data; content:"|33 C0 C7 44 24 28 80 00 00 00 BA 00 00 00 80 C7 44 24 20 03 00 00 00 FF 15 73 06 02 00 48 8B D8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48964; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Task Scheduler privileged file overwrite attempt"; flow:to_client,established; file_data; content:"|33 C0 C7 44 24 28 80 00 00 00 BA 00 00 00 80 C7 44 24 20 03 00 00 00 FF 15 73 06 02 00 48 8B D8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48963; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt"; flow:to_server,established; content:"|C0 00|Duca"; depth:200; content:"rdpdr"; within:300; content:"cliprdr"; content:"rdpsnd"; metadata:policy max-detect-ips alert, policy security-ips alert; reference:url,fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:attempted-user; sid:49041; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; content:"Cookie: mstshash="; within:17; fast_pattern; metadata:policy max-detect-ips alert, policy security-ips alert; reference:url,fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:attempted-user; sid:49040; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 01 6A 03 6A 00 6A 00 6A 7F|"; fast_pattern:only; content:"|68 80 96 98 00 FF 15|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0628; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0628; classtype:attempted-admin; sid:49181; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 01 6A 03 6A 00 6A 00 6A 7F|"; fast_pattern:only; content:"|68 80 96 98 00 FF 15|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0628; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0628; classtype:attempted-admin; sid:49180; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; file_data; content:"|E8 DA 1D FE FF EB 0B 79 09 48 8B 49 18 E8 EE 01 FE FF 48 8B 4B 28 E8 C4 1D FE FF 48 8D 05 66 59|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0633; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0633; classtype:attempted-user; sid:49177; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_client,established; file_data; content:"|E8 DA 1D FE FF EB 0B 79 09 48 8B 49 18 E8 EE 01 FE FF 48 8B 4B 28 E8 C4 1D FE FF 48 8D 05 66 59|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0633; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0633; classtype:attempted-user; sid:49176; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; file_data; content:"|55 C8 48 8B 45 C0 48 8B 4D C8 48 F7 E1 41 0F 90 C0 41 80 E0 01 48 89 45 F0 44 88 45 F8 48 8B 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0633; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0633; classtype:attempted-user; sid:49175; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_client,established; file_data; content:"|55 C8 48 8B 45 C0 48 8B 4D C8 48 F7 E1 41 0F 90 C0 41 80 E0 01 48 89 45 F0 44 88 45 F8 48 8B 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0633; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0633; classtype:attempted-user; sid:49174; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows kernel information disclosure attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|53 8B 5C 24 08 68 00 10 00 00 53|"; content:"|FE C3 68 00 10 00 00 53 68|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0621; reference:cve,2019-0767; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0621; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0767; classtype:attempted-admin; sid:49173; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows kernel information disclosure attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|53 8B 5C 24 08 68 00 10 00 00 53|"; content:"|FE C3 68 00 10 00 00 53 68|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0621; reference:cve,2019-0767; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0621; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0767; classtype:attempted-admin; sid:49172; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS NTLM authentication relay attempt"; flow:to_client,established; content:"Server: SimpleHTTP/"; fast_pattern:only; http_header; content:"WWW-Authenticate: NTLM"; nocase; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-8581; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581; classtype:attempted-user; sid:49171; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|6A 17 E8 2F FF FF FF 8B 4C 24 28 33 D2 8A 14 0E 52 51 50 68 B0 70 40 00 E8 39 00 00 00 8B 44 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0661; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0661; classtype:attempted-admin; sid:49162; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|6A 17 E8 2F FF FF FF 8B 4C 24 28 33 D2 8A 14 0E 52 51 50 68 B0 70 40 00 E8 39 00 00 00 8B 44 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0661; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0661; classtype:attempted-admin; sid:49161; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|C9 45 8B D1 49 FF C0 46 38 0C 01 75 F7 4D 85 C0 74 3D 0F B6 02 8D 48 D0 80 F9 09 77 04 2C 30 EB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0656; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0656; classtype:attempted-admin; sid:49160; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|C9 45 8B D1 49 FF C0 46 38 0C 01 75 F7 4D 85 C0 74 3D 0F B6 02 8D 48 D0 80 F9 09 77 04 2C 30 EB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0656; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0656; classtype:attempted-admin; sid:49159; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB named pipe buffer overflow attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05|"; within:1; distance:8; content:"|39 00|"; within:2; distance:51; byte_test:2,>,32000,44,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2019-0630; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0630; classtype:attempted-admin; sid:49146; rev:2;)
alert udp any any -> $HOME_NET 67 (msg:"OS-WINDOWS Microsoft Windows DHCP Server remote code execution attempt"; content:"|63 82 53 63 35 01 01|"; fast_pattern; byte_extract:1,0,opt_code,relative; byte_extract:1,0,opt_size,relative; byte_test:1,=,opt_code,opt_size,relative; byte_jump:1,-1,relative; isdataat:255,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dhcp; reference:cve,2019-0626; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0626; classtype:attempted-user; sid:49333; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt"; flow:to_server,established; file_data; content:"|C7 44 24 18 00 10 00 00 68 00 30 10 00 8D 44 24 1C 33 DB 50 33 FF 8D 44 24 1C 53 47 50 89 7C 24 24 FF 15 38 30 00 10 50 FF D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0808; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0808; classtype:attempted-admin; sid:49403; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt"; flow:to_client,established; file_data; content:"|C7 44 24 18 00 10 00 00 68 00 30 10 00 8D 44 24 1C 33 DB 50 33 FF 8D 44 24 1C 53 47 50 89 7C 24 24 FF 15 38 30 00 10 50 FF D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0808; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0808; classtype:attempted-admin; sid:49402; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt"; flow:to_server,established; file_data; content:"|C7 45 04 00 00 00 00 FF 15 00 4B 10 00 BA 80 00 00 00 48 8B C8 FF 15 32 4B 10 00 FF 15 04 4B 10 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0797; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0797; classtype:attempted-admin; sid:49401; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt"; flow:to_client,established; file_data; content:"|C7 45 04 00 00 00 00 FF 15 00 4B 10 00 BA 80 00 00 00 48 8B C8 FF 15 32 4B 10 00 FF 15 04 4B 10 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0797; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0797; classtype:attempted-admin; sid:49400; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|48 8D 0D 80 2A 00 00 E8 4A 16 00 00 48 8B 45 F0 48 89 C1 E8 66 FE FF FF 48 8B 45 F0 48 89 C1 E8 EC FE FF FF 48 8D 0D 7B 2A 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0755; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0755; classtype:attempted-admin; sid:49393; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|48 8D 0D 80 2A 00 00 E8 4A 16 00 00 48 8B 45 F0 48 89 C1 E8 66 FE FF FF 48 8B 45 F0 48 89 C1 E8 EC FE FF FF 48 8D 0D 7B 2A 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0755; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0755; classtype:attempted-admin; sid:49392; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows kernel information disclosure attempt"; flow:to_server,established; file_data; content:"|8B 5C 24 30 48 83 C4 20 5F C3 48 83 EC 28 B8 4D 5A 00 00 66 39 05 E8 E6 FF FF 74 04 33 C9 EB 38|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0775; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0775; classtype:attempted-admin; sid:49391; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows kernel information disclosure attempt"; flow:to_client,established; file_data; content:"|8B 5C 24 30 48 83 C4 20 5F C3 48 83 EC 28 B8 4D 5A 00 00 66 39 05 E8 E6 FF FF 74 04 33 C9 EB 38|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0775; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0775; classtype:attempted-admin; sid:49390; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Huawei PCManager device driver privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5C 00|H|00|w|00|O|00|s|00|2|00|E|00|c|00|"; fast_pattern:only; content:"m|00|a|00|t|00|e|00|b|00|o|00|o|00|k|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e|00|"; nocase; content:"DeviceIoControl|00|"; nocase; content:"|BA A4 41 22 00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-5241; reference:cve,2019-5242; classtype:attempted-admin; sid:49631; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Huawei PCManager device driver privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5C 00|H|00|w|00|O|00|s|00|2|00|E|00|c|00|"; fast_pattern:only; content:"m|00|a|00|t|00|e|00|b|00|o|00|o|00|k|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e|00|"; nocase; content:"DeviceIoControl|00|"; nocase; content:"|BA A4 41 22 00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-5241; reference:cve,2019-5242; classtype:attempted-admin; sid:49630; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Huawei PCManager device driver privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5C|HwOs2Ec"; fast_pattern:only; content:"matebookservice.exe"; nocase; content:"DeviceIoControl|00|"; nocase; content:"|BA A4 41 22 00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-5241; reference:cve,2019-5242; classtype:attempted-admin; sid:49629; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Huawei PCManager device driver privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5C|HwOs2Ec"; fast_pattern:only; content:"matebookservice.exe"; nocase; content:"DeviceIoControl|00|"; nocase; content:"|BA A4 41 22 00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-5241; reference:cve,2019-5242; classtype:attempted-admin; sid:49628; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Kernel information disclosure attempt"; flow:to_server,established; file_data; content:"|48 89 4C 24 30 48 89 4C 24 40 48 8D 0D 94 9D 00 00 45 33 C0 BA 00 00 00 C0 C7 44 24 28 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0844; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0844; classtype:attempted-admin; sid:49755; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Kernel information disclosure attempt"; flow:to_client,established; file_data; content:"|48 89 4C 24 30 48 89 4C 24 40 48 8D 0D 94 9D 00 00 45 33 C0 BA 00 00 00 C0 C7 44 24 28 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0844; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0844; classtype:attempted-admin; sid:49754; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows kernel information disclosure attempt"; flow:to_server,established; file_data; content:"|BA 00 00 01 00 48 8B CB 48 89 7C 24 28 C7 44 24 40 00 00 28 00 48 89 7C 24 20 FF 15 C8 7F 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0840; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0840; classtype:attempted-recon; sid:49751; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows kernel information disclosure attempt"; flow:to_client,established; file_data; content:"|BA 00 00 01 00 48 8B CB 48 89 7C 24 28 C7 44 24 40 00 00 28 00 48 89 7C 24 20 FF 15 C8 7F 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0840; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0840; classtype:attempted-recon; sid:49750; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt"; flow:to_server,established; file_data; content:"|16 28 02 00 00 06 07 09 28 01 00 00 06 26 02 28 19 00 00 0A 14 20 80 00 00 00 17 1F 40 28 1D 00 00 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0805; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0805; classtype:attempted-admin; sid:49749; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt"; flow:to_client,established; file_data; content:"|16 28 02 00 00 06 07 09 28 01 00 00 06 26 02 28 19 00 00 0A 14 20 80 00 00 00 17 1F 40 28 1D 00 00 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0805; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0805; classtype:attempted-admin; sid:49748; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows win32k privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|BA E0 FF FF FF|"; content:"|BA 08 00 00 00|"; within:50; content:"|BA FC FF FF FF|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0859; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0859; classtype:attempted-admin; sid:49747; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|BA E0 FF FF FF|"; content:"|BA 08 00 00 00|"; within:50; content:"|BA FC FF FF FF|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0859; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0859; classtype:attempted-admin; sid:49746; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt"; flow:to_server,established; file_data; content:"|10 28 37 00 00 0A 28 1C 00 00 0A 28 39 00 00 0A 26 DE 0A 06 2C 06 06 6F 18 00 00 0A DC DE 07 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0836; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0836; classtype:attempted-admin; sid:49721; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt"; flow:to_client,established; file_data; content:"|10 28 37 00 00 0A 28 1C 00 00 0A 28 39 00 00 0A 26 DE 0A 06 2C 06 06 6F 18 00 00 0A DC DE 07 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0836; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0836; classtype:attempted-admin; sid:49720; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|D1 00 14 06 24 01 49 01 7C 01 98 00 49 01 56 01 89 00 99 00 0C 04 2A 01 E1 00 6C 03 3A 01 14 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0796; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0796; classtype:attempted-admin; sid:49719; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|D1 00 14 06 24 01 49 01 7C 01 98 00 49 01 56 01 89 00 99 00 0C 04 2A 01 E1 00 6C 03 3A 01 14 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0796; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0796; classtype:attempted-admin; sid:49718; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI component use after free attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"AddByGod"; fast_pattern:only; content:"VirtualAlloc"; content:"CryptDecrypt"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0803; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0803; classtype:attempted-admin; sid:49713; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GDI component use after free attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"AddByGod"; fast_pattern:only; content:"VirtualAlloc"; content:"CryptDecrypt"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0803; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0803; classtype:attempted-admin; sid:49712; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"l|00|u|00|a|00|f|00|v|00|_|00 00 1D|B|00|a|00|s|00|e|00|"; fast_pattern:only; content:"NtApiDotNet"; content:"SetCachedSigningLevel"; content:"System.Security.AccessControl"; content:"EaBuffer"; content:"get_GrantedAccess"; content:"CreateFileWithSecurity"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0732; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0732; classtype:policy-violation; sid:49705; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"l|00|u|00|a|00|f|00|v|00|_|00 00 1D|B|00|a|00|s|00|e|00|"; fast_pattern:only; content:"NtApiDotNet"; content:"SetCachedSigningLevel"; content:"System.Security.AccessControl"; content:"EaBuffer"; content:"get_GrantedAccess"; content:"CreateFileWithSecurity"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0732; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0732; classtype:policy-violation; sid:49704; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"set_VirtualizationEnabled"; fast_pattern:only; content:"NtApiDotNet"; content:"l|00|u|00|a|00|f|00|v|00|_"; content:"FsControl"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0731; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0731; classtype:attempted-admin; sid:49697; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"set_VirtualizationEnabled"; fast_pattern:only; content:"NtApiDotNet"; content:"l|00|u|00|a|00|f|00|v|00|_"; content:"FsControl"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0731; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0731; classtype:attempted-admin; sid:49696; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Windows CSRSS privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"ActivationContex"; fast_pattern:only; content:"NtApiDotNet"; content:"Marshal"; content:"3|00|5|00|7|00|e|00|d|00|f|00|b|00|d|00|-|00|6|00|e|00|0|00|1|00|-|00|4|00|e|00|f|00|2|00|-|00|8|00|2|00|9|00|f|00|-|00|2|00|d|00|1|00|3|00|b|00|c|00|9|00|8|00|6|00|e|00|d|00|0"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0735; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0735; classtype:attempted-admin; sid:49695; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Windows CSRSS privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"ActivationContex"; fast_pattern:only; content:"NtApiDotNet"; content:"Marshal"; content:"3|00|5|00|7|00|e|00|d|00|f|00|b|00|d|00|-|00|6|00|e|00|0|00|1|00|-|00|4|00|e|00|f|00|2|00|-|00|8|00|2|00|9|00|f|00|-|00|2|00|d|00|1|00|3|00|b|00|c|00|9|00|8|00|6|00|e|00|d|00|0"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0735; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0735; classtype:attempted-admin; sid:49694; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"NtApiDotNet"; fast_pattern:only; content:"V|00|i|00|r|00|t|00|u|00|a|00|l|00|S|00|t|00|o|00|r|00|e|00|"; content:"CreateHardlink"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0730; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0730; classtype:attempted-admin; sid:49693; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"NtApiDotNet"; fast_pattern:only; content:"V|00|i|00|r|00|t|00|u|00|a|00|l|00|S|00|t|00|o|00|r|00|e|00|"; content:"CreateHardlink"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0730; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0730; classtype:attempted-admin; sid:49692; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|68 B8 0B 00 00 FF D6 68 64 4C 43 00 E8 6C 13 00 00 68 98 4C 43 00 E8 CB BD 00 00 83 C4 08 C7 45 FC 00 00 00 00|"; fast_pattern:only; content:"|8D 4D 80 C7 45 90 00 00 00 00 51 68 00 00 00 02|"; content:"|6A 0B 51 FF 75 98 8D 8D 74 FF FF FF|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0841; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0841; classtype:attempted-admin; sid:49765; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|68 B8 0B 00 00 FF D6 68 64 4C 43 00 E8 6C 13 00 00 68 98 4C 43 00 E8 CB BD 00 00 83 C4 08 C7 45 FC 00 00 00 00|"; fast_pattern:only; content:"|8D 4D 80 C7 45 90 00 00 00 00 51 68 00 00 00 02|"; content:"|6A 0B 51 FF 75 98 8D 8D 74 FF FF FF|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0841; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0841; classtype:attempted-admin; sid:49764; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|B9 B8 0B 00 00 FF 15 9D 77 02 00 48 8D 0D DE 94 03 00 E8 A1 12 00 00 48 8D 0D 0A 95 03 00 E8 49 C5 00 00|"; fast_pattern:only; content:"|4C 8D 4D 88 4C 8D 44 24 38 BA 00 00 00 02 48 8D 4C 24 30 FF D6|"; content:"|4D 8B C6 48 8D 55 98 48 8B CB FF D0|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0841; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0841; classtype:attempted-admin; sid:49763; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|B9 B8 0B 00 00 FF 15 9D 77 02 00 48 8D 0D DE 94 03 00 E8 A1 12 00 00 48 8D 0D 0A 95 03 00 E8 49 C5 00 00|"; fast_pattern:only; content:"|4C 8D 4D 88 4C 8D 44 24 38 BA 00 00 00 02 48 8D 4C 24 30 FF D6|"; content:"|4D 8B C6 48 8D 55 98 48 8B CB FF D0|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0841; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0841; classtype:attempted-admin; sid:49762; rev:2;)