snort2-docker/docker/etc/rules/file-executable.rules

384 lines
156 KiB
Plaintext
Raw Normal View History

2020-02-24 13:56:30 +00:00
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# FILE-EXECUTABLE RULES
#-----------------------
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|E0 00 22 01 0B 01 0A 00 00 64 00 00 00 2E 00 00|"; fast_pattern; content:"|00 B0 00 00 50 0E 00 00 30 15 00 00 1C 00 00 00|"; within:16; distance:112; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-024; classtype:attempted-user; sid:26601; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|E0 00 22 01 0B 01 0A 00 00 64 00 00 00 2E 00 00|"; fast_pattern; content:"|00 B0 00 00 50 0E 00 00 30 15 00 00 1C 00 00 00|"; within:16; distance:112; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-024; classtype:attempted-user; sid:26590; rev:5;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-EXECUTABLE Microsoft Windows executable file save onto SMB share attempt"; flow:to_server,established; content:"SMB"; depth:3; offset:5; content:"MZ"; within:150; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; fast_pattern; metadata:service netbios-ssn; classtype:policy-violation; sid:26385; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|83 EC 40 C7 04 24 54 4D 45 4D C7 44 24 04 4F 2E 4A 54 C7 44 24 08 44 00 00 00 8B C4 50 BB E8 C5 3F 21 FF 13 83 C4 40 E9 B2 BF FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0707; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:26071; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|83 EC 40 C7 04 24 54 4D 45 4D C7 44 24 04 4F 2E 4A 54 C7 44 24 08 44 00 00 00 8B C4 50 BB E8 C5 3F 21 FF 13 83 C4 40 E9 B2 BF FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0707; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:26070; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|D8 7B 7B 6F 6E B9 9B 95 BB 99 81 A8 E0 AF 32 23 75 57 DB AC 5C BD 34 A4 94 A6 E3 4A DC EF EB F5|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0151; classtype:attempted-user; sid:25779; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft .NET blacklisted method reflection sandbox bypass attempt"; flow:to_client,established; file_data; content:"_FieldInfo"; fast_pattern:only; content:"Main|00|mscoree.dll"; content:"EndInvoke"; content:"BeginInvoke"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-074; classtype:misc-activity; sid:24665; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft .NET blacklisted method reflection sandbox bypass attempt"; flow:to_server,established; file_data; content:"_FieldInfo"; fast_pattern:only; content:"Main|00|mscoree.dll"; content:"EndInvoke"; content:"BeginInvoke"; metadata:policy security-ips drop, service smtp; reference:cve,2012-1895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-074; classtype:misc-activity; sid:24664; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE ClamAV UPX File Handling Heap overflow attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|33 32 B2 FD FF 25 1C C1 40 00 05 18 14 10 7F FB|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19381; reference:cve,2006-4018; classtype:attempted-user; sid:24238; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE ClamAV UPX File Handling Heap overflow attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|33 32 B2 FD FF 25 1C C1 40 00 05 18 14 10 7F FB|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,19381; reference:cve,2006-4018; classtype:attempted-user; sid:24237; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|57 69 6E 5A 69 70|"; depth:6; offset:29; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1432; classtype:attempted-user; sid:23313; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MZ"; depth:2; content:"JFIF"; depth:4; offset:6; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1433; classtype:attempted-user; sid:23312; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|19 04 00 10|"; depth:4; offset:8; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1434; classtype:attempted-user; sid:23311; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"PKLITE"; depth:6; offset:30; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1435; classtype:attempted-user; sid:23310; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MZ|2D 6C 68|"; depth:5; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1436; classtype:attempted-user; sid:23309; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET Framework xbap DataObject object pointer attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"GetFormats"; content:"System.Runtime.InteropServices.ComTypes.IDataObject.GetDataHere.GetDataHere.sender.e.connectionId"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1855; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-038; classtype:attempted-user; sid:23181; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET xbap STGMEDIUM.unionmember arbitrary number overwrite attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|0E 43 6C 69 63 6B 20 74 6F 20 72 65 70 72 6F 99 FD 24 0A D0 FF 04 4C 65 66 74 3D FF 24 09 C8 FF|"; fast_pattern:only; content:"System.Runtime.InteropServices.ComTypes.IDataObject.GetDataHere"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1855; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-038; classtype:attempted-user; sid:23127; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE APP-CONTROL Thunder p2p application download detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"C|00|o|00|m|00|p|00|a|00|n|00|y|00|N|00|a|00|m|00|e"; nocase; content:"|F1 6D 33 57 02 5E C5 8F F7 96 51 7F DC 7E 80 62 2F 67 09 67 50 96 6C 51 F8 53|"; distance:0; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; distance:0; content:"|C5 8F F7 96|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Xunlei; classtype:policy-violation; sid:21173; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows afd.sys kernel-mode memory corruption attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|8B 45 FC 50 6A|"; byte_test:1,>,24,0,relative; content:"|8D 8D A0 FD FF FF 51 68 BB 20 01 00 8B 55 F8 52 FF 15 18|"; content:"|40 00|"; within:2; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-080; classtype:attempted-admin; sid:20270; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows CSRSS SrvDeviceEvent exploit attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|06 7C BD EB 05 BA CC CC CC CC 8B 75 08 33 FF 8B C6 85 F6 74 56 8B 40 04 47 85 C0 75 F8 85 F6 74 4A 39 16 75 0F 39 56 14 75 0A 39 56 18 75 05 39|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1967; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-063; classtype:attempted-user; sid:19680; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows NDISTAPI Driver code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 25 A8 81 41 00 FF 25 C4 82 41 00 CC CC CC CC 75 01 C3 55 8B EC 83 EC 00 50 52 53 56 57 8B 45 04 6A 00 50 E8 D0 FC FF FF 83 C4 08 5F 5E 5B 5A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1974; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-062; classtype:attempted-admin; sid:19679; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FILE-EXECUTABLE potentially executable file upload via FTP"; flow:established,to_server; content:"STOR"; depth:4; nocase; pcre:"/^STOR[^\r\n]+?\.(com|dll|exe|js|vbs)\s+/smi"; metadata:service ftp; reference:url,tools.ietf.org/html/rfc959; classtype:policy-violation; sid:16363; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE download of executable content"; flow:to_client,established; content:"application/x-msdos-program"; fast_pattern; nocase; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/x-msdos-program/smiH"; file_data; content:"MZ"; within:2; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.microsoft.com/smallbusiness/resources/technology/security/practice_safe_computing_and_thwart_online_thugs.mspx; classtype:policy-violation; sid:16313; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET MSIL CombineImpl suspicious usage attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|CombineImpl|00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-061; classtype:attempted-user; sid:16183; rev:14;)
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Vista Windows mail file execution attempt"; flow:to_client,established; content:"href|3D|"; nocase; pcre:"/^[^\x22]*?\x22([a-z]\x3A[\x2F\x5C]|[\x2F\x5C]{2,4})/iR"; metadata:policy max-detect-ips drop; reference:cve,2007-1658; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:16023; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows NtUserMessageCall implementation exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; file_data; content:"schlamperei.x86.dll|00|_ReflectiveLoader"; fast_pattern:only; metadata:service smtp; reference:cve,2013-1300; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-053; classtype:attempted-user; sid:30940; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows NtUserMessageCall implementation exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; file_data; content:"schlamperei.x86.dll|00|_ReflectiveLoader"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1300; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-user; sid:30939; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows DosDevices mapping privilege escalation attempt"; flow:to_server,established; file_data; content:"|0F BE C9 88 5C 01 04 33 C0 40 8B 4D FC 5F 5E 33 CD 5B E8 EF 63 FF FF 8B E5 5D C3 80 39 30 75 05|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1644; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-user; sid:34081; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows DosDevices mapping privilege escalation attempt"; flow:to_server,established; file_data; content:"|E8 40 03 00 00 59 59 85 C0 0F 84 A3 00 00 00 FF 76 14 8B 45 08 FF 70 18 57 E8 C2 B4 FF FF 83 C4|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1644; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-user; sid:34080; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows DosDevices mapping privilege escalation attempt"; flow:to_client,established; file_data; content:"|0F BE C9 88 5C 01 04 33 C0 40 8B 4D FC 5F 5E 33 CD 5B E8 EF 63 FF FF 8B E5 5D C3 80 39 30 75 05|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1644; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-user; sid:34079; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows DosDevices mapping privilege escalation attempt"; flow:to_client,established; file_data; content:"|E8 40 03 00 00 59 59 85 C0 0F 84 A3 00 00 00 FF 76 14 8B 45 08 FF 70 18 57 E8 C2 B4 FF FF 83 C4|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1644; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-user; sid:34078; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Adobe Flash Player Internet Explorer broker process directory traversal attempt"; flow:to_server,established; file_data; content:"|2F 00 63 00 61 00 6C 00 63 00 2E 00 62 00 61 00 74 00 00 00 46 61 69 6C 65 64 20 74 6F 20 63 72|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3085; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34480; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Adobe Flash Player Internet Explorer broker process directory traversal attempt"; flow:to_client,established; file_data; content:"|2F 00 63 00 61 00 6C 00 63 00 2E 00 62 00 61 00 74 00 00 00 46 61 69 6C 65 64 20 74 6F 20 63 72|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3085; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34479; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Adobe Reader AcroBroker registry value out of bounds attempt"; flow:to_server,established; file_data; content:"|6A 08 6A 41 8D 85 08 FF FF FF 50 E8 3D F9 FF FF 83 C4 0C 8D 85 08 FF FF FF 50 E8 00 FA FF FF 83|"; fast_pattern:only; content:"|89 85 FC FE FF FF B8 08 00 00 00 6B C0 00 8B 8D FC FE FF FF C7 44 01 10 07 00 00 00 8B F4 68 00 10 00 00 8B 85 FC FE FF FF|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb15-10.html; classtype:attempted-user; sid:34467; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Adobe Reader AcroBroker registry value out of bounds attempt"; flow:to_client,established; file_data; content:"|6A 08 6A 41 8D 85 08 FF FF FF 50 E8 3D F9 FF FF 83 C4 0C 8D 85 08 FF FF FF 50 E8 00 FA FF FF 83|"; fast_pattern:only; content:"|89 85 FC FE FF FF B8 08 00 00 00 6B C0 00 8B 8D FC FE FF FF C7 44 01 10 07 00 00 00 8B F4 68 00 10 00 00 8B 85 FC FE FF FF|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb15-10.html; classtype:attempted-user; sid:34466; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|D8 7B 7B 6F 6E B9 9B 95 BB 99 81 A8 E0 AF 32 23 75 57 DB AC 5C BD 34 A4 94 A6 E3 4A DC EF EB F5|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0151; classtype:attempted-user; sid:25357; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|12 00 32 06 7B 00 12 00 38 06 7B 00 12 00 67 06 5B 06 06 00 83 06 7B 00 06 00 91 06 7B 00 06 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-user; sid:25253; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt"; flow:to_client,established; file_data; content:"|12 00 32 06 7B 00 12 00 38 06 7B 00 12 00 67 06 5B 06 06 00 83 06 7B 00 06 00 91 06 7B 00 06 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-user; sid:25252; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Software Installer MSI binary file magic detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isset,file.ole; flowbits:isset,file.exe; file_data; content:"This program cannot be run in DOS"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:25061; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Armadillo v1.71 packer file magic detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; flowbits:isset,file.exe; file_data; isdataat:17; content:"|55 8B EC 6A FF 68|"; content:"|68|"; within:1; distance:4; content:"|64 A1|"; within:2; distance:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:23256; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"MZ"; depth:2; nocase; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; nocase; content:"|0B 02|"; within:2; distance:20; byte_test:4,<,0x3d,142,relative,little; byte_test:4,>,0x0,142,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0151; classtype:attempted-user; sid:22942; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET invalid parsing of graphics data attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"System|2E|Drawing|2E|Drawing2D|00|GraphicsPath"; fast_pattern:only; content:"W|00|p|00|f|00|B|00|r|00|o|00|w|00|s|00|e|00|r|00|A|00|p|00|p|00|l|00|i|00|c|00|a|00|t|00|i|00|o|00|n|00 2E 00|P|00|r|00|o|00|p|00|e|00|r|00|t|00|i|00|e|00|s|00 2E 00|R|00|e|00|s|00|o|00|u|00|r|00|c|00|e|00|s"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-025; classtype:attempted-user; sid:22042; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"MZ"; depth:2; nocase; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; nocase; content:"|0B 01|"; within:2; distance:20; byte_test:4,<,0x3d,126,relative,little; byte_test:4,>,0x0,126,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0151; classtype:attempted-user; sid:21795; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET invalid parsing of graphics data attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"System|2E|Drawing|00|Bitmap|00|Graphics"; fast_pattern:only; content:"A|00|t|00|t|00|e|00|m|00|p|00|t|00|i|00|n|00|g|00 20 00|t|00|o|00 20 00|w|00|r|00|i|00|t|00|e|00 20 00|8|00 20 00|P|00|o|00|i|00|n|00|t|00|s|00 20 00|i|00|n|00|t|00|o"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-025; classtype:attempted-user; sid:21792; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|59 A3 0F 90 16 C4 78 40 A0 36 F0 3A 84 0E 02 97 00 08 B7 7A 5C 56 19 34 E0 89 05 00 01 01 1D 0E|"; fast_pattern:only; content:"get_PathAndQuery"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-user; sid:21305; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows win32k.sys kernel mode null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|68 A2 01 00 00 68 FF FF 00 00 FF 15 30|"; fast_pattern; content:"|41 00|"; within:2; distance:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-077; classtype:attempted-admin; sid:20261; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE ClamAV UPX File Handling Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 50 58 31 00 00 00 00 00 50 00 00 00 10 10 00 00 48 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 E0|"; content:"|D7 FE EF 14 02 2D 8B F8 8D 44 24 18 50 FF 74 04 10 03 7F 1D 2F FF 6F DF 8B D8 19 B5 2E 18 5F 5E 8B C3 5B C3 83 3D E8 A6 02 74 05 BE BD EB 76 16|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14866; reference:cve,2005-2920; classtype:attempted-user; sid:17358; rev:11;)
# alert tcp $HOME_NET [139,445] -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows executable file load from SMB share attempt"; flow:to_client,established; content:"SMB"; depth:3; offset:5; content:"MZ"; within:150; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; fast_pattern; metadata:policy max-detect-ips drop, service netbios-ssn; classtype:policy-violation; sid:17210; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Vista Windows mail file execution attempt"; flow:to_server,established; content:"href|3D|"; nocase; pcre:"/<a[^>]+href\s*=\s*(3D)?(\x22|\x27|)([a-z]\x3A[\x2F\x5C]|[\x2F\x5C]{2,4})/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-1658; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:16022; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:15306; rev:22;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE download of executable content"; flow:to_client,established; content:"application/octet-stream"; fast_pattern; nocase; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smiH"; file_data; content:"MZ"; within:2; metadata:policy max-detect-ips drop, service http; reference:url,www.microsoft.com/smallbusiness/resources/technology/security/practice_safe_computing_and_thwart_online_thugs.mspx; classtype:policy-violation; sid:11192; rev:20;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft .NET CreateDelegate method arbitrary code execution attempt "; flow:to_client,established; content:"|06 00 8E 01 26 00|"; content:"|06 00 59 00 17 00|"; within:6; distance:80; content:"Delegate|00|CreateDelegate|00|"; distance:0; fast_pattern; metadata:service http; reference:cve,2010-1898; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-060; classtype:attempted-user; sid:17118; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft .NET MSIL stack corruption attempt "; flow:to_client,established; flowbits:isset,file.exe; content:"Func1|00|StackSmasher|00|argIterator"; metadata:service http; reference:cve,2009-0090; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-061; classtype:attempted-user; sid:16182; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft .NET MSIL CLR interface multiple instantiation attempt "; flow:to_client,established; flowbits:isset,file.exe; content:"MyStructCaller|00|Program"; metadata:service http; reference:cve,2009-2497; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-061; classtype:attempted-user; sid:16179; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE GDI+ .NET image property parsing memory corruption "; flow:established,to_client; flowbits:isset,file.exe; file_data; content:"|00|<Module>|00|"; nocase; content:"System.Drawing.Imaging"; distance:0; nocase; content:"SetPropertyItem"; distance:0; nocase; metadata:service http; reference:cve,2009-2504; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16154; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-EXECUTABLE IIS ASP/ASP.NET potentially malicious file upload attempt "; flow:to_server,established; content:"DtcGetTransactionManagerEx|28|"; fast_pattern:only; metadata:service http; reference:cve,2008-1436; reference:cve,2009-0078; reference:cve,2009-0079; reference:cve,2009-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-012; classtype:attempted-user; sid:15470; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|64 A3 00 00 00 00 8B F1 89 75 EC C7 45 FC 00 00 00 00 C7 45 F0 00 00 00 00 68 2C 48 01 10 C7 06|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-4446; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35806; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|64 A3 00 00 00 00 8B F1 89 75 EC C7 45 FC 00 00 00 00 C7 45 F0 00 00 00 00 68 2C 48 01 10 C7 06|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-4446; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35805; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE NtGdiStretchBlt buffer overflow privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|68 CA 00 C0 00 68 B8 90 EB 46 6A 50 68 4E 8D 86 10 68 F2 C8 B5 9E|"; content:"|26 68 9A EB C8 FF 6A 29 6A 2E|"; within:10; distance:5; metadata:service smtp; reference:cve,2015-2512; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; classtype:attempted-admin; sid:35989; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE NtGdiStretchBlt buffer overflow privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|68 CA 00 C0 00 68 B8 90 EB 46 6A 50 68 4E 8D 86 10 68 F2 C8 B5 9E|"; content:"|26 68 9A EB C8 FF 6A 29 6A 2E|"; within:10; distance:5; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2512; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; classtype:attempted-admin; sid:35988; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt"; flow:to_server,established; file_data; content:"MZ"; depth:2; content:"PE|00 00 4C 01|"; within:6; distance:126; content:"|0B 01|"; within:2; distance:18; content:"."; within:400; distance:222; byte_test:4,>=,0x14000000,11,relative,little; metadata:service smtp; reference:cve,2016-4535; classtype:attempted-dos; sid:39464; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:"PE|00 00 4C 01|"; within:6; distance:126; content:"|0B 01|"; within:2; distance:18; content:"."; within:400; distance:222; byte_test:4,>=,0x14000000,11,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4535; classtype:attempted-dos; sid:39463; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft CLFS.sys information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"AddLogContainer"; fast_pattern:only; content:"CreateLogMarshallingArea"; content:!"ReserveAndAppendLog"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7295; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-153; classtype:attempted-recon; sid:40937; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft CLFS.sys information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"AddLogContainer"; fast_pattern:only; content:"CreateLogMarshallingArea"; content:!"ReserveAndAppendLog"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7295; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-153; classtype:attempted-recon; sid:40936; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|C7|"; content:"|33 33 33 33 C7|"; within:5; distance:5; content:"|01 00 00 00 6A 00 6A FF 68 00 00 00 80 6A FF 68 00 00 00 80|"; within:20; distance:5; fast_pattern; content:"|FF|"; within:5; distance:1; metadata:service smtp; reference:cve,2013-1334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-046; classtype:attempted-dos; sid:41465; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|C7|"; content:"|33 33 33 33 C7|"; within:5; distance:5; content:"|01 00 00 00 6A 00 6A FF 68 00 00 00 80 6A FF 68 00 00 00 80|"; within:20; distance:5; fast_pattern; content:"|FF|"; within:5; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-046; classtype:attempted-dos; sid:41464; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|C7|"; content:"|33 33 33 33 C7|"; within:5; distance:5; content:"|01 00 00 00 6A 00 6A FF 68 00 00 00 80 6A FF 68 00 00 00 80|"; within:20; distance:5; fast_pattern; content:"|E8|"; within:1; distance:1; metadata:service smtp; reference:cve,2013-1334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-046; classtype:attempted-dos; sid:41463; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|C7|"; content:"|33 33 33 33 C7|"; within:5; distance:5; content:"|01 00 00 00 6A 00 6A FF 68 00 00 00 80 6A FF 68 00 00 00 80|"; within:20; distance:5; fast_pattern; content:"|E8|"; within:1; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-046; classtype:attempted-dos; sid:41462; rev:1;)
# alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt"; flow:to_server,established; file_data; content:"|CF FA ED FE|"; depth:4; fast_pattern; content:"|05 00 00 00|"; distance:0; byte_test:4,<,0xd,4,relative,little; byte_test:4,>,200,0,relative,little; metadata:service smtp; reference:cve,2017-5005; classtype:attempted-admin; sid:41641; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt"; flow:to_client,established; file_data; content:"|CF FA ED FE|"; depth:4; fast_pattern; content:"|05 00 00 00|"; distance:0; byte_test:4,<,0xd,4,relative,little; byte_test:4,>,200,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-5005; classtype:attempted-admin; sid:41640; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Com Session Moniker pivilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; content:"IHxHelpPaneServer"; fast_pattern:only; metadata:service smtp; reference:cve,2017-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41990; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Com Session Moniker pivilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"IHxHelpPaneServer"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41989; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Nvidia Windows kernel mode driver denial of service attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"D3DKMTEscape"; fast_pattern:only; content:"N|00|V|00|S|00|P|00|C|00|A|00|P|00|S|00 5C 00|a|00|a|00|1|00|8|00|e|00|b|00|c|00|4|00|-|00|0|00|1|00|9|00|d|00|-|00|4|00|e|00|c|00|0|00|-|00|b|00|f|00|1|00|d|00|-|00|d|00|6|00|3|00|0|00|0|00|2|00|1|00|8|00|b|00|f|00|5|00|2"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8823; reference:url,www.talosintelligence.com/reports/TALOS-2016-0217/; classtype:attempted-user; sid:40935; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Nvidia Windows kernel mode driver denial of service attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"D3DKMTEscape"; fast_pattern:only; content:"N|00|V|00|S|00|P|00|C|00|A|00|P|00|S|00 5C 00|a|00|a|00|1|00|8|00|e|00|b|00|c|00|4|00|-|00|0|00|1|00|9|00|d|00|-|00|4|00|e|00|c|00|0|00|-|00|b|00|f|00|1|00|d|00|-|00|d|00|6|00|3|00|0|00|0|00|2|00|1|00|8|00|b|00|f|00|5|00|2"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8823; reference:url,www.talosintelligence.com/reports/TALOS-2016-0217/; classtype:attempted-user; sid:40934; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Hopper Disassembler ELF section header memory corruption attempt"; flow:to_server,established; file_data; content:"|04 00 00 00 42 00 00 00 00 00 00 00 38 18 40 00 00 00 00 00 38 18 00 00 00 00 00 00 CE FA AD DE|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8390; reference:url,www.talosintelligence.com/reports/TALOS-2016-0222; classtype:attempted-user; sid:40489; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Hopper Disassembler ELF section header memory corruption attempt"; flow:to_client,established; file_data; content:"|04 00 00 00 42 00 00 00 00 00 00 00 38 18 40 00 00 00 00 00 38 18 00 00 00 00 00 00 CE FA AD DE|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8390; reference:url,www.talosintelligence.com/reports/TALOS-2016-0222; classtype:attempted-user; sid:40488; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Kaspersky Anti-Virus unhandled windows messages denial of service vulnerability attempt"; flow:to_server,established; file_data; content:"Kaspersky Anti-Virus"; fast_pattern:only; content:"win32api"; content:"RegisterWindowMessage"; within:100; content:"win32api"; content:"PostMessage"; within:50; content:"win32con"; within:50; content:"HWND_BROADCAST"; within:50; metadata:service smtp; reference:cve,2016-4329; reference:url,www.talosintelligence.com/reports/TALOS-2016-0175; classtype:attempted-dos; sid:39919; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Kaspersky Anti-Virus unhandled windows messages denial of service vulnerability attempt"; flow:to_client,established; file_data; content:"Kaspersky Anti-Virus"; fast_pattern:only; content:"win32api"; content:"RegisterWindowMessage"; within:100; content:"win32api"; content:"PostMessage"; within:50; content:"win32con"; within:50; content:"HWND_BROADCAST"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4329; reference:url,www.talosintelligence.com/reports/TALOS-2016-0175; classtype:attempted-dos; sid:39918; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Symantec Norton Security IDSvix86 out of bounds read attempt"; flow:to_server,established; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; byte_jump:2,16,relative,little,post_offset 2; byte_test:4,>,0x10000000,16,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5308; reference:url,www.talosintelligence.com/reports/TALOS-2016-0182; classtype:attempted-dos; sid:39467; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Symantec Norton Security IDSvix86 out of bounds read attempt"; flow:to_client,established; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; byte_jump:2,16,relative,little,post_offset 2; byte_test:4,>,0x10000000,16,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5308; reference:url,www.talosintelligence.com/reports/TALOS-2016-0182; classtype:attempted-dos; sid:39466; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Kaspersky Internet Security kl1.sys out of bounds read attempt"; flow:to_server,established; file_data; content:"|01 8B 85 F8 FA FF FF 50 68 70 20 22 00 8B 8D F4 FA FF FF 51 FF 15 08 20 41 00 89 85 EC FA FF FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-4307; reference:url,www.talosintelligence.com/reports/TALOS-2016-0169; classtype:attempted-user; sid:39048; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Kaspersky Internet Security kl1.sys out of bounds read attempt"; flow:to_client,established; file_data; content:"|01 8B 85 F8 FA FF FF 50 68 70 20 22 00 8B 8D F4 FA FF FF 51 FF 15 08 20 41 00 89 85 EC FA FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4307; reference:url,www.talosintelligence.com/reports/TALOS-2016-0169; classtype:attempted-user; sid:39047; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack"; flow:to_server,established; file_data; content:"|0F AE F0 31 C0 0F A2 0F 01 F9 49 89 D0 49 89 C1 0F AE F0 C6 07 5A 0F AE F0 0F 01 F9 48 89 C7 48 89 D6 31 C0 0F A2 0F AE F0 48 89 F0 49 C1 E0 20 48 C1 E0 20 4D 09 C8 48 09 F8 4C 29 C0|"; fast_pattern:only; content:"|48 3D E7 03 00 00 4C 8B|"; content:"|E8|"; within:1; distance:-13; content:"|4C 8B|"; within:2; distance:15; metadata:service smtp; reference:cve,2017-5925; reference:cve,2017-5926; reference:cve,2017-5927; reference:url,www.vusec.net/projects/anc/; classtype:attempted-recon; sid:42101; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack"; flow:to_client,established; file_data; content:"|0F AE F0 31 C0 0F A2 0F 01 F9 49 89 D0 49 89 C1 0F AE F0 C6 07 5A 0F AE F0 0F 01 F9 48 89 C7 48 89 D6 31 C0 0F A2 0F AE F0 48 89 F0 49 C1 E0 20 48 C1 E0 20 4D 09 C8 48 09 F8 4C 29 C0|"; fast_pattern:only; content:"|48 3D E7 03 00 00 4C 8B|"; content:"|E8|"; within:1; distance:-13; content:"|4C 8B|"; within:2; distance:15; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-5925; reference:cve,2017-5926; reference:cve,2017-5927; reference:url,www.vusec.net/projects/anc/; classtype:attempted-recon; sid:42100; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Win.Trojan.DoubleAgent download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"RegRenameKey"; fast_pattern:only; content:"V|00|e|00|r|00|i|00|f|00|i|00|e|00|r|00|D|00|l|00|l|00|s"; nocase; content:"G|00|l|00|o|00|b|00|a|00|l|00|F|00|l|00|a|00|g"; nocase; metadata:impact_flag red, service smtp; reference:url,virustotal.com/en/file/99b42acbafeaadc68af9b217e1b2620cef13a0d61d1bc600c13889cc0414e307/analysis/1493236455/; classtype:attempted-user; sid:42419; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Win.Trojan.DoubleAgent download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"RegRenameKey"; fast_pattern:only; content:"V|00|e|00|r|00|i|00|f|00|i|00|e|00|r|00|D|00|l|00|l|00|s"; nocase; content:"G|00|l|00|o|00|b|00|a|00|l|00|F|00|l|00|a|00|g"; nocase; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/99b42acbafeaadc68af9b217e1b2620cef13a0d61d1bc600c13889cc0414e307/analysis/1493236455/; classtype:attempted-user; sid:42418; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xff encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B2 A5|"; depth:2; content:"|AF BA FF FF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42748; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xfe encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B3 A4|"; depth:2; content:"|AE BB FE FE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42747; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xfd encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B0 A7|"; depth:2; content:"|AD B8 FD FD|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42746; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xfc encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B1 A6|"; depth:2; content:"|AC B9 FC FC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42745; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xfb encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B6 A1|"; depth:2; content:"|AB BE FB FB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42744; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xfa encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B7 A0|"; depth:2; content:"|AA BF FA FA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42743; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B4 A3|"; depth:2; content:"|A9 BC F9 F9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42742; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B5 A2|"; depth:2; content:"|A8 BD F8 F8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42741; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BA AD|"; depth:2; content:"|A7 B2 F7 F7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42740; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BB AC|"; depth:2; content:"|A6 B3 F6 F6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42739; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B8 AF|"; depth:2; content:"|A5 B0 F5 F5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42738; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B9 AE|"; depth:2; content:"|A4 B1 F4 F4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42737; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BE A9|"; depth:2; content:"|A3 B6 F3 F3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42736; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BF A8|"; depth:2; content:"|A2 B7 F2 F2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42735; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BC AB|"; depth:2; content:"|A1 B4 F1 F1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42734; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BD AA|"; depth:2; content:"|A0 B5 F0 F0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42733; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xef encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A2 B5|"; depth:2; content:"|BF AA EF EF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42732; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xee encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A3 B4|"; depth:2; content:"|BE AB EE EE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42731; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xed encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A0 B7|"; depth:2; content:"|BD A8 ED ED|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42730; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xec encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A1 B6|"; depth:2; content:"|BC A9 EC EC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42729; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xeb encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A6 B1|"; depth:2; content:"|BB AE EB EB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42728; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xea encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A7 B0|"; depth:2; content:"|BA AF EA EA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42727; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A4 B3|"; depth:2; content:"|B9 AC E9 E9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42726; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A5 B2|"; depth:2; content:"|B8 AD E8 E8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42725; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AA BD|"; depth:2; content:"|B7 A2 E7 E7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42724; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AB BC|"; depth:2; content:"|B6 A3 E6 E6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42723; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A8 BF|"; depth:2; content:"|B5 A0 E5 E5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42722; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A9 BE|"; depth:2; content:"|B4 A1 E4 E4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42721; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AE B9|"; depth:2; content:"|B3 A6 E3 E3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42720; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AF B8|"; depth:2; content:"|B2 A7 E2 E2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42719; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AC BB|"; depth:2; content:"|B1 A4 E1 E1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42718; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AD BA|"; depth:2; content:"|B0 A5 E0 E0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42717; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xdf encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|92 85|"; depth:2; content:"|8F 9A DF DF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42716; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xde encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|93 84|"; depth:2; content:"|8E 9B DE DE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42715; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xdd encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|90 87|"; depth:2; content:"|8D 98 DD DD|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42714; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xdc encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|91 86|"; depth:2; content:"|8C 99 DC DC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42713; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xdb encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|96 81|"; depth:2; content:"|8B 9E DB DB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42712; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xda encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|97 80|"; depth:2; content:"|8A 9F DA DA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42711; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|94 83|"; depth:2; content:"|89 9C D9 D9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42710; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|95 82|"; depth:2; content:"|88 9D D8 D8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42709; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9A 8D|"; depth:2; content:"|87 92 D7 D7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42708; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9B 8C|"; depth:2; content:"|86 93 D6 D6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42707; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|98 8F|"; depth:2; content:"|85 90 D5 D5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42706; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|99 8E|"; depth:2; content:"|84 91 D4 D4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42705; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9E 89|"; depth:2; content:"|83 96 D3 D3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42704; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9F 88|"; depth:2; content:"|82 97 D2 D2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42703; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9C 8B|"; depth:2; content:"|81 94 D1 D1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42702; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9D 8A|"; depth:2; content:"|80 95 D0 D0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42701; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xcf encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|82 95|"; depth:2; content:"|9F 8A CF CF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42700; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xce encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|83 94|"; depth:2; content:"|9E 8B CE CE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42699; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xcd encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|80 97|"; depth:2; content:"|9D 88 CD CD|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42698; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xcc encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|81 96|"; depth:2; content:"|9C 89 CC CC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42697; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xcb encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|86 91|"; depth:2; content:"|9B 8E CB CB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42696; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xca encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|87 90|"; depth:2; content:"|9A 8F CA CA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42695; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|84 93|"; depth:2; content:"|99 8C C9 C9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42694; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|85 92|"; depth:2; content:"|98 8D C8 C8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42693; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8A 9D|"; depth:2; content:"|97 82 C7 C7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42692; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8B 9C|"; depth:2; content:"|96 83 C6 C6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42691; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|88 9F|"; depth:2; content:"|95 80 C5 C5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42690; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|89 9E|"; depth:2; content:"|94 81 C4 C4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42689; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8E 99|"; depth:2; content:"|93 86 C3 C3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42688; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8F 98|"; depth:2; content:"|92 87 C2 C2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42687; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8C 9B|"; depth:2; content:"|91 84 C1 C1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42686; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8D 9A|"; depth:2; content:"|90 85 C0 C0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42685; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xbf encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F2 E5|"; depth:2; content:"|EF FA BF BF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42684; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xbe encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F3 E4|"; depth:2; content:"|EE FB BE BE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42683; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xbd encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F0 E7|"; depth:2; content:"|ED F8 BD BD|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42682; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xbc encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F1 E6|"; depth:2; content:"|EC F9 BC BC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42681; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xbb encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F6 E1|"; depth:2; content:"|EB FE BB BB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42680; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xba encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F7 E0|"; depth:2; content:"|EA FF BA BA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42679; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F4 E3|"; depth:2; content:"|E9 FC B9 B9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42678; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F5 E2|"; depth:2; content:"|E8 FD B8 B8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42677; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FA ED|"; depth:2; content:"|E7 F2 B7 B7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42676; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FB EC|"; depth:2; content:"|E6 F3 B6 B6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42675; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F8 EF|"; depth:2; content:"|E5 F0 B5 B5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42674; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F9 EE|"; depth:2; content:"|E4 F1 B4 B4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42673; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FE E9|"; depth:2; content:"|E3 F6 B3 B3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42672; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FF E8|"; depth:2; content:"|E2 F7 B2 B2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42671; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FC EB|"; depth:2; content:"|E1 F4 B1 B1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42670; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FD EA|"; depth:2; content:"|E0 F5 B0 B0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42669; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xaf encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E2 F5|"; depth:2; content:"|FF EA AF AF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42668; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xae encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E3 F4|"; depth:2; content:"|FE EB AE AE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42667; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xad encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E0 F7|"; depth:2; content:"|FD E8 AD AD|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42666; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xac encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E1 F6|"; depth:2; content:"|FC E9 AC AC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42665; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xab encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E6 F1|"; depth:2; content:"|FB EE AB AB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42664; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xaa encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E7 F0|"; depth:2; content:"|FA EF AA AA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42663; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E4 F3|"; depth:2; content:"|F9 EC A9 A9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42662; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E5 F2|"; depth:2; content:"|F8 ED A8 A8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42661; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|EA FD|"; depth:2; content:"|F7 E2 A7 A7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42660; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|EB FC|"; depth:2; content:"|F6 E3 A6 A6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42659; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E8 FF|"; depth:2; content:"|F5 E0 A5 A5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42658; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E9 FE|"; depth:2; content:"|F4 E1 A4 A4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42657; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|EE F9|"; depth:2; content:"|F3 E6 A3 A3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42656; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|EF F8|"; depth:2; content:"|F2 E7 A2 A2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42655; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|EC FB|"; depth:2; content:"|F1 E4 A1 A1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42654; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|ED FA|"; depth:2; content:"|F0 E5 A0 A0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42653; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D2 C5|"; depth:2; content:"|CF DA 9F 9F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42652; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D3 C4|"; depth:2; content:"|CE DB 9E 9E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42651; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D0 C7|"; depth:2; content:"|CD D8 9D 9D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42650; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D1 C6|"; depth:2; content:"|CC D9 9C 9C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42649; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D6 C1|"; depth:2; content:"|CB DE 9B 9B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42648; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D7 C0|"; depth:2; content:"|CA DF 9A 9A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42647; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x99 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D4 C3|"; depth:2; content:"|C9 DC 99 99|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42646; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x98 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D5 C2|"; depth:2; content:"|C8 DD 98 98|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42645; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x97 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DA CD|"; depth:2; content:"|C7 D2 97 97|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42644; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x96 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DB CC|"; depth:2; content:"|C6 D3 96 96|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42643; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x95 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D8 CF|"; depth:2; content:"|C5 D0 95 95|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42642; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x94 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D9 CE|"; depth:2; content:"|C4 D1 94 94|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42641; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x93 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DE C9|"; depth:2; content:"|C3 D6 93 93|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42640; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x92 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DF C8|"; depth:2; content:"|C2 D7 92 92|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42639; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x91 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DC CB|"; depth:2; content:"|C1 D4 91 91|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42638; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x90 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DD CA|"; depth:2; content:"|C0 D5 90 90|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42637; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C2 D5|"; depth:2; content:"|DF CA 8F 8F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42636; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C3 D4|"; depth:2; content:"|DE CB 8E 8E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42635; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C0 D7|"; depth:2; content:"|DD C8 8D 8D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42634; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C1 D6|"; depth:2; content:"|DC C9 8C 8C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42633; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C6 D1|"; depth:2; content:"|DB CE 8B 8B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42632; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C7 D0|"; depth:2; content:"|DA CF 8A 8A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42631; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x89 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C4 D3|"; depth:2; content:"|D9 CC 89 89|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42630; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x88 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C5 D2|"; depth:2; content:"|D8 CD 88 88|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42629; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x87 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CA DD|"; depth:2; content:"|D7 C2 87 87|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42628; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x86 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CB DC|"; depth:2; content:"|D6 C3 86 86|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42627; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x85 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C8 DF|"; depth:2; content:"|D5 C0 85 85|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42626; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x84 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C9 DE|"; depth:2; content:"|D4 C1 84 84|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42625; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x83 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CE D9|"; depth:2; content:"|D3 C6 83 83|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42624; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x82 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CF D8|"; depth:2; content:"|D2 C7 82 82|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42623; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x81 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CC DB|"; depth:2; content:"|D1 C4 81 81|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42622; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x80 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CD DA|"; depth:2; content:"|D0 C5 80 80|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42621; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|32 25|"; depth:2; content:"|2F 3A 7F 7F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42620; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|33 24|"; depth:2; content:"|2E 3B 7E 7E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42619; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|30 27|"; depth:2; content:"|2D 38 7D 7D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42618; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|31 26|"; depth:2; content:"|2C 39 7C 7C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42617; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|36 21|"; depth:2; content:"|2B 3E 7B 7B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42616; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|37 20|"; depth:2; content:"|2A 3F 7A 7A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42615; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x79 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|34 23|"; depth:2; content:"|29 3C 79 79|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42614; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x78 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|35 22|"; depth:2; content:"|28 3D 78 78|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42613; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x77 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3A 2D|"; depth:2; content:"|27 32 77 77|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42612; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x76 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3B 2C|"; depth:2; content:"|26 33 76 76|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42611; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x75 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|38 2F|"; depth:2; content:"|25 30 75 75|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42610; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x74 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|39 2E|"; depth:2; content:"|24 31 74 74|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42609; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x73 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3E 29|"; depth:2; content:"|23 36 73 73|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42608; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x72 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3F 28|"; depth:2; content:"|22 37 72 72|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42607; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x71 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3C 2B|"; depth:2; content:"|21 34 71 71|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42606; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x70 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3D 2A|"; depth:2; content:"|20 35 70 70|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42605; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|22 35|"; depth:2; content:"|3F 2A 6F 6F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42604; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|23 34|"; depth:2; content:"|3E 2B 6E 6E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42603; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|20 37|"; depth:2; content:"|3D 28 6D 6D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42602; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|21 36|"; depth:2; content:"|3C 29 6C 6C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42601; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|26 31|"; depth:2; content:"|3B 2E 6B 6B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42600; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|27 30|"; depth:2; content:"|3A 2F 6A 6A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42599; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x69 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|24 33|"; depth:2; content:"|39 2C 69 69|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42598; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x68 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|25 32|"; depth:2; content:"|38 2D 68 68|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42597; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x67 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2A 3D|"; depth:2; content:"|37 22 67 67|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42596; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x66 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2B 3C|"; depth:2; content:"|36 23 66 66|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42595; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x65 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|28 3F|"; depth:2; content:"|35 20 65 65|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42594; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x64 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|29 3E|"; depth:2; content:"|34 21 64 64|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42593; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x63 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2E 39|"; depth:2; content:"|33 26 63 63|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42592; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x62 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2F 38|"; depth:2; content:"|32 27 62 62|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42591; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x61 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2C 3B|"; depth:2; content:"|31 24 61 61|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42590; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x60 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2D 3A|"; depth:2; content:"|30 25 60 60|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42589; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|12 05|"; depth:2; content:"|0F 1A 5F 5F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42588; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|13 04|"; depth:2; content:"|0E 1B 5E 5E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42587; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|10 07|"; depth:2; content:"|0D 18 5D 5D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42586; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|11 06|"; depth:2; content:"|0C 19 5C 5C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42585; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|16 01|"; depth:2; content:"|0B 1E 5B 5B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42584; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|17 00|"; depth:2; content:"|0A 1F 5A 5A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42583; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x59 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|14 03|"; depth:2; content:"|09 1C 59 59|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42582; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x58 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|15 02|"; depth:2; content:"|08 1D 58 58|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42581; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x57 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1A 0D|"; depth:2; content:"|07 12 57 57|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42580; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x56 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1B 0C|"; depth:2; content:"|06 13 56 56|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42579; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x55 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|18 0F|"; depth:2; content:"|05 10 55 55|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42578; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x54 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|19 0E|"; depth:2; content:"|04 11 54 54|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42577; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x53 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1E 09|"; depth:2; content:"|03 16 53 53|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42576; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x52 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1F 08|"; depth:2; content:"|02 17 52 52|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42575; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x51 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1C 0B|"; depth:2; content:"|01 14 51 51|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42574; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x50 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1D 0A|"; depth:2; content:"|00 15 50 50|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42573; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|02 15|"; depth:2; content:"|1F 0A 4F 4F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42572; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|03 14|"; depth:2; content:"|1E 0B 4E 4E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42571; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|00 17|"; depth:2; content:"|1D 08 4D 4D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42570; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|01 16|"; depth:2; content:"|1C 09 4C 4C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42569; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|06 11|"; depth:2; content:"|1B 0E 4B 4B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42568; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|07 10|"; depth:2; content:"|1A 0F 4A 4A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42567; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x49 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|04 13|"; depth:2; content:"|19 0C 49 49|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42566; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x48 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|05 12|"; depth:2; content:"|18 0D 48 48|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42565; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x47 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0A 1D|"; depth:2; content:"|17 02 47 47|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42564; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x46 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0B 1C|"; depth:2; content:"|16 03 46 46|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42563; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x45 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|08 1F|"; depth:2; content:"|15 00 45 45|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42562; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x44 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|09 1E|"; depth:2; content:"|14 01 44 44|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42561; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x43 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0E 19|"; depth:2; content:"|13 06 43 43|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42560; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x42 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0F 18|"; depth:2; content:"|12 07 42 42|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42559; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x41 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0C 1B|"; depth:2; content:"|11 04 41 41|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42558; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x40 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0D 1A|"; depth:2; content:"|10 05 40 40|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42557; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|72 65|"; depth:2; content:"|6F 7A 3F 3F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42556; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|73 64|"; depth:2; content:"|6E 7B 3E 3E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42555; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|70 67|"; depth:2; content:"|6D 78 3D 3D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42554; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|71 66|"; depth:2; content:"|6C 79 3C 3C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42553; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|76 61|"; depth:2; content:"|6B 7E 3B 3B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42552; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|77 60|"; depth:2; content:"|6A 7F 3A 3A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42551; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x39 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|74 63|"; depth:2; content:"|69 7C 39 39|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42550; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x38 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|75 62|"; depth:2; content:"|68 7D 38 38|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42549; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x37 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7A 6D|"; depth:2; content:"|67 72 37 37|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42548; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x36 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7B 6C|"; depth:2; content:"|66 73 36 36|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42547; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x35 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|78 6F|"; depth:2; content:"|65 70 35 35|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42546; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x34 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|79 6E|"; depth:2; content:"|64 71 34 34|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42545; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x33 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7E 69|"; depth:2; content:"|63 76 33 33|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42544; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x32 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7F 68|"; depth:2; content:"|62 77 32 32|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42543; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x31 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7C 6B|"; depth:2; content:"|61 74 31 31|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42542; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x30 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7D 6A|"; depth:2; content:"|60 75 30 30|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42541; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|62 75|"; depth:2; content:"|7F 6A 2F 2F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42540; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|63 74|"; depth:2; content:"|7E 6B 2E 2E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42539; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|60 77|"; depth:2; content:"|7D 68 2D 2D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42538; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|61 76|"; depth:2; content:"|7C 69 2C 2C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42537; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|66 71|"; depth:2; content:"|7B 6E 2B 2B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42536; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|67 70|"; depth:2; content:"|7A 6F 2A 2A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42535; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x29 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|64 73|"; depth:2; content:"|79 6C 29 29|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42534; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x28 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|65 72|"; depth:2; content:"|78 6D 28 28|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42533; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x27 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6A 7D|"; depth:2; content:"|77 62 27 27|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42532; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x26 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6B 7C|"; depth:2; content:"|76 63 26 26|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42531; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x25 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|68 7F|"; depth:2; content:"|75 60 25 25|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42530; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x24 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|69 7E|"; depth:2; content:"|74 61 24 24|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42529; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x23 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6E 79|"; depth:2; content:"|73 66 23 23|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42528; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x22 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6F 78|"; depth:2; content:"|72 67 22 22|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42527; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x21 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6C 7B|"; depth:2; content:"|71 64 21 21|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42526; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x20 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6D 7A|"; depth:2; content:"|70 65 20 20|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42525; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|52 45|"; depth:2; content:"|4F 5A 1F 1F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42524; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|53 44|"; depth:2; content:"|4E 5B 1E 1E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42523; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|50 47|"; depth:2; content:"|4D 58 1D 1D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42522; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|51 46|"; depth:2; content:"|4C 59 1C 1C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42521; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|56 41|"; depth:2; content:"|4B 5E 1B 1B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42520; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|57 40|"; depth:2; content:"|4A 5F 1A 1A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42519; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x19 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|54 43|"; depth:2; content:"|49 5C 19 19|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42518; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x18 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|55 42|"; depth:2; content:"|48 5D 18 18|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42517; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x17 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5A 4D|"; depth:2; content:"|47 52 17 17|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42516; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x16 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5B 4C|"; depth:2; content:"|46 53 16 16|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42515; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x15 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|58 4F|"; depth:2; content:"|45 50 15 15|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42514; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x14 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|59 4E|"; depth:2; content:"|44 51 14 14|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42513; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x13 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5E 49|"; depth:2; content:"|43 56 13 13|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42512; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x12 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5F 48|"; depth:2; content:"|42 57 12 12|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42511; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x11 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5C 4B|"; depth:2; content:"|41 54 11 11|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42510; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x10 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5D 4A|"; depth:2; content:"|40 55 10 10|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42509; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|42 55|"; depth:2; content:"|5F 4A 0F 0F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42508; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|43 54|"; depth:2; content:"|5E 4B 0E 0E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42507; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|40 57|"; depth:2; content:"|5D 48 0D 0D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42506; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|41 56|"; depth:2; content:"|5C 49 0C 0C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42505; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|46 51|"; depth:2; content:"|5B 4E 0B 0B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42504; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|47 50|"; depth:2; content:"|5A 4F 0A 0A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42503; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x09 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|44 53|"; depth:2; content:"|59 4C 09 09|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42502; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x08 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|45 52|"; depth:2; content:"|58 4D 08 08|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42501; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x07 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|4A 5D|"; depth:2; content:"|57 42 07 07|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42500; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x06 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|4B 5C|"; depth:2; content:"|56 43 06 06|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42499; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x05 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|48 5F|"; depth:2; content:"|55 40 05 05|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42498; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x04 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|49 5E|"; depth:2; content:"|54 41 04 04|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42497; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x03 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|4E 59|"; depth:2; content:"|53 46 03 03|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42496; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x02 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|4F 58|"; depth:2; content:"|52 47 02 02|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42495; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x01 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|4C 5B|"; depth:2; content:"|51 44 01 01|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42494; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE SandboxEscaper WER download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"R|00|e|00|p|00|o|00|r|00|t|00|Q|00|u|00|e|00|u|00|e|00|"; fast_pattern:only; nocase; content:"w|00|e|00|r|00|"; nocase; content:"U|00|S|00|O|00|P|00|r|00|i|00|v|00|a|00|t|00|e|00|"; nocase; metadata:impact_flag red, service smtp; classtype:attempted-user; sid:43633; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE SandboxEscaper WER download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"R|00|e|00|p|00|o|00|r|00|t|00|Q|00|u|00|e|00|u|00|e|00|"; fast_pattern:only; nocase; content:"w|00|e|00|r|00|"; nocase; content:"U|00|S|00|O|00|P|00|r|00|i|00|v|00|a|00|t|00|e|00|"; nocase; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43632; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Invincea Dell Protected Workspace InvProtectDrv sandbox escape attempt"; flow:to_server,established; file_data; content:"|50 6A 00 6A 00 6A 00 6A 00 68|"; fast_pattern; content:"|FF 15|"; within:2; distance:4; byte_extract:3,1,functsOffset,relative; content:"|50 68 00 10 00 00 8D|"; within:200; content:"|FF 15|"; within:40; byte_test:3,=,functsOffset,1,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8732; reference:url,www.talosintelligence.com/reports/TALOS-2016-0246; classtype:attempted-user; sid:41313; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Invincea Dell Protected Workspace InvProtectDrv sandbox escape attempt"; flow:to_client,established; file_data; content:"|50 6A 00 6A 00 6A 00 6A 00 68|"; fast_pattern; content:"|FF 15|"; within:2; distance:4; byte_extract:3,1,functsOffset,relative; content:"|50 68 00 10 00 00 8D|"; within:200; content:"|FF 15|"; within:40; byte_test:3,=,functsOffset,1,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8732; reference:url,www.talosintelligence.com/reports/TALOS-2016-0246; classtype:attempted-user; sid:41312; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Invincea-X SboxDrv.sys local privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|C7 06 01 00 34 12|"; content:"|6A 00 8D 85 F4 FE FF FF 50 68 00 01 00 00 53 6A 40 56 68 07 20 22 00 57 FF 15 1C 00 41 00|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-9038; reference:url,www.talosintelligence.com/reports/TALOS-2016-0256/; classtype:attempted-admin; sid:41307; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Invincea-X SboxDrv.sys local privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|C7 06 01 00 34 12|"; content:"|6A 00 8D 85 F4 FE FF FF 50 68 00 01 00 00 53 6A 40 56 68 07 20 22 00 57 FF 15 1C 00 41 00|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9038; reference:url,www.talosintelligence.com/reports/TALOS-2016-0256/; classtype:attempted-admin; sid:41306; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"CryptoNight"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/8bf1def5479b39376b3790a83380831d288c57dd4fbad8e64abc3a9062eb56bb; classtype:trojan-activity; sid:45548; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Binutils objdump integer overflow attempt"; flow:to_server,established; file_data; content:"|01 00 00 00 00 00 00 00 7B 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 64 00 00 00 FF FF FF FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-6543; classtype:denial-of-service; sid:45934; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Binutils objdump integer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 00 00 00 00 00 00 7B 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 64 00 00 00 FF FF FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-6543; classtype:denial-of-service; sid:45933; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Win.Ransomware.Rapid download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"R9zZwUnk1v5JRhOMddAPogx0yIVCOdxJ"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/125c2bcb0cd05512391a695f907669b2f55a8b69c9d4df2ce1b6c9c5a1395b61/; classtype:trojan-activity; sid:46397; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Win.Ransomware.Rapid download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"R9zZwUnk1v5JRhOMddAPogx0yIVCOdxJ"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/125c2bcb0cd05512391a695f907669b2f55a8b69c9d4df2ce1b6c9c5a1395b61/; classtype:trojan-activity; sid:46396; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt"; flow:to_server,established; file_data; content:"|02 02 7B 18 00 00 04 7E 37 00 00 0A 02 7B 1A 00 00 04 02 7B 1B 00 00 04 6F 38 00 00 0A 7D 1C 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8411; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8411; classtype:attempted-user; sid:48058; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt"; flow:to_client,established; file_data; content:"|02 02 7B 18 00 00 04 7E 37 00 00 0A 02 7B 1A 00 00 04 02 7B 1B 00 00 04 6F 38 00 00 0A 7D 1C 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8411; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8411; classtype:attempted-user; sid:48057; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt"; flow:to_server,established; file_data; content:"|6A 00 6A 00 68 7B 04 00 00 FF 35 BC A2 41 00 FF 15 3C 21 41 00 68 E8 03 00 00 FF 15 24 20 41 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8404; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8404; classtype:attempted-user; sid:47504; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt"; flow:to_client,established; file_data; content:"|6A 00 6A 00 68 7B 04 00 00 FF 35 BC A2 41 00 FF 15 3C 21 41 00 68 E8 03 00 00 FF 15 24 20 41 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8404; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8404; classtype:attempted-user; sid:47503; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt"; flow:to_server,established; file_data; content:"|48 8B 1D F1 9E 01 00 FF 15 F3 E6 00 00 48 8D 15 EC 5A 01 00 48 8B C8 FF 15 EB E6 00 00 48 8B CB FF D0|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8611; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8611; classtype:attempted-user; sid:48613; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt"; flow:to_client,established; file_data; content:"|48 8B 1D F1 9E 01 00 FF 15 F3 E6 00 00 48 8D 15 EC 5A 01 00 48 8B C8 FF 15 EB E6 00 00 48 8B CB FF D0|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8611; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8611; classtype:attempted-user; sid:48612; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|52 53 44 53 AC E2 DA 2C 27 7A A5 46 AA 56 A9 C5 AE 82 29 F3 01 00 00 00 43 3A 5C 55 73 65 72 73|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0574; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0574; classtype:attempted-admin; sid:48769; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|52 53 44 53 AC E2 DA 2C 27 7A A5 46 AA 56 A9 C5 AE 82 29 F3 01 00 00 00 43 3A 5C 55 73 65 72 73|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0574; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0574; classtype:attempted-admin; sid:48768; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows kernel user after free attempt"; flow:to_server,established; file_data; content:"|FF 84 C0 0F 84 36 01 00 00 40 32 F6 40 88 74 24 20 E8 5B B8 FF FF 8A D8 8B 0D 3A 4E 07 00 83 F9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0685; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0685; classtype:attempted-admin; sid:49689; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows kernel user after free attempt"; flow:to_client,established; file_data; content:"|FF 84 C0 0F 84 36 01 00 00 40 32 F6 40 88 74 24 20 E8 5B B8 FF FF 8A D8 8B 0D 3A 4E 07 00 83 F9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0685; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0685; classtype:attempted-admin; sid:49688; rev:1;)