# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# OS-WINDOWS RULES
#------------------
#
# Review notes (apply to the whole file):
#  * A rule whose line starts with "#" is commented out, i.e. shipped DISABLED.
#    It produces nothing until it is uncommented or enabled through a policy.
#  * "metadata:policy <name> drop" only takes effect in a deployment that loads
#    that named policy (balanced-ips / security-ips / max-detect-ips); in any
#    other policy the rule is a plain alert.
#  * In this copy several rules are wrapped across physical lines in the middle
#    of the rule. Snort expects one rule per line (or "\" line continuation),
#    so rejoin each rule onto a single line before loading the file.
#
# sid:41984 (enabled) - CVE-2017-0143 / MS17-010 (the EternalBlue bulletin).
# SMBv1 WriteAndX (command 0x2F) request to TCP/445 with the reply bit clear:
# the FID read after the AndX block must equal the MID extracted from the
# header, and two length-style fields must exceed 65000 and 500 respectively.
# Source is "any any" rather than $EXTERNAL_NET on purpose, so internal-to-
# internal SMB (lateral movement) is inspected as well; keep it that way.
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt"; flow:to_server,established; content:"|FF|SMB|2F 00 00 00 00|"; depth:9; offset:4; fast_pattern; byte_test:1,!&,0x80,0,relative; content:"|00 00 00 00 00 00 00 00 00 00|"; within:10; distance:5; byte_extract:2,6,mid,relative,little; content:"|FF 00|"; within:2; distance:1; byte_test:2,=,mid,2,relative,little; content:"|04 00|"; within:2; distance:12; byte_test:2,>,65000,0,relative,little; byte_test:2,>,500,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2017-0143; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41984; rev:5;)
# sid:41610 / 41609 / 41608 / 41607 (all disabled) - CVE-2017-0050 / MS17-017
# NtCreateProfile LPE. Each matches a fixed machine-code byte string from one
# exploit build inside file_data (41610/41608 on inbound SMTP, 41609/41607 on
# $FILE_DATA_PORTS downloads). Opcode fingerprints only catch that exact build;
# a recompiled or lightly edited exploit will not match, so treat these as
# low-coverage indicators rather than vulnerability detection.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt"; 
flow:to_server,established; file_data; content:"|8D 4C 24 60 48 8B D0 41 B9 4F 00 00 00 48 89 7C 24 28 C7 44 24 20 06 00 00 00 FF 15 47 FE FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-017; classtype:attempted-user; sid:41610; rev:4;)
# sid:41609 (disabled) - same byte string as 41610 (reads as x64 code: lea/mov
# with r9d = 0x4F, then an indirect call), for client-side downloads.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt"; flow:to_client,established; file_data; content:"|8D 4C 24 60 48 8B D0 41 B9 4F 00 00 00 48 89 7C 24 28 C7 44 24 20 06 00 00 00 FF 15 47 FE FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-017; classtype:attempted-user; sid:41609; rev:4;)
# sid:41608 (disabled) - second variant of the same exploit; the bytes read as
# a 32-bit x86 push/mov/and/sub sequence (push -1, push 0, push 4, ...,
# push 0x4F) split into several relative contents. Inbound SMTP.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt"; flow:to_server,established; file_data; content:"|6A FF 6A 00 6A 04 B8|"; content:"|25 00 F0 FF FF 83 E8 04 50 6A 06 B8|"; within:16; distance:4; content:"|6A 4F 83 E8 40 50 FF|"; content:"|50|"; within:1; distance:5; content:"|50 FF|"; within:2; distance:3; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-017; classtype:attempted-user; sid:41608; rev:4;)
# sid:41607 (disabled) - same 32-bit pattern as 41608, for client-side downloads.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt"; flow:to_client,established; file_data; content:"|6A FF 6A 00 6A 04 B8|"; content:"|25 00 F0 FF FF 83 E8 04 50 6A 06 B8|"; within:16; distance:4; content:"|6A 4F 83 E8 40 50 FF|"; content:"|50|"; within:1; distance:5; content:"|50 FF|"; within:2; distance:3; metadata:policy 
max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-017; classtype:attempted-user; sid:41607; rev:4;)
# sid:41592 (enabled) - CVE-2017-0047 / MS17-013 GDI LPE. Requires the
# flowbit file.exe, which is set by the file-type identification rules (not in
# this file); if those are not loaded this rule never fires. The body is again
# a fixed opcode sequence from one exploit build (pushes of constant 32-bit
# values that look like API-name hashes), so it is build-specific.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 01 68 EC BF EB 0A 8B|"; content:"|50 FF|"; within:2; distance:2; content:"|50 68 E6 22 69 F9 68 00 10 00 00 68 3B 1C 7B AA 8B|"; within:100; content:"|51 68 FF FF FF 7F 6A 00 8B|"; within:9; distance:2; content:"|52 FF|"; within:2; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0047; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-admin; sid:41592; rev:4;)
# sid:41591 (enabled) - same pattern as 41592 on inbound SMTP.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GDI privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 01 68 EC BF EB 0A 8B|"; content:"|50 FF|"; within:2; distance:2; content:"|50 68 E6 22 69 F9 68 00 10 00 00 68 3B 1C 7B AA 8B|"; within:100; content:"|51 68 FF FF FF 7F 6A 00 8B|"; within:9; distance:2; content:"|52 FF|"; within:2; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0047; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-admin; sid:41591; rev:4;)
# sid:41580 / 41579 (enabled) - CVE-2017-0024, CVE-2017-0026 / MS17-018
# DirectComposition double free. Fires on a PE (flowbit file.exe, set
# elsewhere) that contains both win32k syscall names
# NtDCompositionProcessChannelBatchBuffer and NtDCompositionCreateChannel
# plus the 6-byte encoding of "mov dword [ecx], 0xB". Any binary that embeds
# both names and that instruction would match, so expect occasional hits on
# non-malicious research/tooling binaries; the constant 0xB is what ties the
# match to the exploit's channel command, not the names alone.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows DirectComposition double free attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"NtDCompositionProcessChannelBatchBuffer"; fast_pattern:only; content:"NtDCompositionCreateChannel"; nocase; content:"|C7 01 0B 00 00 
00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0024; reference:cve,2017-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41580; rev:4;)
# sid:41579 (enabled) - same as 41580 for client-side downloads.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DirectComposition double free attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"NtDCompositionProcessChannelBatchBuffer"; fast_pattern:only; content:"NtDCompositionCreateChannel"; nocase; content:"|C7 01 0B 00 00 00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0024; reference:cve,2017-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-018; classtype:attempted-admin; sid:41579; rev:4;)
# sid:41572 / 41571 / 41570 (SMTP) and 41569 / 41568 / 41567 (download ports),
# all enabled - CVE-2017-0007 / MS17-012 Device Guard code-integrity bypass.
# Each matches the "Begin signature block" marker (as used by PowerShell's
# "# SIG # Begin signature block" trailer) followed within 100 bytes by one of
# three fixed base64 prefixes. "...YJKoZIhvcNAQcCoII..." is the base64 form of
# the PKCS#7 signedData OID 1.2.840.113549.1.7.2, so these pin the opening
# bytes of three specific signature blobs, i.e. three specific signed files -
# not the bypass technique itself. A file signed with any other certificate
# or any other content will not match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_server,established; file_data; content:"Begin signature block"; content:"MIIiEQYJKoZIhvcNAQcCoIIiAjCCIf4CA"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41572; rev:4;)
# sid:41571 (enabled) - second signature-blob prefix, inbound SMTP.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_server,established; file_data; content:"Begin signature block"; content:"MIIarQYJKoZIhvcNAQcCoIIanjCCGpoCA"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41571; rev:4;)
# sid:41570 (enabled) - third signature-blob prefix, inbound SMTP.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft 
Windows Device Guard code execution attempt"; flow:to_server,established; file_data; content:"Begin signature block"; content:"MIIa4AYJKoZIhvcNAQcCoIIa0TCCGs0C"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41570; rev:4;)
# sid:41569 (enabled) - download-port counterpart of 41572 (first blob prefix).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_client,established; file_data; content:"Begin signature block"; content:"MIIiEQYJKoZIhvcNAQcCoIIiAjCCIf4CA"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41569; rev:4;)
# sid:41568 (enabled) - download-port counterpart of 41571 (second blob prefix).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_client,established; file_data; content:"Begin signature block"; content:"MIIarQYJKoZIhvcNAQcCoIIanjCCGpoCA"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41568; rev:4;)
# sid:41567 (enabled) - download-port counterpart of 41570 (third blob prefix).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Device Guard code execution attempt"; flow:to_client,established; file_data; content:"Begin signature block"; content:"MIIa4AYJKoZIhvcNAQcCoIIa0TCCGs0C"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0007; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41567; rev:4;)
# sid:41596 / 41595 (disabled) - CVE-2017-0038 / MS17-011 EMF heap memory
# disclosure. Anchors on an EMF file: record type 1 (EMR_HEADER) at byte 0 and
# the " EMF" signature at byte 40, then a record type 0x50
# (EMR_SETDIBITSTODEVICE) within 150 bytes; cxSrc is pulled from +36 past the
# type and cbBitsSrc (16 bytes further on) must be smaller than it.
# Caveats: depth:4 means the EMF has to be the file_data itself, not an EMF
# embedded in another container; and the 0x50 record is found by a bare byte
# search within 150 bytes rather than by walking records, so a "50 00 00 00"
# inside a header field would anchor the test at the wrong place.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt"; flow:to_server,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; content:"|50 00 00 00|"; within:150; byte_extract:4,36,cxSrc,relative,little; byte_test:4,<,cxSrc,16,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0038; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-recon; sid:41596; rev:5;)
# sid:41595 (disabled) - same as 41596 for client-side downloads.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; content:"|50 00 00 00|"; within:150; byte_extract:4,36,cxSrc,relative,little; byte_test:4,<,cxSrc,16,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0038; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-011; classtype:attempted-recon; sid:41595; rev:5;)
# sid:27624 (disabled) - CVE-2013-3183 / MS13-065 ICMPv6 Router Advertisement
# DoS. Written with the "icmp" protocol keyword and itype:134 (RA), so it only
# works if the engine applies icmp rules to ICMPv6 - confirm for your version.
# Both ends are $HOME_NET because RAs are link-local traffic. The offsets
# appear to land on a Prefix Information option (03 04) followed 32 bytes
# later by an option with type 0x18 (Route Information) and length 2, and the
# byte_test then fires when the next byte (Prefix Length) is BELOW 0x41.
# RFC 4191 allows Prefix Length up to 64 for a length-2 Route Information
# option, so as written this would match well-formed options; verify the
# intended comparison (likely > 0x40) against a PoC before enabling.
# alert icmp $HOME_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft ICMPv6 mismatched prefix length and length field denial of service attempt"; itype:134; icode:0; content:"|03 04|"; depth:2; offset:12; content:"|18 02|"; within:2; distance:30; byte_test:1,<,0x41,0,relative; reference:cve,2013-3183; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-065; classtype:denial-of-service; sid:27624; rev:2;)
# sid:272 (disabled, community) - CVE-1999-0918 / MS99-034 fragmented IGMP DoS.
# Matches ANY IGMP datagram (ip_proto 2) from $EXTERNAL_NET with the More
# Fragments bit set; there is no payload check, so this is a noisy indicator
# of fragmented IGMP rather than detection of a specific exploit.
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft WIndows IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:ruleset community; reference:bugtraq,514; reference:cve,1999-0918; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-034; classtype:attempted-dos; sid:272; rev:16;)
# sid:3442 (disabled, community) - CVE-2000-0232 / MS00-021 LPD (TCP/515)
# overflow. Payload must start with an LPD command byte 0x03/0x04/0x05 and
# contain a NUL and then a newline within 497 bytes each. Loose heuristic;
# classtype is attempted-dos although the message says "overflow".
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-WINDOWS Microsoft Windows TCP print service overflow attempt"; flow:to_server,established; pcre:"/^(\x03|\x04|\x05)/s"; content:"|00|"; within:497; content:"|0A|"; within:497; metadata:ruleset community; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-021; classtype:attempted-dos; sid:3442; rev:11;)
# sid:20132 (disabled) - CVE-2011-1267 / MS11-048 SMB2 zero-length write.
# A segment to TCP/445 that is exactly 4 bytes long (isdataat:!4) and reads
# 00 80 00 00 - a NetBIOS session header claiming an 0x800000-byte message
# with no body following it. No metadata:service, so port 445 is the only
# selector.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows Vista SMB2 zero length write attempt"; flow:established, to_server; isdataat:!4; content:"|00 80 00 00|"; depth:4; reference:cve,2011-1267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-048; classtype:attempted-admin; sid:20132; rev:3;)
# sid:26922 (disabled) - CVE-2013-3660 / MS13-053 FlattenPath LPE. Matches
# only the console log strings "[!] %s", "[*] %s", "[+] %s", "[?] %s" in a
# downloaded file. Those strings are generic to many tools and PoCs and have
# nothing to do with the vulnerable code path, so expect false positives and
# trivial evasion; no policy is set to drop on it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt"; flow:to_client,established; file_data; content:"[!] %s"; content:"[*] %s"; content:"[+] %s"; content:"[?] 
%s"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3660; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-admin; sid:26922; rev:5;)
# sid:26069 / 26068 (disabled) - CVE-2012-0013 / MS12-005 Object Packager /
# ClickOnce RCE. Requires BOTH flowbits file.ppsx and file.zip (set by the
# file-type rules, not here), then a fixed "uuid:48fd9e68-..." and a fixed
# timestamp string. That is the metadata of one known sample; an attacker
# changes either value and the rule is blind.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_server,established; flowbits:isset,file.ppsx&file.zip; file_data; content:"uuid:48fd9e68-0958-11dc-9770-9797abb443b9"; fast_pattern:only; content:"2007-05-23T15:06:10-03:00"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:26069; rev:5;)
# sid:26068 (disabled) - same as 26069 for client-side downloads.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppsx&file.zip; file_data; content:"uuid:48fd9e68-0958-11dc-9770-9797abb443b9"; fast_pattern:only; content:"2007-05-23T15:06:10-03:00"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:26068; rev:5;)
# sid:26067 / 26066 (disabled) - second variant for any OOXML type
# (docm/docx/ppsx/pptx/xlsx, plus file.zip) containing the fixed string
# "mx5a0ecw!9jX" (|21| is "!"). Again a fingerprint of one sample.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_server,established; flowbits:isset,file.docm|file.docx|file.ppsx|file.pptx|file.xlsx; flowbits:isset,file.zip; file_data; content:"mx5a0ecw|21|9jX"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:26067; rev:5;)
# sid:26066 (disabled) - same as 26067 for client-side downloads.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS 
Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; flowbits:isset,file.docm|file.docx|file.ppsx|file.pptx|file.xlsx; flowbits:isset,file.zip; file_data; content:"mx5a0ecw|21|9jX"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:26066; rev:5;)
# sid:25567 (disabled) - CVE-2011-1263 / MS11-061 RD Web Access reflected XSS
# via POST. The URI content is case-sensitive and hard-codes the en-US path
# (/RDWeb/Pages/en-US/login.aspx), so other locales are not covered. The body
# must carry ReturnUrl= followed by a quote/angle-bracket/paren (raw or
# %-encoded) or the substrings script/onload/src - bare substrings, so a
# benign value containing e.g. "description" (contains "script") also fires.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - POST request"; flow:to_server,established; content:"/RDWeb/Pages/en-US/login.aspx"; fast_pattern:only; http_uri; content:"ReturnUrl="; nocase; http_client_body; pcre:"/(^|&)ReturnUrl=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3C|%3E|%28|%29|%73%63%72%69%70%74|%6f%6e%6c%6f%61%64|%73%72%63|script|onload|src)/Pi"; metadata:service http; reference:cve,2011-1263; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-061; classtype:web-application-attack; sid:25567; rev:3;)
# sid:25369 (disabled, no CVE listed) - NVIDIA "nvsr" named-pipe overflow.
# SMB NT_CREATE_ANDX (0xA2) request (reply bit clear) whose path ends in
# "\nvsr" in UTF-16LE.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS NVIDIA graphics driver nvsr named pipe buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,128,0,relative; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:10; content:"|5C 00|n|00|v|00|s|00|r"; within:9; distance:49; metadata:service netbios-ssn; classtype:attempted-user; sid:25369; rev:7;)
# sid:24656 (disabled) - CVE-2012-2519 / MS12-074 .NET fully-qualified
# assembly name load over SMB: NT_CREATE_ANDX for "System.Data.dll," in
# UTF-16LE (the trailing comma is what marks a fully-qualified name). Both
# source and destination are $HOME_NET - it watches internal clients opening
# the DLL from an internal share. Unlike the sibling SMB rules the SMB header
# content here has no depth/offset anchor.
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft .NET fully qualified System.Data.dll assembly name exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"S|00|y|00|s|00|t|00|e|00|m|00|.|00|D|00|a|00|t|00|a|00|.|00|d|00|l|00|l|00|,|00|"; fast_pattern:only; metadata:service 
netbios-ssn; reference:cve,2012-2519; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-074; classtype:attempted-user; sid:24656; rev:1;)
# sid:24655 (disabled) - HTTP/WebDAV counterpart of 24656: an OUTBOUND
# ($HOME_NET -> $EXTERNAL_NET) request whose URI contains "/System.Data.dll,".
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft .NET fully qualified System.Data.dll assembly name exploit attempt"; flow:to_server,established; content:"|2F|System.Data.dll,"; nocase; http_uri; metadata:service http; reference:cve,2012-2519; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-074; classtype:attempted-user; sid:24655; rev:1;)
# sid:24490 / 24489 / 24488 (disabled) - CVE-2009-2510 / MS09-056 CryptoAPI
# null-byte commonName spoofing. In the server certificate (ssl_state:
# server_hello, source port 443 only) find the commonName OID 2.5.4.3
# (55 04 03) followed by the string tag - PrintableString 0x13, UTF8String
# 0x0C or BMPString 0x1E - read the one-byte DER length, and look for a NUL
# (00, or 00 00 for BMPString) inside the name. Limits: a one-byte length
# means CNs of 128+ bytes use long-form DER and are skipped; nothing is seen
# on other ports or when the certificate is encrypted (TLS 1.3); and for
# BMPString an unaligned "00 00" across two non-ASCII code units also matches.
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CryptoAPI common name spoofing attempt"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 03 13|"; byte_extract:1,0,namelen,relative; content:"|00|"; within:namelen; metadata:service ssl; reference:cve,2009-2510; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-056; classtype:misc-attack; sid:24490; rev:3;)
# sid:24489 (disabled) - UTF8String (0x0C) variant.
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CryptoAPI common name spoofing attempt"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 03 0C|"; byte_extract:1,0,namelen,relative;  content:"|00|"; within:namelen; metadata:service ssl; reference:cve,2009-2510; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-056; classtype:misc-attack; sid:24489; rev:3;)
# sid:24488 (disabled) - BMPString (0x1E) variant, looks for a 16-bit NUL.
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CryptoAPI common name spoofing attempt"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 03 1E|"; byte_extract:1,0,namelen,relative; content:"|00 00|"; within:namelen; metadata:service ssl; reference:cve,2009-2510; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-056; classtype:misc-attack; sid:24488; rev:3;)
# sid:24401 (disabled) - CVE-2003-0719 / MS04-011 PCT 1.0 Client_Hello
# overflow on SSL and SMTP/STARTTLS ports: a fixed PCT handshake prefix at
# offset 2 followed by a 2-byte big-endian field greater than 32768.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,465,993,995] (msg:"OS-WINDOWS PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02 BD 00 01 00 
01 00 16 8F|"; depth:10; offset:2; byte_test:2,>,32768,0,relative; metadata:service smtp, service ssl; reference:bugtraq,10116; reference:cve,2003-0719; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:24401; rev:2;)
# sid:24360 (disabled) - CVE-2012-2551 / MS12-069 Kerberos NULL-session DoS.
# Depends on flowbit smb.null_session, which is set ONLY by sid:24359 below;
# enabling this rule without 24359 yields nothing. Matches a Session Setup
# AndX (0x73) carrying the MS KRB5 OID 1.2.840.48018.1.2.2, the Kerberos V5
# OID 1.2.840.113554.1.2.2 and the 1.3.6.1.4.1.311.2.2 (NTLMSSP) prefix in
# its SPNEGO mech list.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Kerberos NULL session denial of service attempt"; flow:to_server,established; flowbits:isset,smb.null_session; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"|2A 86 48 82 F7 12 01 02 02|"; fast_pattern; content:"|2A 86 48 86 F7 12 01 02 02|"; within:9; distance:2; content:"|2B 06 01 04 01 82 37 02 02|"; within:9; distance:2; metadata:service netbios-ssn; reference:cve,2012-2551; reference:url,attack.mitre.org/techniques/T1097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-069; classtype:attempted-dos; sid:24360; rev:4;)
# sid:24359 (enabled, community) - CVE-2000-0347 NTLM NULL session. Matches
# an NTLMSSP type 3 (AUTHENTICATE) message in Session Setup AndX whose field
# 24 bytes past the type (the UserName length/maxlen/offset triple) is
# 0/0/0x48, i.e. an empty user name. flowbits:noalert means this rule never
# raises an event itself - it only sets smb.null_session for 24360. Do not
# "fix" it by removing noalert unless you want an alert per anonymous logon.
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"NTLMSSP|00 03 00 00 00|"; within:100; content:"|00 00 00 00 48 00 00 00|"; within:8; distance:24; fast_pattern; flowbits:set,smb.null_session; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:24359; rev:6;)
# sid:24137 .. 24131 (disabled) - CVE-2012-1892 / MS12-061 TFS Web Access XSS.
# Seven copies differing only in the page name (scc/diff/view/ann/QE/build/
# Q.aspx, all nocase substring matches on the URI) with a "name=" parameter
# whose value contains a quote/angle-bracket/paren or the substrings
# script/onload/src. Substring matching cuts both ways: "view.aspx" also
# matches preview.aspx/overview.aspx and "q.aspx" matches faq.aspx, and a
# value such as name=description (contains "script") trips the pcre.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"scc.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24137; rev:5;)
# sid:24136 (disabled) - diff.aspx copy of the TFS Web Access XSS rule.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"diff.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24136; rev:5;)
# sid:24135 (disabled) - view.aspx copy (also matches preview.aspx etc.).
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"view.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24135; rev:5;)
# sid:24134 (disabled) - ann.aspx copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"ann.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24134; rev:5;)
# sid:24133 (disabled) - QE.aspx copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"QE.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24133; rev:5;)
# sid:24132 (disabled) - build.aspx copy of the TFS Web Access XSS rule.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"build.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24132; rev:5;)
# sid:24131 (disabled) - Q.aspx copy; the nocase substring "q.aspx" also
# matches any URI such as faq.aspx, so expect noise if enabled.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; content:"Q.aspx"; nocase; http_uri; content:"name="; distance:0; nocase; http_uri; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24131; rev:5;)
# sid:24128 (disabled) - CVE-2012-2536 / MS12-062 SCCM ReportChart.asp XSS.
# Note the pcre tests the parameter AFTER "ReportID=<digits>&", not ReportID
# itself; same bare-substring caveat (script/onload/src) as the rules above.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft SCCM ReportChart xss attempt"; flow:to_server,established; content:"/ReportChart.asp?"; nocase; http_uri; content:"ReportID="; nocase; http_uri; pcre:"/[?&]ReportID=\d+?&[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-2536; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-062; classtype:web-application-attack; sid:24128; rev:8;)
# WebDAV invalid-character argument injection (disabled; sid not visible in
# this copy). It depends on flowbit ms.webdav.propfind, set by sid:24089.
# DATA-LOSS NOTE: in this copy the rule text is cut off right after
# 'content:"' and runs straight into the header of the next rule - everything
# up to ' $EXTERNAL_NET $HTTP_PORTS' is missing (it looks like an HTML
# extraction stripped a <...> span), including this rule's sid/references
# and 24089's 'alert tcp $HOME_NET any ->' header. Neither rule can be loaded
# from this file as-is; restore both from an intact copy of the ruleset.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WebDAV invalid character argument injection attempt"; flow:to_client,established; flowbits:isset,ms.webdav.propfind; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft WebDAV PROPFIND request"; flow:to_server,established; content:"PROPFIND"; http_method; content:"User-Agent: 
Microsoft-WebDAV"; fast_pattern:only; http_header; flowbits:set,ms.webdav.propfind; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24089; rev:6;)
# sid:23951 / 23950 (disabled) - CVE-2011-1966 / MS11-058 DNS NAPTR RCE.
# A UDP DNS response (source port 53; byte_test 0x80 at offset 2 = QR bit set;
# 0x7a0f mask clear = standard opcode, not truncated, RCODE 0) whose first
# answer is a pointer to the question name (C0 0C) of type 35 (NAPTR), class
# IN. In NAPTR RDATA (order, preference, flags, services, regexp,
# replacement): 23950 fires when the Flags string length byte (10 past the RR
# type/class) exceeds 0x7f; 23951 jumps over Flags and Services and fires
# when the Regexp length byte exceeds 0x7f. UDP only - responses delivered
# over TCP after truncation are not inspected.
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt"; flow:to_client; content:"|C0 0C 00 23 00 01|"; offset:16; byte_test:1,&,0x80,2; byte_test:2,!&,0x7a0f,2; byte_jump:1,10,relative; byte_jump:1,0,relative; byte_test:1,>,0x7f,0,relative; metadata:service dns; reference:cve,2011-1966; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-058; classtype:attempted-admin; sid:23951; rev:4;)
# sid:23950 (disabled) - Flags-length variant, see above.
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt"; flow:to_client; content:"|C0 0C 00 23 00 01|"; offset:16; byte_test:1,&,0x80,2; byte_test:2,!&,0x7a0f,2; byte_test:1,>,0x7f,10,relative; metadata:service dns; reference:cve,2011-1966; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-058; classtype:attempted-admin; sid:23950; rev:5;)
# sid:23846 (disabled) - CVE-2012-2526 / MS12-053 RDP freed-memory write.
# MCS Connect-Initial BER header (7F 65 ...) to TCP/3389 with a 4-byte value
# 7 bytes on that exceeds 0x22, then a run of at least 532 NUL bytes (20 via
# content + 512 via the anchored pcre). Only visible when the session uses
# plain RDP security; if TLS/CredSSP is negotiated the MCS PDU is encrypted
# and this rule cannot see it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows Terminal server RDP freed memory write attempt"; flow:to_server,established; content:"|7F 65 82 01 94 04 01 01 04 01 01|"; fast_pattern; byte_test:4,>,0x22,7,relative; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:1024; isdataat:512,relative; pcre:"/^\x00{512}/R"; metadata:policy security-ips drop, service rdp; reference:cve,2012-2526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-053; classtype:attempted-admin; sid:23846; rev:5;)
# sid:23837 (disabled) - CVE-2012-1851 / MS12-054 browser host-announcement
# format string. NetBIOS datagram (type 0x11) on UDP 138/139 carrying an SMB
# Transaction (0x25 = "%") to \MAILSLOT\BROWSE with opcode 0x01
# (HostAnnouncement), whose NUL-terminated text contains a printf-style
# "%" directive (optional N$ position and width, conversion n/x/c/s/d).
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,139] (msg:"OS-WINDOWS Microsoft Windows SMB host announcement format string exploit attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00 00|"; distance:11; content:"|FF|SMB%|00 00 00 00|"; within:9; distance:68; content:"|5C|MAILSLOT|5C|BROWSE|00 
01|"; within:18; distance:60; content:"%"; within:16; distance:5; content:"|5C|MAILSLOT|5C|BROWSE|00 01|"; depth:18; offset:151; pcre:"/^.{5}[^\x00]*?\%(\d+\x24)?(\d+)?[nxcsd][^\x00]*?\x00/smiR"; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1851; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-admin; sid:23837; rev:7;)
# sid:23437 (UDP) / 23436 (TCP) (disabled) - CVE-2004-0202 DirectPlay 4 DoS on
# ports 2300-2400: "play" signature, the words 0x002D / 0x000B, eight NUL
# bytes, and a following dword that is NOT 0x00000018. No metadata:service,
# so the port range is the only selector.
# alert udp $EXTERNAL_NET any -> $HOME_NET [2300:2400] (msg:"OS-WINDOWS Microsoft Windows DirectX IDirectPlay4 denial of service attempt"; flow:to_server; content:"play"; depth:4; content:"|2D 00 0B 00|"; within:4; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; content:!"|18 00 00 00|"; within:4; reference:cve,2004-0202; classtype:attempted-dos; sid:23437; rev:3;)
# sid:23436 (disabled) - TCP variant of 23437.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2300:2400] (msg:"OS-WINDOWS Microsoft Windows DirectX IDirectPlay4 denial of service attempt"; flow:to_server,established; content:"play"; depth:4; content:"|2D 00 0B 00|"; within:4; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; content:!"|18 00 00 00|"; within:4; reference:cve,2004-0202; classtype:attempted-dos; sid:23436; rev:3;)
# DATA-LOSS NOTE: the "large image resize denial of service" rule below is
# cut off in this copy right after 'content:"' and runs into the next DHCP
# rule; everything up to ' any 67' is missing, including this rule's
# content/sid and the DHCP rule's header (presumably 'alert udp any any ->',
# by analogy with sid:23232). Neither can be loaded as-is - restore from an
# intact copy.
# sid:23233 (disabled) - CVE-2004-0900 / MS04-042 DHCP client-identifier
# length overflow in a DHCPREQUEST (option 53 = 3). Note "any any -> any 67":
# direction is unconstrained. Option 53 must be the FIRST option after the
# magic cookie (within:3), and option 61 (0x3D) is then located by a bare
# byte search, so a 0x3D inside another option's value can mis-anchor the
# length test (false positive or miss).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows large image resize denial of service attempt"; flow:to_client,established; file_data; content:" any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 03|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,252,0,relative; isdataat:252,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0900; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-user; sid:23233; rev:4;)
# sid:23232 (disabled) - same check for DHCPDISCOVER (option 53 = 1).
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt"; flow:to_server; content:"|63 82 53 63|"; 
depth:4; offset:236; content:"|35 01 01|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,252,0,relative; isdataat:252,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0900; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-user; sid:23232; rev:4;)
# sid:23231 (disabled) - CVE-2004-0899 / MS04-042 DHCPREQUEST hostname
# (option 12) longer than 150 bytes. Both 0x3D and 0x0C are found by bare
# byte searches after the message-type option (same mis-anchoring caveat).
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 03|"; within:3; content:"|3D|"; distance:0; content:"|0C|"; distance:0; byte_test:1,>,150,0,relative; isdataat:150,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0899; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-dos; sid:23231; rev:4;)
# sid:23230 (disabled) - CVE-2004-0899 DHCPREQUEST client identifier
# (option 61) longer than 60 bytes with hardware-type byte 0x01, at least 60
# bytes present, and an option-12 byte somewhere after it.
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 03|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,60,0,relative; content:"|01|"; within:1; distance:1; isdataat:60,relative; content:"|0C|"; distance:0; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0899; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-dos; sid:23230; rev:5;)
# sid:23163 / 23162 (disabled) - CVE-2012-1849 / MS12-039 Lync DLL preloading.
# Internal client ($HOME_NET -> $HOME_NET) sending an SMB NT_CREATE_ANDX for
# wlanapi.dll / ncrypt.dll (UTF-16LE, NUL-terminated) on an internal share.
# Any legitimate load of those DLLs from a network share would also match.
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"w|00|l|00|a|00|n|00|a|00|p|00|i|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-1849; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-039; classtype:attempted-user; sid:23163; rev:6;)
# sid:23162 (disabled) - ncrypt.dll variant of 23163.
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt"; 
flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"n|00|c|00|r|00|y|00|p|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-1849; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-039; classtype:attempted-user; sid:23162; rev:6;)
# sid:22090 (disabled) - CVE-2012-0162 / MS12-034 malicious XBAP. Matches a
# downloaded .NET assembly that references the framework public key token
# b77a5c561934e089 and the specific member/type names used by the known
# exploit (ICollection.get_Count, TryGetGlyphTypeface, GlyphRun,
# ComputeInkBoundingBox). Sample-specific; renamed members evade it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft .NET framework malicious XBAP attempt"; flow:to_client,established; file_data; content:"PublicKeyToken=b77a5c561934e089"; fast_pattern:only; content:"System.Collections.Generic.ICollection.get_Count"; content:"TryGetGlyphTypeface|00|Exception|00|WindowsBase|00|Point|00|GlyphRun|00|IList|60 31 00|"; distance:0; content:"ComputeInkBoundingBox"; distance:0; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0162; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-034; classtype:attempted-user; sid:22090; rev:5;)
# sid:22079 (disabled) - CVE-2012-0160 / MS12-035 EvidenceBase RCE. Matches
# the type names "MyEvidence" / "MyAssembly" 9 bytes after some NUL byte -
# names that look like a published PoC's placeholders, so any rebuilt sample
# with different names evades it. The leading content:"|00|" is a very weak
# anchor (any NUL in the file).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft .NET framework EvidenceBase class remote code execution attempt"; flow:to_client,established; file_data; content:"|00|"; content:"|00|MyEvidence|00|MyAssembly|00|De"; within:25; distance:9; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0160; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-035; classtype:attempted-user; sid:22079; rev:6;)
# sid:21754 (disabled) - CVE-2010-2561 / MS10-051 MSXML2 malformed HTTP
# response: file_data beginning with the literal "HTTP t_" and a CRLF exactly
# 155 bytes in (7 + distance 148).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response"; flow:to_client,established; file_data; content:"HTTP t_"; depth:7; content:"|0D 0A|"; within:2; distance:148; metadata:policy max-detect-ips drop, service http; reference:cve,2010-2561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-051; classtype:attempted-dos; sid:21754; rev:8;)
# sid:21567 (disabled) - CVE-2012-0016 / MS12-022 Expression Design DLL
# preloading: OUTBOUND ($HOME_NET -> $EXTERNAL_NET) HTTP request whose URI
# contains "/wintab32.dll" (nocase). Any download of a file by that name,
# including legitimate tablet-driver installs, matches; the interesting
# signal is a request for it from a WebDAV/share path during an app launch.
# alert 
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Expression Design wintab32.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wintab32.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0016; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-022; classtype:attempted-user; sid:21567; rev:7;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"w|00|i|00|n|00|t|00|a|00|b|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-0016; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-022; classtype:attempted-user; sid:21566; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 Find_First2 filename overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|00 00 00 16 00 56 05 07 00 04 01 00 00 00 00|"; within:15; distance:60; isdataat:564,relative; content:!"|00 00|"; within:564; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:attempted-admin; sid:21529; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows OLEAUT32.DLL malicious WMF file remote code execution attempt"; flow:to_server,established; file_data; content:"|6C 74 01 00|"; depth:4; byte_test:4,<,60,0,relative,little; metadata:service smtp; reference:cve,2011-0658; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-038; classtype:attempted-user; sid:21357; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft product fputlsat.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|fputlsat.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0029; reference:cve,2011-0107; reference:cve,2011-1980; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-017; classtype:attempted-user; sid:21310; rev:7;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"f|00|p|00|u|00|t|00|l|00|s|00|a|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-0029; reference:cve,2011-0107; reference:cve,2011-1980; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-017; classtype:attempted-user; sid:21309; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|STI.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-5082; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; 
reference:url,shinnai.altervista.org/exploits/SH-006-20100914.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-012; classtype:attempted-user; sid:21290; rev:10;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"|5C 00|S|00|T|00|I|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-5082; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,shinnai.altervista.org/exploits/SH-006-20100914.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-012; classtype:attempted-user; sid:21289; rev:11;) # alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_client,established; content:"|4F 54 54 4F 00 0B 00 80 00 03 00 30 43 46 46 20 0C 1B 55 C1 00 00 0C 54 00 00 AC F2 47 50 4F 53 55 19 E1 1E 00 00 C1 50 00 00 2C 1C 47 53 55 42|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:21281; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC ISystemActivate flood attempt"; flow:to_server,established,only_stream; content:"|00|"; depth:1; offset:2; dce_iface:000001a0-0000-0000-c000-000000000046; dce_stub_data; content:"MEOW"; detection_filter:track by_src, count 100, seconds 5; metadata:service netbios-ssn; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-012; classtype:protocol-command-decode; sid:21262; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows remote desktop oversized cookie attempt"; flow:to_server,established; content:"|03 00 00 27 22 E0|"; fast_pattern; content:"Cookie:"; distance:0; nocase; content:"mstshash="; distance:0; nocase; content:"Cookie:"; distance:0; nocase; isdataat:129; content:!"|0D 0A|"; within:129; reference:bugtraq,14259; reference:cve,2005-1218; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-041; classtype:attempted-dos; sid:21089; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows remote desktop denial of service attempt"; flow:to_server,established; content:"|30|"; depth:1; content:"|03 00 00 27 22 E0|"; within:6; distance:1; content:"mstshash="; distance:0; nocase; reference:bugtraq,14259; reference:cve,2005-1218; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-041; classtype:attempted-dos; sid:21088; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt"; flow:to_server,established; content:"|2F|packager.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-002; classtype:attempted-user; sid:20879; rev:7;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"p|00|a|00|c|00|k|00|a|00|g|00|e|00|r|00|.|00|e|00|x|00|e|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-002; classtype:attempted-user; sid:20878; 
rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player DirectShow MPEG-2 memory corruption attempt"; flow:to_client,established; file_data; content:"|00 03 00 00 11 20|"; depth:6; byte_test:4,>,32,0,relative; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:20744; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] (msg:"OS-WINDOWS Microsoft Windows Active Directory Crafted LDAP ModifyRequest"; flow:to_server,established; content:"0|83|"; depth:2; content:"|66 84|"; within:16; byte_test:3,>,0x0F0000,2; metadata:policy max-detect-ips drop; reference:cve,2007-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-039; classtype:attempted-admin; sid:20671; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"OS-WINDOWS Microsoft Windows RSH daemon buffer overflow attempt"; flow:to_server,established; isdataat:1032; content:"|00|"; depth:1; content:"|00|"; within:1; distance:1; content:"|00|"; within:1; distance:1; reference:cve,2007-4005; reference:cve,2007-4006; classtype:attempted-admin; sid:20603; rev:4;) # alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows IppRateLimitIcmp integer overflow exploit attempt"; icode:3; itype:3; detection_filter:track by_src,count 500,seconds 15; reference:cve,2011-2013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-083; classtype:attempted-dos; sid:20543; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Forefront UAG NLSessionS cookie overflow attempt"; flow:to_server,established; content:"NLSessionS"; pcre:"/(NLSessionS[^=\s]*)\s*=\s*\x3B.*\1\s*=[^\s\x3B]/C"; metadata:service http; reference:cve,2011-2012; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:attempted-dos; sid:20272; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1478 (msg:"OS-WINDOWS Microsoft Windows Host Integration Server SNA length dos attempt"; flow:to_server; content:"|01|"; depth:1; offset:2; byte_test:2,>,16,55,little; reference:cve,2011-2007; reference:cve,2011-2008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-082; classtype:attempted-dos; sid:20271; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft generic javascript handler in URI XSS attempt"; flow:to_server,established; content:"javascript|3A|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1897; reference:cve,2012-0017; reference:cve,2015-6099; reference:cve,2016-3212; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-118; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:20258; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft ForeFront UAG ExcelTable.asp XSS attempt"; flow:to_server,established; content:"ExcelTable.asp"; fast_pattern:only; http_uri; content:"tableData="; nocase; http_client_body; pcre:"/^[^\&\r\n]*[<\(][^\&\r\n]+[\)>]/R"; metadata:service http; reference:cve,2011-1896; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:attempted-user; sid:20257; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 50002 (msg:"OS-WINDOWS Microsoft Forefront UAG http response splitting attempt"; flow:to_server,established; content:"/ExcelTable.asp"; nocase; content:"table="; distance:0; content:"%0d%0a"; distance:0; nocase; pcre:"/table=.*\x250d\x250a.*HTTP\/1/smi"; reference:cve,2011-1895; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:attempted-user; sid:20256; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|oleacc.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-1247; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-075; classtype:attempted-user; sid:20254; rev:9;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt"; flow:to_server,established; content:"o|00|l|00|e|00|a|00|c|00|c|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-1247; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-075; classtype:attempted-user; sid:20253; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET [1027:1050] (msg:"OS-WINDOWS Microsoft Windows WINS internal communications on network exploit attempt"; flow:to_server,no_stream; dsize:24; content:"|00 00 00|"; depth:3; offset:1; byte_test:1,<,2,0; detection_filter:track by_src,count 10, seconds 2; reference:cve,2011-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-070; classtype:attempted-user; sid:20120; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|deskpan.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-1991; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; 
reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-071; classtype:attempted-user; sid:20119; rev:9;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt"; flow:to_server,established; content:"d|00|e|00|s|00|k|00|p|00|a|00|n|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-1991; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-071; classtype:attempted-user; sid:20118; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Report Viewer reflect XSS attempt"; flow:to_server,established; content:"ReportID|3D|"; nocase; http_uri; content:"ControlID|3D|"; nocase; http_uri; content:"TimerMethod|3D|"; nocase; http_uri; pcre:"/TimerMethod\x3D[^\x26]*[\x3C\x28\x22\x27]/Ui"; metadata:service http; reference:cve,2011-1976; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-067; classtype:attempted-user; sid:19681; rev:4;) # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt"; flow:to_client; content:"|00 23 00 01|"; depth:10; offset:34; byte_test:1,&,0x80,2; byte_test:2,!&,0x7a0f,2; pcre:"/^.{28}\x00[\xff\x23]\x00\x01(.{2}|.{8})\x00\x23\x00\x01/"; byte_jump:1,10,relative; byte_jump:1,0,relative; byte_test:1,>,128,0,relative; metadata:service dns; reference:cve,2011-1966; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-058; classtype:attempted-admin; sid:19677; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt"; flow:to_server,established; 
content:"|2F|bidlab.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-1975; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-059; classtype:attempted-user; sid:19674; rev:8;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt"; flow:to_server,established; content:"b|00|i|00|d|00|l|00|a|00|b|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-1975; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-059; classtype:attempted-user; sid:19673; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - GET request"; flow:to_server,established; content:"/RDWeb/Pages/en-US/login.aspx"; fast_pattern:only; http_uri; content:"ReturnUrl="; nocase; http_uri; pcre:"/[?&]ReturnUrl=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2011-1263; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-061; classtype:web-application-attack; sid:19665; rev:10;) # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft invalid message kernel-mode memory disclosure attempt"; flow:to_client,established; file_data; content:"|79 29 00 00 E9 D8 38 00 00 E9 E0 11 00 00 E9 5E 72 00 00 E9 99 71 00 00 E9 47 31 00 00 E9 55 6E 00 00 E9 A9 57 00 00 E9 CC 37 00 00 E9 AB 9C 00|"; fast_pattern:only; metadata:service http; reference:cve,2011-1886; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-054; 
classtype:attempted-user; sid:19469; rev:6;) # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft stale data code execution attempt"; flow:to_client,established; file_data; content:"|00 74 02 EB 19 68 00 B0 40 00 E8 1E 01 00 00 83 C4 04 8B 4D 08 51 FF 15 BC CA 40 00 EB 18 8B 55 14 52 8B 45 10 50 8B 4D 0C 51 8B 55 08 52 FF 15|"; fast_pattern:only; metadata:service http; reference:cve,2011-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-054; classtype:attempted-user; sid:19468; rev:6;) # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft CSRSS NULL Fontface pointer attempt"; flow:to_client,established; file_data; content:"|00 74 02 EB 19 68 00 B0 40 00 E8 28 01 00 00 83 C4 04 8B 4D 08 51 FF 15 14 81 40 00 EB 18 8B 55 14 52 8B 45 10 50 8B 4D 0C 51 8B 55 08 52 FF 15|"; fast_pattern:only; metadata:service http; reference:cve,2011-1874; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-054; classtype:attempted-user; sid:19467; rev:6;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Visio mfc71 dll-load attempt"; flow:to_server,established; content:"m|00|f|00|c|00|7|00|1|00|"; fast_pattern; nocase; content:".|00|d|00|l|00|l|00|"; within:14; nocase; metadata:service netbios-ssn; reference:cve,2010-3148; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-055; classtype:attempted-user; sid:19465; rev:10;) # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft CSRSS integer overflow attempt"; flow:to_client,established; file_data; content:"|66 89 4D E6 C7 45 E0 00 00 00 80 8D 55 E0 52 8B 45 E4 50 68 00 00 00 80 8D 4D F8 51 8B 55 DC 52|"; fast_pattern:only; metadata:service http; reference:cve,2011-1870; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; 
classtype:attempted-user; sid:19464; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CSRSS double free attempt"; flow:to_client,established; file_data; content:"|4A 10 33 C0 8B 4D FC 66 89 41 16 33 D2 8B 45 FC 66 89 50 12 8B 4D FC C7 41 0C 11 14 14 14 6A 1C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1284; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19463; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CSRSS negative array index code execution attempt"; flow:to_client,established; file_data; content:"|45 E0 00 80 00 00 C7 45 E4 0A 00 00 00 C7 45 E8 00 00 00 00 8B F4 8D 45 DC 50 FF 15 A8 81 41 00 3B F4 E8 3A FD FF FF 89 45 F4 8B F4 FF 15 A4 81|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19462; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft CSRSS NULL Fontface pointer attempt"; flow:to_client,established; file_data; content:"|74 02 EB 19 68 00 00 01 00 0F B7 45 EC 50 68 D0 F0 42 00 E8 DA F3 FF FF 83 C4 0C EB A1 0F B7 45|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1282; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-056; classtype:attempted-user; sid:19461; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CSRSS multiple consoles on a single process attempt"; flow:to_client,established; file_data; content:"|50 92 40 00 E8 8E 04 00 00 83 C0 40 50 E8 F9 03 00 00 83 C4 0C 6A 01 E8 87 03 00 00 68 9C 92 40|"; fast_pattern:only; metadata:service http; reference:cve,2011-1281; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-056; classtype:attempted-user; sid:19460; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Visual Studio information disclosure attempt"; flow:to_client,established; file_data; content:"\w+)\s+SYSTEM\s+\x22[a-zA-Z]\x3A\x5C.*?\x3C\x21ENTITY\s+\w+\s+SYSTEM\s+\x22[hH][tT]{2}[pP]\x3A\x2f{2}[^\x22]*\x3D\x26(?P=name)/s"; metadata:service http; reference:cve,2011-1280; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-049; classtype:misc-attack; sid:19234; rev:6;) # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Smb2Create_Finalize malformed EndOfFile field exploit attempt"; flow:to_client,established; content:"|FE|SMB|40 00|"; nocase; content:"|05 00|"; within:2; distance:6; content:"|59 00|"; within:2; distance:50; byte_test:1,>,0x80,53,relative; metadata:service netbios-ssn; reference:cve,2011-1268; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-043; classtype:attempted-admin; sid:19199; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB2 zero length write attempt"; flow:established, to_server; content:"|FE|SMB|40 00|"; nocase; content:"|09 00|"; within:8; content:"|00 00 00 00|"; within:4; distance:54; reference:cve,2011-1267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-048; classtype:attempted-admin; sid:19191; rev:6;) # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; byte_test:2,>,0x28,26,little,relative; metadata:service netbios-ssn; reference:cve,2011-1868; reference:cve,2011-1869; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_client,established; file_data; content:"|4F 54 54 4F 00 0B 00 80 00 03 00 30 43 46 46 20 0C 1B 55 C1 00 00 0C 54 00 00 AC F2 47 50 4F 53 55 19 E1 1E 00 00 C1 50 00 00 2C 1C 47 53 55 42|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:19188; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows .NET ArraySegment escape exploit attempt"; flow:to_client,established; file_data; content:"|00 6E 00 6E 00 6F 00 63 00 65 00 6E 00 74 00 41 00 72 00 72|"; fast_pattern:only; metadata:service http; reference:cve,2011-0664; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-039; classtype:attempted-user; sid:19185; rev:6;) # alert udp $HOME_NET any -> $HOME_NET [138,139] (msg:"OS-WINDOWS Microsoft Windows 2003 browser election remote heap overflow attempt"; content:"|5C|MAILSLOT|5C|"; nocase; content:"|00 08|"; distance:0; pcre:"/\x5cMAILSLOT\x5c[^\x00]*\x00\x08.{13}[^\x00]{56}/si"; reference:bugtraq,46360; reference:cve,2011-0654; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-019; classtype:attempted-admin; sid:18994; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response"; flow:to_client,established; content:"HTTP 4|0A|"; depth:7; metadata:policy max-detect-ips drop, service http; reference:cve,2010-2561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-051; classtype:attempted-dos; sid:18962; rev:12;) # alert tcp $HOME_NET any -> $HOME_NET 42 
(msg:"OS-WINDOWS Microsoft WINS service oversize payload exploit attempt"; flow:to_server,established,no_stream; dsize:>1400; reference:cve,2011-1248; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-035; classtype:attempted-admin; sid:18950; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows AFD.SYS null write attempt"; flow:to_client,established; file_data; content:"|6A 18 50 68 AB 80 40 00 89 BD B0 FC FF FF 89 B5 B8 FC FF FF|"; fast_pattern:only; metadata:service http; reference:cve,2011-1249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-046; classtype:attempted-admin; sid:18691; rev:8;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Foundation Class applications mfc100.dll dll-load exploit attempt"; flow:to_server,established; content:"m|00|f|00|c|00|1|00|0|00|0|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18629; rev:12;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Foundation Class applications mfc90.dll dll-load exploit attempt"; flow:to_server,established; content:"m|00|f|00|c|00|9|00|0|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18628; rev:12;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Foundation Class applications mfc80.dll dll-load exploit attempt"; flow:to_server,established; 
content:"m|00|f|00|c|00|8|00|0|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18627; rev:12;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Foundation Class applications mfc42.dll dll-load exploit attempt"; flow:to_server,established; content:"m|00|f|00|c|00|4|00|2|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18626; rev:12;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Foundation Class applications mfc40.dll dll-load exploit attempt"; flow:to_server,established; content:"m|00|f|00|c|00|4|00|0|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18625; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows .NET framework optimizer escalation attempt"; flow:to_client,established; file_data; content:"|00|Program|00|Big|00|Misaligned|00|"; nocase; metadata:service http; reference:cve,2010-3958; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-028; classtype:attempted-user; sid:18624; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft 
Visual Studio MFC applications mfc100.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mfc100.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18623; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Visual Studio MFC applications mfc90.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mfc90.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18622; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Visual Studio MFC applications mfc80.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mfc80.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18621; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Visual Studio MFC applications mfc42.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mfc42.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18620; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Visual Studio MFC applications mfc40.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mfc40.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3190; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-025; classtype:attempted-user; sid:18619; rev:10;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"i|00|a|00|c|00|e|00|n|00|c|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,42730; reference:cve,2010-3138; reference:cve,2010-3150; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-014; classtype:attempted-user; sid:18532; rev:10;) # alert udp $HOME_NET 138 -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows 2003 browser election remote heap overflow attempt"; content:"|5C|MAILSLOT|5C|BROWSER|00 08 09|"; content:"|00 00 00 00|"; within:4; distance:8; isdataat:15,relative; content:!"|00|"; within:15; reference:bugtraq,46360; reference:cve,2011-0654; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-019; classtype:attempted-admin; sid:18462; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt"; flow:to_client,established; file_data; content:"|74 00 00 00 00 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 0A 4E 6F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0090; 
reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-011; classtype:attempted-admin; sid:18413; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt"; flow:to_client,established; file_data; content:"|74 00 00 00 00 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 0A 4E 6F|"; fast_pattern:only; metadata:service http; reference:cve,2011-0045; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-011; classtype:attempted-admin; sid:18408; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Hypervisor OS-WINDOWS vfd download attempt"; flow:to_client,established; file_data; content:"|29 66 3A E1 58 4E 4F 20 4E 41 4D 45 20 20 20 20 46 41 54 31 32 20 20 20 6A 00|"; fast_pattern:only; metadata:service http; reference:cve,2010-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-010; classtype:attempted-admin; sid:18396; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS association context validation overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; content:"|00 E4 FF 58|"; depth:4; offset:16; metadata:service wins; reference:bugtraq,11763; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; reference:url,www.immunitysec.com/downloads/instantanea.pdf; classtype:misc-attack; sid:18320; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 overflow attempt"; flow:to_server,established; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:25; 
dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; metadata:service netbios-ssn; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:18315; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rpcss2_RemoteGetClassObject attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:3; dce_stub_data; content:"|05 00|"; depth:2; byte_test:2,>,5,0,dce,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:26; metadata:service dcerpc, service netbios-ssn; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:18267; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP rpcss2_RemoteGetClassObject attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:3; dce_stub_data; content:"|05 00|"; byte_test:2,>,5,0,dce,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:26; metadata:service dcerpc; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:18266; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Fax Services Cover Page Editor overflow attempt"; flow:to_client,established; file_data; content:"FAXCOVER-VER005w"; nocase; content:"|87 00 00 00 4C 17 00 00 00 00 00 00 52 03 00 00|"; within:100; fast_pattern; metadata:service http; reference:url,www.vupen.com/english/advisories/2010/3327; classtype:attempted-user; sid:18246; rev:5;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt"; 
flow:to_server,established; content:"a|00|s|00|f|00|e|00|r|00|r|00|o|00|r|00|e|00|n|00|u|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18227; rev:14;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt"; flow:to_server,established; content:"w|00|i|00|n|00|i|00|e|00|t|00|e|00|n|00|u|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18226; rev:15;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt"; flow:to_server,established; content:"w|00|m|00|e|00|r|00|r|00|o|00|r|00|e|00|n|00|u|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18225; rev:14;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|asferrorenu.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; 
reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18224; rev:14;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|winietenu.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18223; rev:14;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wmerrorenu.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:18222; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS NETAPI RPC interface reboot attempt"; flow:established, to_server; dce_iface:12345678-1234-ABCD-EF00-01234567CFFB; dce_opnum:29; dce_stub_data; content:"|00 00|"; content:"|01 00 00 00 00 00 00 00|"; within:8; distance:30; pcre:"/\x00\x00.{30}\x01\x00{7}$/"; metadata:service netbios-ssn; reference:cve,2010-2742; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-101; classtype:attempted-user; sid:18215; rev:8;) # alert tcp $HOME_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Movie 
Maker hhctrl.ocx dll-load attempt"; flow:to_client,established; content:"h|00|h|00|c|00|t|00|r|00|l|00|.|00|o|00|c|00|x|00|"; nocase; metadata:service netbios-ssn; reference:cve,2010-3967; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-093; classtype:attempted-user; sid:18211; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt"; flow:to_server,established; content:"|2F|hhctrl.ocx"; nocase; http_uri; metadata:service http; reference:cve,2010-3967; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-093; classtype:attempted-user; sid:18210; rev:9;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt"; flow:to_server,established; content:"p|00|e|00|e|00|r|00|d|00|i|00|s|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3966; reference:cve,2011-2019; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-099; classtype:attempted-user; sid:18209; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|peerdist.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3966; reference:cve,2011-2019; reference:url,attack.mitre.org/techniques/T1038; 
reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-099; classtype:attempted-user; sid:18208; rev:13;) # alert tcp $HOME_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Address Book smmscrpt.dll malicious DLL load"; flow:to_client,established; content:"s|00|m|00|m|00|s|00|c|00|r|00|p|00|t|00|.|00|d|00|l|00|l|00|"; nocase; metadata:service netbios-ssn; reference:cve,2010-3144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-097; classtype:attempted-user; sid:18203; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Address Book smmscrpt.dll malicious DLL load"; flow:to_server,established; content:"smmscrpt.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-097; classtype:attempted-user; sid:18202; rev:9;) # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt"; flow:to_client,established; dsize:4; content:"|00 00 00 01|"; depth:4; reference:cve,2009-3676; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-dos; sid:18195; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product mailto uri handling code execution attempt"; flow:to_client,established; file_data; content:"mailto|3A|"; nocase; content:"|2E|com"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?([\x25\x22]\x2Ecom|(\x25|\x26\x23x|\x5cx)00)/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:18173; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product mailto uri handling code execution attempt"; flow:to_client,established; file_data; content:"mailto|3A|"; nocase; content:"|2E|cmd"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?(\x2Ecmd((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5cx)00)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:18172; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product mailto uri handling code execution attempt"; flow:to_client,established; file_data; content:"mailto|3A|"; nocase; content:"|2E|bat"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?(\x2Ebat((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5cx)00)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:cve,2007-5020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:18171; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Forefront UAG URL XSS attempt"; flow:to_server, established; content:"|2F|m|2F|default|2E|aspx"; fast_pattern; nocase; http_uri; content:"orig_url="; nocase; http_uri; pcre:"/orig_url=[^\x26]*[\x22\x27\x28\x29\x3C\x3E]/Ui"; metadata:service http; reference:cve,2010-2734; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-admin; sid:18074; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Forefront UAG arbitrary embedded scripting attempt"; flow:to_server,established; content:"|2E|asp|3F|"; nocase; http_uri; content:"ONMOUSEOVER|3D 27|"; nocase; http_uri; metadata:service http; reference:cve,2010-2733; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-user; sid:18073; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Forefront UAG external redirect attempt"; flow:to_server,established; content:"|2F|redir|2E|asp|3F|"; nocase; http_uri; content:"TARGET|3D|"; nocase; http_uri; content:"Host|3A|"; http_header; pcre:"/\x2fredir\x2easp\x3f[^\s]*TARGET\x3d(\w{3,6}\x3a\x2f\x2f)?[^\x26\x3d\x2f\x20]*([a-z0-9\x2d]+\x2e[a-z0-9\x2d]+)[\x2f\x20\x26].*^Host\x3a/Osmi"; isdataat:10,relative; pcre:!"/\x2fredir\x2easp\x3f[^\s]*TARGET\x3d(\w{3,6}\x3a\x2f\x2f)?[^\x26\x3d\x2f\x20]*([a-z0-9\x2d]+\x2e[a-z0-9\x2d]+)[\x2f\x20\x26].*^Host\x3a[^\n]*\1/Osmi"; metadata:service http; reference:cve,2010-2732; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:policy-violation; sid:18072; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows embedded web font handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|53 51 86 A4 50 1D CD 50 3B D5 D0 6C E3 D5 19 36 A5 55 34 63 7A 7B B1 04 1D E7 EF 6A 69 49 8A 54 D1 73 FD 0C F7 02 5E FA 70 4E E8 68 94 FF 14 1E DC 80 7B 58 96 D0 4A 7C DF F0 5C F0 50 88 73 8D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16194; reference:cve,2006-0010; classtype:attempted-user; sid:17626; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution 
attempt"; flow:to_client,established; file_data; content:"launchURL"; nocase; content:"http|3A|"; distance:0; pcre:"/[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)/Ri"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:17468; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt"; flow:to_client,established; file_data; content:"document|2E|location|2E|replace"; content:"|2E|exe"; distance:0; nocase; content:"|2E|pdf"; distance:0; nocase; pcre:"/document\x2Elocation\x2Ereplace\s*\x28\s*[\x22\x27][a-z0-9]+\.exe\?[a-z0-9]+\.pdf/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:17467; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Jet DB Engine Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|00 01 00 00|Standard Jet DB"; depth:19; nocase; content:"P|00|a|00|r|00|e|00|n|00|t|00|I|00|d|00|n|00|a|00|m|00|e|00|"; distance:0; fast_pattern; nocase; byte_test:2,>,0x0F,0,relative,little; content:!"|FF FF|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12960; reference:cve,2005-0944; classtype:attempted-user; sid:17413; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Color Management Module buffer overflow attempt"; flow:to_client,established; file_data; content:"bXYZ"; content:"gXYZ"; within:4; distance:8; byte_test:4,>,60,4,relative; 
content:"bXYZ"; within:4; distance:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14214; reference:cve,2005-1219; classtype:attempted-user; sid:17349; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Color Management Module buffer overflow attempt"; flow:to_client,established; file_data; content:"gXYZ"; content:"gXYZ"; within:4; distance:8; content:"bXYZ"; within:4; distance:8; byte_test:4,>,60,4,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14214; reference:cve,2005-1219; classtype:attempted-user; sid:17348; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Folder GUID Code Execution attempt"; flow:to_client,established; file_data; content:".|7B|3050F4D8-98B5-11CF-BB82-00AA00BDCE0B|7D|"; fast_pattern:only; pcre:"/\x252e\x252e\x255c[^\s\x2e]*?\x2e\x7B3050F4D8-98B5-11CF-BB82-00AA00BDCE0B\x7d/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19389; reference:cve,2006-3281; classtype:attempted-user; sid:17316; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"OS-WINDOWS Microsoft Windows LSASS integer overflow attempt"; flow:to_server,established; content:"|6D 64 DE A8 E3 21 30 84 FF FF FF F9 02 01 04 63 84 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service ldap; reference:cve,2010-0820; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-068; classtype:attempted-user; sid:17249; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player skin decompression code execution attempt"; flow:to_client,established; file_data; content:"|5B B7 D6 CA 91 94 5C C8 DB B1 29 8F FA A4 39 A6 9B B3 65 AD 6D CE EC 2C DB 28 0F FB FD E1 F9 F5 F9 E1 F9 7C 9E 83 C1 41 7B F6 26 93 40 0A B0 0C|"; fast_pattern:only; 
metadata:policy max-detect-ips drop, service http; reference:bugtraq,25307; reference:cve,2007-3035; classtype:attempted-user; sid:17228; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 MaxDataCount overflow attempt"; flow:established, to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:2,<,12,34,relative,little; content:"|03 00|"; within:2; distance:56; metadata:policy security-ips drop, service netbios-ssn; reference:cve,2010-2550; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-054; classtype:attempted-admin; sid:17125; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS DCERPC rpcss2 _RemoteGetClassObject attempt"; content:"|5C 00 43 00 24 00 5C 00 31 00 32 00 33 00 34 00|"; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-user; sid:17112; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDIplus integer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; content:"|20|EMF"; within:4; distance:36; content:"|45 4D 46 2B 08 40|"; pcre:"/\x45\x4d\x46\x2b\x08\x40.(\x06|\x86).{28}([\xf4-\xff]\xff\xff(\xff|\x7f)|[\x00-\x06]\x00\x00\x80)/"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:misc-activity; sid:16679; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows .NET framework XMLDsig data tampering attempt"; flow:established, to_client; file_data; content:"HMACOutputLength"; fast_pattern:only; content:"SignatureMethod"; nocase; pcre:"/<\s*(ds:)?HMACOutputLength\s*>\s*\d\s*<\/\s*(ds:)?HMACOutputLength\s*>/Rsmi"; metadata:policy max-detect-ips drop, service http; 
reference:cve,2009-0217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-041; classtype:misc-attack; sid:16636; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Encoder 9 ActiveX buffer overflow attempt"; flow:to_client,established; file_data; content:"unescape|28|'"; content:"GetDetailsString|28|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:16578; rev:7;) # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMBv1 BytesNeeded ring0 buffer overflow attempt"; flow:to_client,established; flowbits:isset,smb.query_sec_desc; flowbits:unset,smb.query_sec_desc; content:"|FF|SMB|A0 05 00 00 80|"; depth:9; offset:4; isdataat:24,relative; byte_jump:1,23,relative, multiplier 2; content:"|00|"; within:1; metadata:policy security-ips drop, service netbios-ssn; reference:cve,2010-0269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-admin; sid:16539; rev:7;) # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2"; flow:to_client,established; dsize:4; content:"|00 00 00 9A|"; depth:4; reference:cve,2009-3676; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-dos; sid:16454; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows embedded OpenType font engine LZX decompression buffer overflow attempt"; flow:to_client,established; file_data; content:"|DE 0D 00 00 82 0C 00 00 02 00 02 00 E5|"; content:"|53 50 13 80 50 59 53 50 5B 7C D0 55 FD 06 58 94 D3 E3 98 7C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,37671; reference:cve,2010-0018; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-001; classtype:attempted-admin; sid:16366; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI+ TIFF RLE compressed data buffer overflow attempt"; flow:to_client,established; file_data; content:"II*|00|"; content:"|03 01 03 00 01 00 00 00 04 00 00 00|"; distance:0; content:"P|DC 9A 86 E4 D4|7&|A1 B9|5|0D C9 A8|nMCrj|1B 93|P|DC 9A 86 E4 D4|7"; fast_pattern:only; metadata:service http; reference:cve,2009-2503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16327; rev:7;) # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt"; flow:to_client,established; content:"|00 00 00 9A FE|SMB"; depth:8; isdataat:126,relative; content:"|1E 00| LM `|1C|"; within:8; distance:118; reference:cve,2009-3676; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-dos; sid:16287; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP llsrpc2 LlsrLicenseRequestW overflow attempt"; dce_iface:57674CD0-5200-11CE-A897-08002B2E9C6D; dce_opnum:0; dce_stub_data; byte_jump:4,8,multiplier 2,dce; byte_test:4,>,256,16,relative,dce; metadata:service netbios-dgm; reference:cve,2009-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-064; classtype:attempted-admin; sid:16239; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt"; flow:to_server,established; dce_iface:57674CD0-5200-11CE-A897-08002B2E9C6D; dce_opnum:0; dce_stub_data; byte_jump:4,8,multiplier 2,dce; byte_test:4,>,256,16,relative,dce; metadata:service netbios-ssn; reference:cve,2009-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-064; classtype:attempted-admin; sid:16238; rev:9;) # alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft ISA and Forefront Threat Management Web Proxy TCP Listener denial of service attempt"; flow:to_server,established; seq:3927875496; flags:R; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34414; reference:cve,2009-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-016; classtype:attempted-dos; sid:16221; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows GDI+ compressed TIFF file parsing remote code execution attempt"; flow:to_client,established; file_data; content:"II*|00|"; content:"|03 01 03 00 01 00 00 00 04 00 00 00|"; distance:0; content:"&|A1 B9|5|0D C9 A8|nMCrj|1B 93|P|DC 9A 86 E4 D4|7&|A1 B9|"; distance:0; metadata:service http; reference:cve,2009-2503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16185; rev:7;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CryptoAPI ASN.1 integer overflow attempt"; flow:to_client,established; content:"|55 04|"; content:"|80 80 80 03 0C|"; within:20; metadata:service ssl; reference:cve,2009-2511; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-056; classtype:attempted-user; sid:16181; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS Microsoft Windows SMBv2 integer overflow denial of service attempt"; flow:to_server, established; content:"|FE|SMB|40 00|"; isdataat:1000; content:"|00 00 00 00 0B 00|"; within:6; distance:2; content:"|94 01 06 00|"; within:4; distance:54; fast_pattern; byte_test:4,>,61440,20,relative,little; metadata:service netbios-ssn; reference:cve,2009-2526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-050; classtype:attempted-admin; sid:16168; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS Microsoft Windows LSASS integer wrap denial 
of service attempt"; flow:to_server, established; content:"|05|"; content:"|10|"; within:1; distance:1; content:"|0A 04|"; within:2; distance:17; content:"NTLMSSP|00 03 00 00 00|"; within:12; distance:6; content:!"|00 00|"; within:2; distance:8; byte_test:2, <, 48, 8, relative, little; metadata:service netbios-ssn; reference:cve,2009-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-059; classtype:attempted-dos; sid:16167; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows malformed ASF voice codec memory corruption attempt"; flow:to_client,established; file_data; content:"@|9E|i|F8|M[|CF 11 A8 FD 00 80|_|5C|D+"; isdataat:46,relative; pcre:"/^.{38}\x0a\x00..(?!(\x40\x1f|\x11\x2b|\x80\x3e|\x22\x56)\x00\x00)/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0555; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-051; classtype:attempted-user; sid:16157; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"OS-WINDOWS MS-SQL convert function unicode overflow"; flow:to_server,established; content:"S|00|E|00|L|00|E|00|C|00|T|00| |00|C|00|O|00|N|00|V|00|E|00|R|00|T|00 28 00|v|00|a|00|r|00|c|00|h|00|a|00|r|00|,|00|c|00|r|00|e|00|a|00|t|00|e|00|d|00|a|00|t|00|e|00|,|00|1|00|2|00|3|00|4|00|5|00|6|00|7|00|8|00|9|00|0|00 29 00| |00|F|00|R|00|O|00|M|00| |00|s|00|y|00|s|00|u|00|s|00|e|00|r|00|s"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2008-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-040; classtype:attempted-admin; sid:16073; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Negotiate SSP buffer overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Negotiate"; within:20; nocase; http_header; content:"YIIAEwYGKwYBBQUCoAkwB6EFIwMDAQc=|0D 0A|"; fast_pattern:only; http_header; metadata:service 
http; reference:bugtraq,10113; reference:cve,2004-0119; classtype:attempted-admin; sid:15996; rev:8;) # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft ISA Server DNS spoofing attempt"; flow:to_client; content:"|C0 0C 00 0C 00 01 00 01|Q|80 00 0F 03|www|05|yahoo|03|com|00|"; metadata:service dns; reference:bugtraq,11605; reference:cve,2004-0892; classtype:misc-attack; sid:15988; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt"; flow:to_server,established; content:"GET /fsc/secured|5C|fsc.aspx HTTP/1.1"; metadata:service http; reference:bugtraq,11342; reference:cve,2004-0847; classtype:attempted-user; sid:15985; rev:7;) # alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Explorer long share name buffer overflow attempt"; flow:to_client,established; content:"|00 00 00 00 F5 01 00 00 00 00 00 00 F5 01 00 00|A|00|A|00|A|00|A|00|A|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,10213; reference:cve,2004-0214; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-037; classtype:attempted-user; sid:15965; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows javascript arguments keyword override rce attempt"; flow:to_client,established; file_data; content:"function arguments"; fast_pattern:only; pcre:"/function arguments\s*\x28\s*\x29\s*\x7b/"; metadata:service http; reference:cve,2009-1920; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-045; classtype:attempted-user; sid:15913; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Color Management Module remote code execution attempt"; flow:to_client,established; file_data; content:"|11 11 12 12 12 0B 0D 14 15 14 12 15 10 12 12 11 01 03 03 03 04 03 04 08 04 04 08 11 0B 0A 0B 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 
11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 FF C4 01 A2 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2005-1219; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-016; classtype:attempted-admin; sid:15894; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS replication inform2 request memory corruption attempt"; flow:to_server,established; content:"|00 00 00 03 00 00 00 09|"; depth:8; offset:12; byte_test:4,>,65535,0,relative,big; metadata:policy max-detect-ips drop, service netbios-ns; reference:cve,2009-1924; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-039; classtype:attempted-admin; sid:15849; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"OS-WINDOWS Microsoft Windows 2000 domain authentication bypass attempt"; flow:to_server; content:"0|17 A0 03 02 01 02 A1 10|0|0E 1B 06|krbtgt|1B 04|A123"; content:"|0F|n|FB C0|"; distance:0; metadata:service kerberos; reference:cve,2004-0540; reference:url,attack.mitre.org/techniques/T1097; classtype:attempted-user; sid:15701; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product snews uri handling code execution attempt"; flow:to_client,established; file_data; content:"snews|3A|"; nocase; pcre:"/^[^\n]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:15684; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft DirectShow QuickTime file atom 
size parsing heap corruption attempt"; flow:to_client,established; file_data; content:"AAAAAAAA|00 00 00|0stts|04 00 00 00|"; metadata:service http; reference:cve,2009-1539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15680; rev:7;) # alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows srvsvc NetrShareEnum netname overflow attempt"; flow:to_client,established; content:"y|06 00 00 00 00 00 00|y|06 00 00|A|00|A|00|"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-0228; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-022; classtype:protocol-command-decode; sid:15523; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP rpcss2_RemoteGetClassObject attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:3; dce_stub_data; content:"|05 00|"; byte_test:2,>,5,0,dce,relative; byte_test:4,!=,0,26,dce,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:38; metadata:service dcerpc; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:15513; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rpcss2_RemoteGetClassObject attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:3; dce_stub_data; content:"|05 00|"; depth:2; byte_test:2,>,5,0,dce,relative; byte_test:4,!=,0,26,dce,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:38; metadata:service dcerpc, service netbios-ssn; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:15512; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows ISA Server cross-site scripting attempt"; flow:to_server,established; 
content:"CookieAuth.dll"; nocase; http_uri; content:"GetLogonRedir"; distance:0; fast_pattern; nocase; http_uri; content:"formdir="; distance:0; nocase; http_uri; content:"reason="; nocase; http_uri; pcre:"/reason=[^\r\n\x26]+(alert|script|onclick|onload|onmouseover|[\x22\x27\x3c\x3e\x28\x29])/iU"; metadata:service http; reference:cve,2009-0237; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-016; classtype:attempted-user; sid:15475; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DirectShow MJPEG arbitrary code execution attempt"; flow:to_client,established; file_data; content:"LISTt|B4 08 00|movi00db@J|00 00 D0 F5|"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-011; classtype:attempted-user; sid:15457; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15227; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; 
within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15226; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15225; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15224; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; 
metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15223; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15222; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,29,-12,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15221; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; 
sid:15219; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15218; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15217; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15216; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15215; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15214; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15213; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt"; 
content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,<,30,-26,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15212; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15211; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15210; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt"; 
flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15209; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15208; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15207; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt"; flow:to_server,established; 
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15206; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15205; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,69,-27,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15204; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 
00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15203; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15202; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15201; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15200; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15199; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15198; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|01 00|"; within:2; distance:37; byte_test:4,<,54,-19,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-4834; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-001; classtype:protocol-command-decode; sid:15197; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15142; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15141; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15140; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15139; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15138; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB 
sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15137; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15136; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt"; flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; reference:bugtraq,32710; 
reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15135; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15134; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15133; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; 
depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15132; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15131; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15130; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
[139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15129; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15128; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt"; flow:to_server,established; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; 
metadata:service netbios-ssn; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15127; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt"; flow:to_client,established; file_data; content:"file|3A 2F 2F 5C 5C|"; nocase; pcre:"/file\x3A\x2F\x2F\x5C\x5C[^\s\x22\x27]{234}/smi"; metadata:service http; reference:cve,2008-4259; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-073; classtype:attempted-user; sid:15115; rev:11;)
## sid 14896 msg misspells the function as "NetrpPathCononicalize" / "cononicalization"; sid 14783 below has the correct "NetrpPathCanonicalize". The msg is emitted in alerts, so correct it together with a rev bump rather than silently.
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB v4 srvsvc NetrpPathCononicalize unicode path cononicalization stack overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; pcre:"/^.{28}(\x00\x1f|\x00\x20)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4250; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067; classtype:attempted-admin; sid:14896; rev:9;)
## MS08-067 (CVE-2008-4250) via the dce preprocessor (dce_iface/dce_opnum/dce_stub_data) rather than a hand-walked SMB header as in sid 14896.
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31,32; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; 
pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4250; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067; classtype:attempted-admin; sid:14783; rev:17;)
## sid 14726 checks only interface, opnum and isdataat:16, so any QMGetRemoteQueueName call carrying at least 16 stub bytes alerts; expect noise from legitimate mqqm traffic if enabled.
# alert udp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP mqqm QMGetRemoteQueueName overflow attempt"; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:1; dce_stub_data; isdataat:16; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-3479; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-065; classtype:attempted-admin; sid:14726; rev:13;)
## MS08-063 (CVE-2008-4038) SMB Search filename size: the only size condition after the header walk is byte_test 2,>,4000; tcp/139,445 variants here, udp/138 variants follow.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|81|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14654; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|81|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14653; rev:14;)
# alert udp $EXTERNAL_NET any -> 
$HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|81|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14652; rev:11;)
## udp/138 variants of the MS08-063 Search rules; no flow keyword because these are datagrams.
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|81|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14651; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer underflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|81|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14650; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer 
underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|81|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14648; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Search Search filename size integer underflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|81|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4000,5,little,relative; metadata:policy max-detect-ips drop, service netbios-dgm; reference:cve,2008-4038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-063; classtype:protocol-command-decode; sid:14647; rev:11;)
## sid 13594 ends with a fixed UTF-16 "blah_blah" literal, so it keys on one specific sample in addition to the size check (byte_test 4,>,65536); coverage is narrower than the msg suggests.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows print spooler little endian DoS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; content:"b|00|l|00|a|00|h|00|_|00|b|00|l|00|a|00|h|00|"; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13594; rev:6;)
## sid 13474 below carries an empty content:"" (and content:!"" on the continuation); an empty content is not a valid option, so this listing was mangled during extraction (text resembling an HTML tag appears to have been dropped). Recover the pattern from the upstream rules file before loading.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft WebDAV MiniRedir remote code execution attempt"; flow:to_client,established; file_data; content:""; 
fast_pattern; nocase; isdataat:520,relative; content:!""; within:520; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-007; classtype:attempted-user; sid:13474; rev:11;)
## sid 13448 uses literal port 80 and has no service metadata, unlike the $HTTP_PORTS / service http rules around it; script delivered on other HTTP ports is not covered.
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows vbscript/jscript scripting engine begin buffer overflow attempt"; flow:to_client,established; content:"VBScript.Encode"; content:"|23|@~^"; distance:0; isdataat:6,relative; content:!"="; within:1; distance:6; metadata:policy max-detect-ips drop; reference:cve,2008-0083; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-022; classtype:attempted-user; sid:13448; rev:9;)
## MS07-057 / advisory 943521 URI-handler rules (CVE-2007-3845, -3896, -4041): one rule per scheme, each anchored on "<scheme>:" with a shared pcre for an executable extension or embedded NUL encodings.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product mailto uri handling code execution attempt"; flow:to_client,established; file_data; content:"mailto|3A|"; nocase; content:"|2E|exe"; within:500; nocase; pcre:"/mailto\x3A[^\n\s]*?(\x2Eexe((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5cx)00)/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:13272; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product telnet uri handling code execution attempt"; flow:to_client,established; file_data; content:"telnet|3A|"; nocase; pcre:"/^[^\n\s]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; 
reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:13271; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product news uri handling code execution attempt"; flow:to_client,established; file_data; content:"news|3A|"; nocase; pcre:"/^[^\n\s]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:13270; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Multiple product nntp uri handling code execution attempt"; flow:to_client,established; file_data; content:"nntp|3A|"; nocase; pcre:"/^[^\n\s]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:13269; rev:12;)
## sid 12947 / 12946 match the "SMB 2.001" dialect string in an SMB1 negotiate, i.e. any SMB2-capable client; this is protocol detection rather than an exploit signature, so classtype attempted-admin overstates it and it will be noisy on networks with SMB2 clients.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB SMBv2 protocol negotiation attempt"; flow:to_server,established; byte_test:1,>,0xFD,4; content:"SMBr"; depth:4; offset:5; content:"|02|SMB 2.001|00|"; offset:36; reference:cve,2007-5351; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-063; classtype:attempted-admin; sid:12947; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft 
Windows SMB-DS SMBv2 protocol negotiation attempt"; flow:to_server,established; byte_test:1,>,0xFD,4; content:"SMBr"; depth:4; offset:5; content:"|02|SMB 2.001|00|"; offset:36; metadata:service netbios-ssn; reference:cve,2007-5351; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-063; classtype:attempted-admin; sid:12946; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 url handling code execution attempt"; flow:to_client,established; file_data; content:"|22|.bat"; nocase; pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*\x25[^\n]*\x22\x2Ebat/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-061; classtype:attempted-user; sid:12687; rev:12;)
## sid 12643 has no file_data buffer, unlike the neighbouring HTTP client rules, so its "%00%00" match appears to run against the raw payload rather than the decoded response body.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows URI External handler arbitrary command attempt"; flow:to_client,established; content:"%00%00"; pcre:"/(mailto|telnet|news|nntp|snews)\x3A%00%00/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-061; classtype:attempted-user; sid:12643; rev:9;)
## MS07-058 (CVE-2007-2228) NTLMSSP over udp/135: NTLMSSP type 3 message with zeroed length fields followed by a DCERPC request header within 500 bytes.
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS RPC NTLMSSP malformed credentials"; flow:to_server; content:"NTLMSSP|00 03 00 00 00|"; content:"|00 00 00 00|"; within:4; distance:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; within:4; distance:4; content:"|05 00 00 03 10 00 00 00|"; within:500; pcre:"/\x05\x00\x00\x03\x10\x00\x00\x00.{16}\x0a[\x03\x04]/"; metadata:policy max-detect-ips drop; reference:cve,2007-2228; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-058; classtype:denial-of-service; sid:12642; 
rev:8;)
## sid 12632 / 12631: byte_test arguments are written with spaces ("2, >, 32767") unlike the rest of the file; the |0D 0A FF D8| anchor also requires the JPEG SOI to follow a CRLF, so an image not preceded by a line break would not match.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 2000 Kodak Imaging large offset malformed jpeg tables"; flow:to_client,established; file_data; content:"|0D 0A FF D8|"; content:"|FF DB|"; distance:0; byte_test:2, >, 32767, 2, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; classtype:attempted-user; sid:12632; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 2000 Kodak Imaging small offset malformed jpeg tables"; flow:to_client,established; file_data; content:"|0D 0A FF D8|"; content:"|FF DB|"; distance:0; byte_test:2, =, 0, 2, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; classtype:attempted-user; sid:12631; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Visual Studio Crystal Reports RPT file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|FE FF|"; content:"|E0 85 9F F2 F9|Oh|10 AB 91 08 00|+'|B3 D9|"; within:16; distance:26; content:!"|01 00 00 00|"; within:4; distance:-20; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21261; reference:cve,2006-6133; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-052; reference:url,www.lssec.com/advisories/LS-20061102.pdf; classtype:attempted-user; sid:12463; rev:8;)
## MS04-007 ASN.1 (CVE-2003-0818): server-side rule on the inbound Authorization: Negotiate header (http_header buffer), matching specific base64 prefixes of the SPNEGO blob.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Negotiate"; within:50; fast_pattern; nocase; http_header; pcre:"/^Authorization\x3a\s*Negotiate\s*((YE4G.{40}LgMc)|(YIIQ.{40}(QUFB|hAJ9|n5Bh|ST0k)))/smiH"; metadata:service http; 
reference:bugtraq,9633; reference:cve,2003-0818; reference:cve,2005-1935; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; classtype:attempted-admin; sid:12058; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP spoolss AddPrinter overflow attempt"; flow:to_server,established; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:5; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,28,relative,dce; metadata:service netbios-ssn; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11843; rev:13;)
## MS04-045 WINS (tcp/42): four byte_test flag checks on offset 6, then a length check byte_test 4,>,276 after the |00 00 00 06| record.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; isdataat:24; content:!"|00 00 00 02|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:16; byte_test:4,>,276,0,relative; metadata:service wins; reference:bugtraq,11922; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; classtype:misc-attack; sid:11684; rev:7;)
## sid 11074 / 11073 match on interface UUID and opnum 3 alone, with no stub-data checks, so every _RemoteGetClassObject call alerts; consistent with the protocol-command-decode classtype but noisy if enabled.
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP rpcss _RemoteGetClassObject attempt"; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:3; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11074; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rpcss _RemoteGetClassObject attempt"; flow:to_server,established; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:3; metadata:service netbios-ssn; reference:cve,2003-0605; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11073; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt"; flow:to_server,established; dce_iface:50ABC2A4-574D-40B3-9D66-EE4FD5FBA076; dce_opnum:7; dce_stub_data; pcre:"/^.{8}(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; content:!"|00 00 00 00|"; within:4; byte_test:4,>,256,4,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,23470; reference:cve,2007-1748; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-029; classtype:attempted-admin; sid:10603; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP tapisrv ClientRequest LSetAppPriority overflow attempt"; flow:to_server,established; dce_iface:2f5f6520-ca46-1067-b319-00dd010662da; dce_opnum:1; dce_stub_data; content:"E|00 00 00|"; depth:4; offset:32; byte_test:4,>,1024,-16,relative,dce; metadata:service netbios-ssn; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9914; rev:13;)
## sid 9848 is scoped to $HOME_NET any (all ports) with fast_pattern:only on "recolorinfo"; the numfills value is read as a decimal string (byte_test ... ,string) and compared against 10000000.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numfills parameter buffer overflow attempt"; flow:to_client,established; file_data; content:"recolorinfo"; fast_pattern:only; content:"numfills"; pcre:"/recolorinfo[^>]*numfills\s*=\s*\x22/si"; byte_test:10,>,10000000,0,relative,string; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-004; classtype:attempted-user; sid:9848; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC 
NCACN-IP-TCP msqueue function 4 overflow attempt"; flow:to_server,established; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:4; dce_stub_data; byte_test:4,>,128,8,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:9769; rev:13;)
## sid 9643 / 9642 / 9641 (MS06-078, MS09-052) require flowbits isset file.asf; the rule that sets it is outside this span. Each anchors on a 16-byte ASF object GUID and checks a size field with byte_test.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C 20 53 65|"; byte_test:4,>,134217727,24,relative,little; metadata:service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9643; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|40 52 D1 86 1D 31 D0 11 A3 A4 00 A0 C9 03 48 F6|"; byte_test:4,>,134217727,24,relative,little; metadata:service http; reference:cve,2006-4702; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9642; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|90 08 00 33 B1 E5 CF 11 89 F4 00 A0 C9 03 49 CB|"; byte_test:4,>,715827882,36,relative,little; metadata:service http; reference:cve,2006-4702; reference:cve,2009-2527; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:9641; rev:9;)
## The ASX rule below is truncated in this listing: everything between its content:" and the following " $HOME_NET any (msg:..." was dropped, apparently because it resembled an HTML tag to the extractor. The ASX rule's remaining options and sid, and the header of the next Microsoft Agent rule, are lost; recover both from the upstream rules file rather than loading this text.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"OS-WINDOWS Microsoft Agent buffer overflow attempt"; flow:to_client,established; file_data; content:"|C2 AB CD AB|"; byte_test:4,<,500,0,relative,little; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21034; reference:cve,2006-3445; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-068; classtype:attempted-user; sid:9433; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Agent buffer overflow attempt"; flow:to_client,established; file_data; content:"|C4 AB CD AB|"; byte_test:4,<,500,0,relative,little; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21034; reference:cve,2006-3445; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-068; classtype:attempted-user; sid:9432; rev:9;)
## MS06-066 netware_cs (CVE-2006-4688/-4689): NDR conformant-string walk (pcre + byte_jump ... align,dce) followed by a length check against 128.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs NwGetConnectionInformation overflow attempt"; flow:to_server,established; dce_iface:e67ab081-9844-3521-9d32-834f038001c0; dce_opnum:1; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,128,4,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9228; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs NwrOpenEnumNdsStubTrees_Any overflow attempt"; flow:to_server,established; 
dce_iface:e67ab081-9844-3521-9d32-834f038001c0; dce_opnum:9; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,128,0,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9132; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt"; flow:to_server,established; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:27; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; content:!"|00 00 00 00|"; within:4; byte_test:4,>,256,4,relative,dce; metadata:service netbios-ssn; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8925; rev:14;)
## sid 8710 / 8709 use "any any -> any 53" instead of $EXTERNAL_NET/$HOME_NET, so if enabled they inspect DNS in both directions on every port-53 flow; scope them to your resolvers to limit noise.
# alert udp any any -> any 53 (msg:"OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt"; flow:to_server; byte_test:2,&,256,2; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:4; metadata:service dns; reference:cve,2006-5614; classtype:misc-attack; sid:8710; rev:10;)
# alert tcp any any -> any 53 (msg:"OS-WINDOWS Microsoft Windows NAT helper components tcp denial of service attempt"; flow:to_server,established; byte_test:2,&,256,2; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:4; metadata:service dns; reference:cve,2006-5614; classtype:misc-attack; sid:8709; rev:12;)
## MS06-008 DavrCreateConnection (CVE-2006-0013): sid 8253 walks three NDR strings before the length check, sid 8157 (next line) walks one; the rule continues on the next line.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP webdav DavrCreateConnection username overflow attempt"; flow:to_server,established; dce_iface:C8CB7687-E6D3-11D2-A958-00C04F682E16; dce_opnum:0; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; 
byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,8,relative,dce; metadata:service netbios-ssn; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8253; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP webdav DavrCreateConnection hostname overflow attempt"; flow:to_server,established; dce_iface:C8CB7687-E6D3-11D2-A958-00C04F682E16; dce_opnum:0; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,8,relative,dce; metadata:service netbios-ssn; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8157; rev:13;)
## MS01-059 UPnP (tcp/5000): sid 8083 requires a Location header of 128+ non-newline characters; sid 8082 matches only the literal "NOTIFY * ", so any NOTIFY request, malformed or not, alerts. Neither carries service metadata.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"OS-WINDOWS Microsoft Windows UPnP Location overflow"; flow:to_server,established; content:"Location|3A|"; fast_pattern:only; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:8083; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"OS-WINDOWS Microsoft Windows UPnP malformed advertisement"; flow:to_server,established; content:"NOTIFY * "; fast_pattern:only; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:8082; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MMC createcab.cmd cross site scripting attempt"; flow:to_client,established; file_data; 
content:"res|3A|//createcab.cmd"; metadata:service http; reference:bugtraq,19417; reference:cve,2006-3643; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-044; classtype:attempted-user; sid:7424; rev:8;)
## sid 7424 / 7423 / 7422 (MS06-044) match res:// URIs case-sensitively (no nocase), whereas the other HTTP client rules in this span use nocase; a mixed-case URI would not match.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MMC mmc.exe cross site scripting attempt"; flow:to_client,established; file_data; content:"res|3A|//mmc.exe"; metadata:service http; reference:bugtraq,19417; reference:cve,2006-3643; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-044; classtype:attempted-user; sid:7423; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MMC mmcndmgr.dll cross site scripting attempt"; flow:to_client,established; file_data; content:"res|3A|//mmcndmgr.dll"; metadata:service http; reference:bugtraq,19417; reference:cve,2006-3643; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-044; classtype:attempted-user; sid:7422; rev:8;)
## MS06-040 (CVE-2006-3439) NetrPathCanonicalize over udp; same srvsvc interface UUID as the MS08-067 rule sid 14783 earlier, with opnum 31 only.
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP srvsvc NetrPathCanonicalize overflow attempt"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; metadata:policy max-detect-ips drop, service netbios-dgm; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7210; rev:17;)
## MS06-035 / MS06-063 mailslot heap overflow: eight variants follow (udp/138 vs tcp, andx vs plain Trans, unicode vs ascii); this udp rule continues on the next line.
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:policy max-detect-ips drop; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7042; rev:15;)
## sid 7041 is a udp/138 rule tagged service netbios-ssn, while the other udp/138 rules here carry no service or netbios-dgm; this looks like a metadata inconsistency — verify before relying on service-based rule selection.
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; distance:4; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7041; rev:14;)
## tcp/139,445 counterpart of sid 7042; continues on the next line.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; 
classtype:protocol-command-decode; sid:7040; rev:17;)
## tcp/139,445 counterpart of sid 7041 (ascii andx variant).
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; distance:4; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7039; rev:16;)
## sid 7038 / 7037: plain (non-andx) Trans variants on udp/138, anchored directly on |FF|SMB% and a 27-byte header skip; neither carries service metadata (compare sid 7041).
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:policy max-detect-ips drop; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7038; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; 
distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7037; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7036; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; distance:4; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7035; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences callback number overflow attempt"; flow:to_server,established; dce_iface:20610036-fa22-11cf-9823-00a0c911e5df; dce_opnum:10; dce_stub_data; 
pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,258,0,relative,dce; metadata:service netbios-ssn; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6906; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences area/country overflow attempt"; flow:to_server,established; dce_iface:20610036-fa22-11cf-9823-00a0c911e5df; dce_opnum:10; dce_stub_data; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,258,0,relative,dce; metadata:service netbios-ssn; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6810; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences phonebook mode overflow attempt"; flow:to_server,established; dce_iface:20610036-fa22-11cf-9823-00a0c911e5df; dce_opnum:10; dce_stub_data; byte_test:4,>,34,68,dce; metadata:service netbios-ssn; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6714; rev:12;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt"; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:1; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; 
byte_test:4,<,37,0,relative,dce; metadata:service dcerpc; reference:bugtraq,17906; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6456; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContext heap overflow attempt"; flow:to_server,established; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:1; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,<,37,0,relative,dce; metadata:service dcerpc; reference:bugtraq,17906; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6455; rev:12;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt"; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,<,37,0,relative,dce; metadata:service dcerpc; reference:bugtraq,17906; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6444; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW heap overflow attempt"; flow:to_server,established; 
dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; byte_jump:4,28,multiplier 2,post_offset 10,dce; byte_jump:4,0,relative,multiplier 2,post_offset 10,dce; byte_test:4,>,100,0,relative,dce; metadata:service dcerpc; reference:bugtraq,17906; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6443; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5738; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; metadata:service netbios-ssn; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5737; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; metadata:service netbios-ssn; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5736; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5735; rev:12;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5734; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5733; rev:12;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5732; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; metadata:service netbios-ssn; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5731; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; metadata:service netbios-ssn; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5730; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt"; 
flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5729; rev:12;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5728; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; reference:bugtraq,13942; reference:cve,2005-1206; reference:nessus,18483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-027; classtype:protocol-command-decode; sid:5727; rev:12;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5726; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5725; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; metadata:service netbios-ssn; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5724; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"|00 00 00 00|"; within:4; distance:5; metadata:service netbios-ssn; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5723; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5722; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5721; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5720; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5719; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; metadata:service netbios-ssn; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; classtype:protocol-command-decode; sid:5718; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; metadata:service netbios-ssn; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; 
reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5717; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:5716; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt"; flow:to_client,established; file_data; content:"|D7 CD C6 9A 00 00|"; depth:6; content:"|00 00 00 00|"; within:4; distance:10; byte_test:2,<,9,4,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,16516; reference:cve,2006-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-004; classtype:attempted-admin; sid:5713; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt"; flow:to_server,established; dce_iface:57674CD0-5200-11CE-A897-08002B2E9C6D; dce_opnum:0; dce_stub_data; byte_test:4,>,256,8,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,12481; reference:cve,2005-0050; reference:cve,2009-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-064; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5485; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows picture and fax viewer wmf arbitrary code execution attempt"; 
flow:to_client,established; file_data; content:"|01 00 09 00 00 03|R|1F 00 00 06 00|=|00 00 00 00 00|"; content:"&|06 09 00 16 00|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16074; reference:cve,2005-4560; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-001; classtype:web-application-attack; sid:5319; rev:15;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt"; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:0; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5096; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerGetPrimaryDomainInformation attempt"; flow:to_server,established; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:0; metadata:service netbios-ssn; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5095; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetRootDeviceInstance attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:7; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4826; rev:15;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt"; dce_iface:d3fbb514-0e3b-11cb-8fad-08002b1d29c3; dce_opnum:0; dce_stub_data; byte_test:4,>,256,8,dce; metadata:service dcerpc; 
reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4755; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP locator nsi_binding_lookup_begin overflow attempt"; flow:to_server,established; dce_iface:d3fbb514-0e3b-11cb-8fad-08002b1d29c3; dce_opnum:0; dce_stub_data; byte_test:4,>,256,8,dce; metadata:service netbios-ssn; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4754; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs function 43 overflow attempt"; flow:to_server,established; dce_iface:e67ab081-9844-3521-9d32-834f038001c0; dce_opnum:43; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,512,4,relative,dce; metadata:service netbios-ssn; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4608; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP spoolss AddPrinterEx overflow attempt"; flow:to_server,established; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:70; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,96,relative,dce; metadata:service netbios-ssn; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4413; rev:14;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt"; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; 
pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; metadata:service dcerpc; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:4246; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW overflow attempt"; flow:to_server,established; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; metadata:service dcerpc; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:4245; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_DetectResourceConflict attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:53; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,32,16,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4072; rev:13;) # alert tcp $HOME_NET any -> $HOME_NET 2702 (msg:"OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt"; flow:to_server,established; content:"RCH0"; fast_pattern:only; 
content:"RCHE"; nocase; byte_test:2,>,131,-8,relative,little; isdataat:131,relative; reference:bugtraq,10726; reference:cve,2004-0728; classtype:attempted-user; sid:3673; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP mqqm QMDeleteObject overflow attempt"; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:9; dce_stub_data; content:"|01 00 00 00|"; depth:4; offset:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3591; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,993,995] (msg:"OS-WINDOWS Microsoft Windows SSLv3 invalid data version attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:3486; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt"; flow:to_server,established; dce_iface:4d9f4ab8-7d1c-11cf-861e-0020af6e7c57; dce_opnum:0; dce_stub_data; byte_test:4,>,256,52,dce; metadata:ruleset community, service dcerpc, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0528; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3409; rev:17;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt"; 
dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service dcerpc; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3398; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3397; rev:17;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt"; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3239; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt"; flow:to_server,established; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; 
byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3238; rev:15;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3235; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3234; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt"; flow:to_server,established; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:15; dce_stub_data; byte_test:2,>,1024,20,dce; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3218; rev:23;) # alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP"; flow:to_server; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community; 
reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3200; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3199; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3196; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3195; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player directory traversal via Content-Disposition attempt"; flow:to_client,established; content:".wmz"; fast_pattern; nocase; http_header; content:"Content-Disposition|3A|"; nocase; http_header; content:"filename="; nocase; http_header; pcre:"/filename=[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smiH"; metadata:ruleset community, service http; reference:bugtraq,7517; reference:cve,2003-0228; 
reference:nessus,11595; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-017; classtype:attempted-user; sid:3192; rev:19;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msqueue function 4 overflow attempt"; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:4; dce_stub_data; byte_test:4,>,128,8,dce; metadata:policy max-detect-ips drop, ruleset community, service dcerpc; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3171; rev:15;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service dcerpc; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3159; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service netbios-ssn; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3158; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt"; flow:to_client,established; file_data; content:"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,11467; 
reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693; reference:cve,2002-0823; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:20;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; metadata:ruleset community, service wins; reference:bugtraq,11763; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; reference:url,www.immunitysec.com/downloads/instantanea.pdf; classtype:misc-attack; sid:3017; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3005; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP andx asn1 overflow attempt"; 
flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3004; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3003; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, 
oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3002; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3001; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3000; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt"; 
flow:to_server,established; dce_iface:2f5f3220-c126-1076-b549-074d078619da; dce_opnum:12; dce_stub_data; isdataat:256; content:!"|00|"; depth:256; offset:12; metadata:ruleset community, service netbios-ssn; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2936; rev:18;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT|20|"; depth:5; nocase; isdataat:160,relative; pcre:"/^X?PAT\s+[^\n]{160}/i"; metadata:ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:2927; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; http_header; pcre:"/^Content-Disposition\x3a(\s*|\s*\r?\n\s+)[^\r\n]*?\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smiH"; metadata:ruleset community, service http; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-024; classtype:attempted-user; sid:2589; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt"; flow:to_server,established; content:"/crystalimagehandler"; fast_pattern:only; http_uri; content:"dynamicimage=../"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-017; classtype:web-application-attack; sid:2582; rev:17;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt"; 
dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:ruleset community, service netbios-dgm; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2511; rev:21;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:2383; rev:26;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:2382; rev:25;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; 
depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2258; rev:17;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2257; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:2252; rev:22;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"OS-WINDOWS Microsoft Windows SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-recon; sid:2177; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; metadata:ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-recon; sid:2176; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; isdataat:156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; metadata:ruleset community; reference:bugtraq,5807; reference:cve,2002-1214; reference:nessus,11178; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-063; classtype:attempted-admin; sid:2126; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; metadata:ruleset community; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:2101; rev:23;) # 
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows UPnP Location overflow attempt"; content:"Location"; fast_pattern:only; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/smi"; metadata:ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2007-2386; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1388; rev:22;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:14;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows WebDAV propfind access"; flow:to_server,established; content:"propfind"; nocase; pcre:"/ $HOME_NET 139 (msg:"OS-WINDOWS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:14;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows .NET CLR multidimensional array handling remote code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FE 01 0A 06 2D 03 00 2B 19 02 17 7D 06 00 00 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3131; reference:cve,2013-3134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-052; classtype:attempted-admin; sid:27139; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows .NET CLR multidimensional array handling remote code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; 
file_data; content:"|FE 01 0A 06 2D 03 00 2B 19 02 17 7D 06 00 00 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3131; reference:cve,2013-3134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-052; classtype:attempted-admin; sid:27136; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt"; flow:to_server,established; file_data; content:"[!] %s"; content:"[*] %s"; content:"[+] %s"; content:"[?] %s"; metadata:service smtp; reference:cve,2013-3660; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-admin; sid:27231; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.lnk; file_data; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-049; classtype:attempted-user; sid:27719; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows malformed shortcut file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.lnk; file_data; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; 
byte_test:1,!&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15069; reference:bugtraq,15070; reference:cve,2005-2118; reference:cve,2005-2122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-049; classtype:attempted-user; sid:27718; rev:3;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Active Directory LDAP denial of service attempt"; icode:0; itype:11; content:"|01 11|"; depth:2; offset:8; content:"|01 85|"; within:2; distance:10; detection_filter:track by_dst, count 500, seconds 1; reference:cve,2013-3868; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-079; classtype:attempted-dos; sid:27860; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HTML Help security zone bypass attempt"; flow:to_client,established; flowbits:isset,file.hhk; file_data; content:"|22|Local|22| value=|22|C|3A 5C|WINDOWS|5C|PCHealth|5C|malwarez6|5B|1|5D|.htm|22|"; fast_pattern:only; metadata:service http; reference:bugtraq,11467; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; classtype:attempted-user; sid:28387; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HTML Help security zone bypass attempt"; flow:to_client,established; flowbits:isset,file.hhk; file_data; content:"|22|Local|22| value=|22|C|3A 5C|exploit.htm|22|"; fast_pattern:only; metadata:service http; reference:bugtraq,11467; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; classtype:attempted-user; sid:28386; rev:1;) # alert tcp 
$EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_server,established; file_data; content:"|6A 00 8D 45 BC 50 68 80 00 00 00 8B 4D C8 51 68 00 04 00 00 8B 55 C8 52 68 C8 23 FF 8F 8B 45 D4 50 FF 15|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28872; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_server,established; file_data; content:"|6A 00 89 E2 6A 00 52 68 80 00 00 00 50 68 00 04 00 00 50 68 C8 23 FF 8F 57 FF 56 08|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28871; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_server,established; file_data; content:"|5C 5C 5C 5C 2E 5C 5C|NDProxy"; fast_pattern:only; content:"DeviceIoControl"; content:"0x8fff23cc"; metadata:service smtp; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28870; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_client,established; file_data; content:"|6A 00 8D 45 BC 50 68 80 00 00 00 8B 4D C8 51 68 00 04 00 00 8B 55 C8 52 68 C8 23 FF 8F 8B 45 D4 50 FF 15|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, 
service pop3; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28869; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_client,established; file_data; content:"|6A 00 89 E2 6A 00 52 68 80 00 00 00 50 68 00 04 00 00 50 68 C8 23 FF 8F 57 FF 56 08|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28868; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt"; flow:to_client,established; file_data; content:"|5C 5C 5C 5C 2E 5C 5C|NDProxy"; fast_pattern:only; content:"DeviceIoControl"; content:"0x8fff23cc"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,63971; reference:cve,2013-5065; reference:url,technet.microsoft.com/en-us/security/advisory/2914486; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-002; classtype:attempted-admin; sid:28867; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows embedded OpenType font engine LZX decompression buffer overflow attempt"; flow:to_server,established; file_data; content:"|DE 0D 00 00 82 0C 00 00 02 00 02 00 E5|"; content:"|53 50 13 80 50 59 53 50 5B 7C D0 55 FD 06 58 94 D3 E3 98 7C|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,37671; reference:cve,2010-0018; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-001; classtype:attempted-admin; sid:29014; rev:3;) # alert tcp any [137,139] -> 
$HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Microsoft Windows RAP API NetServerEnum2 long comment buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.lanman; content:"|FF|SMB|25 00 00 00 00|"; depth:9; offset:4; byte_test:1,&,0x80,0,relative; byte_jump:2,50,relative,multiplier 26,little,post_offset 2; isdataat:32,relative; pcre:"/[^\x00]{50}/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-1852; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-admin; sid:29513; rev:4;) # alert tcp $EXTERNAL_NET [443] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows secure channel malformed certificate request memory corruption attempt"; flow:to_client,established; ssl_state:server_hello; content:"|16 03 01|"; depth:3; content:"|02|"; within:1; distance:2; byte_jump:3,0,relative; content:"|0B|"; within:1; byte_jump:3,0,relative; content:"|0D|"; within:1; byte_test:1,>,50,3,relative; byte_extract:1,4,preferred_cert,relative; byte_test:1,=,preferred_cert,0,relative; byte_test:1,=,preferred_cert,1,relative; metadata:service ssl; reference:bugtraq,42246; reference:cve,2010-2566; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-049; classtype:attempted-dos; sid:29823; rev:3;) # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt"; flow:to_client,established; content:"|00 00 3A 48 FE|SMB@|00|"; depth:10; isdataat:130,relative; content:"|04 01 82 37 02 02 0A A2 81 F1 04 81 EE 4E 54 4C 4D 53 53 50 00 02 00 00 00 14 00 14|"; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2010-0477; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-admin; sid:29943; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt"; 
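flow:to_server,established; content:".aspx?"; http_uri; content:"|2F 2C 27|"; fast_pattern; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-007; classtype:attempted-user; sid:30233; rev:2;)
# NOTE(review): this stretch had been collapsed so that several rules shared one physical line.
# A leading "#" comments out the rest of a line, so a disabled ("# alert") rule followed on the
# same line by an enabled rule silently disabled the enabled one (sid:31874 below sat in that
# position). Rules are restored to one per line; the rule text itself is unchanged.
# MS12-007 / CVE-2012-0007 Anti-XSS library bypass: "/,'" (sid:30233 above) or "/,\"" (sid:30232)
# in the query of an outbound .aspx request. Shipped disabled.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt"; flow:to_server,established; content:".aspx?"; http_uri; content:"|2F 2C 22|"; fast_pattern; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-007; classtype:attempted-user; sid:30232; rev:2;)
# MS14-032 / CVE-2014-1823 Lync meeting URL XSS: a "javascript:" scheme inside a url= query
# parameter (case-insensitive pcre on the normalized URI). Shipped disabled.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt"; flow:to_server,established; content:"url="; fast_pattern:only; http_uri; pcre:"/[?&]url=[^&]*?javascript\x3a/Ui"; metadata:service http; reference:cve,2014-1823; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-032; classtype:web-application-attack; sid:31217; rev:3;)
# MS10-094 / CVE-2010-3965 Media Encoder DLL preloading (MITRE T1038/T1129/T1157). The three SMB
# rules match the null-interleaved (UTF-16LE) DLL file name on 139/445 between $HOME_NET hosts; the
# three HTTP rules match the ASCII name in an outbound URI. All six are shipped disabled.
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"a|00|s|00|f|00|e|00|r|00|r|00|o|00|r|00|D|00|A|00|N|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31416; rev:4;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"w|00|i|00|n|00|i|00|e|00|t|00|D|00|A|00|N|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31415; rev:4;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"w|00|m|00|e|00|r|00|r|00|o|00|r|00|D|00|A|00|N|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31414; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|asferrorDAN.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31413; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|winietDAN.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31412; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wmerrorDAN.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,42855; reference:cve,2010-3965; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-094; classtype:attempted-user; sid:31411; rev:4;)
# Kerberos encryption-type downgrade (MITRE T1097). Enabled and set to drop in all three policies.
# The content chain looks like a KDC AS-REQ (pvno 5, msg-type 10) whose requested etype list
# starts with two zero entries; confirm against the referenced technet page before tuning.
alert tcp any any -> $HOME_NET 88 (msg:"OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt"; flow:to_server,established; content:"|A1 03 02 01 05 A2 03 02 01 0A|"; depth:10; offset:12; content:"|A7 06 02 04|"; distance:0; content:"|A8|"; within:1; distance:4; content:"|30|"; within:1; distance:1; content:"|02 01 00 02 01 00|"; within:6; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service kerberos; reference:url,attack.mitre.org/techniques/T1097; reference:url,technet.microsoft.com/library/9111e6f0-fb7f-4340-b87a-ab941978efe1.aspx; classtype:attempted-user; sid:31874; rev:3;)
# MS14-058 / CVE-2014-4113 TrackPopupMenu: executable byte patterns (presumably from a known
# exploit sample) inside an attachment, gated on the file.exe flowbit. Shipped disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|89 1D 03 00 00 00 C6 05 11 00 00 00 04 C7 05 5B 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32146; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; 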
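content:"|5A 77 41 6C 6C 6F 63 61 74 65 56 69 72 74 75 61 6C 4D 65 6D 6F 72 79 00|"; fast_pattern:only; content:"|B8 FB FF FF FF|"; metadata:service smtp; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32145; rev:2;)
# MS14-058 / CVE-2014-4113 TrackPopupMenu (continued), one rule per line. sid:32145 above and
# sid:32142 below match the ASCII string "ZwAllocateVirtualMemory\0" followed by "B8 FB FF FF FF";
# the other four match fixed executable byte runs. All gated on file.exe and shipped disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|48 A3 0B 00 00 00 01 00 00 00 B0 04 A2 25 00 00 00 01 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32144; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|89 1D 03 00 00 00 C6 05 11 00 00 00 04 C7 05 5B 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32143; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5A 77 41 6C 6C 6F 63 61 74 65 56 69 72 74 75 61 6C 4D 65 6D 6F 72 79 00|"; fast_pattern:only; content:"|B8 FB FF FF FF|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32142; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|48 A3 0B 00 00 00 01 00 00 00 B0 04 A2 25 00 00 00 01 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-058; classtype:attempted-admin; sid:32141; rev:2;)
# MS14-058 / CVE-2014-4148 TrueType parsing: a fixed 32-byte sfnt header (version 0x00010000) in
# file data. Enabled; drop in balanced and security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows TrueType Font parsing remote code execution attempt"; flow:to_server,established; file_data; content:"|00 01 00 00 00 09 CF F4 00 03 7F FF 00 00 00 00 00 00 00 0A 00 00 00 00 00 64 00 00 00 00 00 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-058; classtype:attempted-user; sid:32191; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows TrueType Font parsing remote code execution attempt"; flow:to_client,established; file_data; content:"|00 01 00 00 00 09 CF F4 00 03 7F FF 00 00 00 00 00 00 00 0A 00 00 00 00 00 64 00 00 00 00 00 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-058; classtype:attempted-user; sid:32190; rev:1;)
# MS14-070 / CVE-2014-4076 tcpip.sys null dereference: fixed executable byte run, no flowbit gate.
# Shipped disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows tcpip.sys null pointer dereference attempt"; flow:to_server,established; file_data; content:"|24 14 20 00 00 00 C7 44 24 10 00 00 00 00 C7 44 24 0C 20 00 00 00 8B 45 F0 89 44 24 08 C7 44 24 04 28 00 12 00 8B 45 F4 89 04 24 A1 1C 61 40 00 FF D0|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-4076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-070; classtype:attempted-admin; sid:32490; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows tcpip.sys null pointer dereference attempt"; flow:to_client,established; file_data; content:"|24 14 20 00 00 00 C7 44 24 10 00 00 00 00 C7 44 24 0C 20 00 00 00 8B 45 F0 89 44 24 08 C7 44 24 04 28 00 12 00 8B 45 F4 89 04 24 A1 1C 61 40 00 FF D0|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-070; classtype:attempted-admin; sid:32489; rev:2;)
# MS14-072 / CVE-2014-4149 .NET remoting IMessage corruption: type/assembly name string sequence in
# file data. Enabled; drop in balanced and security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS .NET Framework BinaryServerFormatterSink-ProcessMessage IMessage corruption attempt"; flow:to_server,established; file_data; content:"Installer|00|FakeAsm|00|IRemoteClass|00|GetExistingRemoteClass"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4149; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-072; classtype:attempted-user; sid:32475; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS .NET Framework BinaryServerFormatterSink-ProcessMessage IMessage corruption attempt"; flow:to_client,established; file_data; content:"Installer|00|FakeAsm|00|IRemoteClass|00|GetExistingRemoteClass"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4149; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-072; classtype:attempted-user; sid:32474; rev:1;)
# MS14-066 / CVE-2014-6321 SChannel, DTLS side. Record header 16 FE FF (handshake, DTLS 1.0),
# handshake type 03 (HelloVerifyRequest); fragment_length is extracted and the cookie length byte
# that follows the server_version is required to exceed it. NOTE(review): the header pins the
# source port to 4433, so DTLS servers on other ports are not covered by this rule.
alert udp $EXTERNAL_NET 4433 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DTLSv1.0 hello verify request out of bounds read attempt"; flow:to_client; content:"|16 FE FF|"; depth:3; content:"|03|"; within:1; distance:10; byte_extract:3,8,fragment_len,relative; content:"|FE FF|"; within:2; byte_test:1,>,fragment_len,0,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-6321; 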
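reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32423; rev:2;)
# MS14-066 / CVE-2014-6321, DTLS HelloVerifyRequest: cookie length byte > 32, the DTLS 1.0
# maximum. Same source-port-4433 restriction as sid:32423 above.
alert udp $EXTERNAL_NET 4433 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DTLSv1.0 handshake cookie buffer overflow attempt"; flow:to_client; content:"|16 FE FF|"; depth:3; content:"|03|"; within:1; distance:10; content:"|FE FF|"; within:2; distance:11; byte_test:1,>,32,0,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32422; rev:2;)
# MS14-066 ECDH ClientKeyExchange, one rule per TLS version (16 03 03 / 16 03 02 / 16 03 01).
# After handshake type 10 (ClientKeyExchange) the 3-byte handshake length is extracted and the
# first body byte (the public-key length) must exceed it. Enabled; drop in balanced/security.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|16 03 03|"; depth:3; content:"|10|"; within:1; distance:2; byte_extract:3,0,client_keyx_len,relative; byte_test:1,>,client_keyx_len,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32421; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|16 03 02|"; depth:3; content:"|10|"; within:1; distance:2; byte_extract:3,0,client_keyx_len,relative; byte_test:1,>,client_keyx_len,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32420; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|16 03 01|"; depth:3; content:"|10|"; within:1; distance:2; byte_extract:3,0,client_keyx_len,relative; byte_test:1,>,client_keyx_len,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32419; rev:2;)
# MS14-066 CertificateVerify, EC keys. The fast pattern is the DER-encoded ecPublicKey OID
# followed by a curve OID (2B 81 04 00 22 = secp384r1, 2A 86 48 CE 3D 03 01 07 = prime256v1);
# the chain then anchors on handshake type 0F (CertificateVerify), a SEQUENCE and an INTEGER
# whose length byte exceeds the curve's expected size (0x31 for P-384, 0x21 for P-256). The
# rule with byte_jump appears to test the second INTEGER, the one without it the first.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 05 2B 81 04 00 22|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_jump:1,0,relative; content:"|02|"; within:1; byte_test:1,>,0x31,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32417; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 05 2B 81 04 00 22|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_test:1,>,0x31,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32416; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_jump:1,0,relative; content:"|02|"; within:1; byte_test:1,>,0x21,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32415; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_test:1,>,0x21,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32414; rev:5;)
# MS14-066 ECDSA signature check, server side (ssl_state:server_keyx, from port 443). Each rule
# keys on named-curve id 03 00 xx (0x18 = secp384r1, 0x17 = secp256r1, 0x16 = secp256k1), skips
# the public key, and then requires a DER INTEGER with an oversized length byte (0x60 / 0x40)
# in the signature. Enabled; drop in balanced/security.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 18|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 60|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32413; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 17|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 40|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; 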
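reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32412; rev:2;)
# MS14-066 ECDSA signature check (continued): secp256k1 (0x16) with an 0x40-length INTEGER.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 16|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 40|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32411; rev:2;)
# MS14-066 CertificateVerify, secp521r1 (curve OID 2B 81 04 00 23): INTEGER length byte > 0x42.
# As with the P-384/P-256 pairs, the byte_jump variant appears to test the second INTEGER.
# Note the distance:2 (not 1) before the first "|02|" in this pair.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 05 2B 81 04 00 23|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:2; byte_jump:1,0,relative; content:"|02|"; within:1; byte_test:1,>,0x42,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32410; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01 06 05 2B 81 04 00 23|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:2; byte_test:1,>,0x42,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32409; rev:3;)
# MS14-066 ECDSA signature check for the smaller named curves (0x13 .. 0x0F), INTEGER length
# byte 0x30 or 0x28. Enabled; drop in balanced/security.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 13|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 30|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32408; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 12|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 30|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32407; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 11|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 28|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32406; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 10|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 28|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32405; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 0F|"; byte_jump:1,0,relative,post_offset 1; content:"|03|"; within:1; content:"|30|"; within:1; distance:2; content:"|02 28|"; within:2; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:misc-attack; sid:32404; rev:2;)
# MS08-075 / CVE-2008-4269 search-ms: protocol handler injection. Shipped disabled.
# NOTE(review): the pcre looks damaged by extraction: "(?P[\x22\x27])" is a named group with the
# name stripped, which will not compile; the later "(P=q1)" suggests the group was "(?P<q1>...)".
# Do not enable this rule until the pattern is re-checked against the upstream ruleset.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows search protocol remote command injection attempt"; flow:to_client,established; content:"src="; nocase; content:"search-ms:"; within:12; nocase; pcre:"/src=(?P[\x22\x27])\s*?search-ms\x3a[^#]*?#[^(P=q1)]*?\x2f(root|select)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-075; classtype:attempted-user; sid:32615; rev:2;)
# MS14-066 CertificateVerify, DSA keys (OID 2A 86 48 CE 38 04 01): here the INTEGER length byte
# must be below 0x14 rather than above a bound. Enabled; drop in balanced/security.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 38 04 01|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_test:1,<,0x14,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32732; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 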
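(msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 38 04 01|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_jump:1,0,relative; content:"|02|"; within:1; byte_test:1,<,0x14,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32731; rev:1;)
# MS07-057 / advisory 943521 URI-handler abuse (mailto:, snews:, launchURL). These run pcre over
# the SMTP file_data buffer; sid:32871's pattern uses a lookbehind, which is comparatively costly.
# All shipped disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Multiple product mailto uri handling code execution attempt"; flow:to_server,established; file_data; content:"mailto|3A|"; nocase; content:"|2E|cmd"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?(\x2Ecmd((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5cx)00)/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25053; reference:bugtraq,25945; reference:cve,2007-3845; reference:cve,2007-3896; reference:cve,2007-4041; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:32871; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt"; flow:to_server,established; file_data; content:"launchURL"; nocase; content:"http|3A|"; distance:0; pcre:"/[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)/Ri"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:32870; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 
ShellExecute and IE7 snews url handling code execution attempt"; flow:to_server,established; file_data; content:"document|2E|location|2E|replace"; content:"|2E|exe"; distance:0; nocase; content:"|2E|pdf"; distance:0; nocase; pcre:"/document\x2Elocation\x2Ereplace\s*\x28\s*[\x22\x27][a-z0-9]+\.exe\?[a-z0-9]+\.pdf/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:32869; rev:2;)
# MS15-001 / CVE-2015-0002 AppCompat cache token check bypass: API name strings plus a
# null-interleaved "System" in an executable (file.exe flowbit). Shipped disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows identity token authorization bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"NtApphelpCacheControl"; fast_pattern:only; content:"RtlInitUnicodeString"; content:"|00|S|00|y|00|s|00|t|00|e|00|m|00|"; metadata:service smtp; reference:cve,2015-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-001; classtype:attempted-admin; sid:32966; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows identity token authorization bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"NtApphelpCacheControl"; fast_pattern:only; content:"RtlInitUnicodeString"; content:"|00|S|00|y|00|s|00|t|00|e|00|m|00|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-001; classtype:attempted-admin; sid:32965; rev:4;)
# MS04-042 / CVE-2004-0900 DHCP client-identifier overflow: magic cookie at offset 236, option 53
# (message type) 7 = RELEASE or 4 = DECLINE, then option 61 with a length byte > 252 and at least
# 252 bytes actually present (isdataat). The within:3 right after the cookie means option 53 must
# be the first option. Shipped disabled.
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 07|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,252,0,relative; isdataat:252,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0900; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-user; sid:33017; rev:1;)
# alert udp any any -> any 67 (msg:"OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|35 01 04|"; within:3; content:"|3D|"; distance:0; byte_test:1,>,252,0,relative; isdataat:252,relative; metadata:service dhcp; reference:bugtraq,11920; reference:cve,2004-0900; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-042; classtype:attempted-user; sid:33016; rev:1;)
# MS15-008 / CVE-2015-0011 WebdavRedirector: the UTF-16LE device path
# \\?\GLOBALROOT\Device\WebdavRedirector inside an executable (file.exe flowbit). Shipped disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WebdavRedirector privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 5C 00 5C 00|?|00 5C 00|G|00|L|00|O|00|B|00|A|00|L|00|R|00|O|00|O|00|T|00 5C 00|D|00|e|00|v|00|i|00|c|00|e|00 5C 00|W|00|e|00|b|00|d|00|a|00|v|00|R|00|e|00|d|00|i|00|r|00|e|00|c|00|t|00|o|00|r|00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-008; classtype:attempted-user; sid:33049; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WebdavRedirector privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 5C 00 5C 00|?|00 5C 00|G|00|L|00|O|00|B|00|A|00|L|00|R|00|O|00|O|00|T|00 5C 00|D|00|e|00|v|00|i|00|c|00|e|00 5C 00|W|00|e|00|b|00|d|00|a|00|v|00|R|00|e|00|d|00|i|00|r|00|e|00|c|00|t|00|o|00|r|00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-008; classtype:attempted-user; sid:33048; rev:2;)
# CVE-2015-0010 CryptProtectMemory impersonation check bypass (no bulletin URL given):
# fixed byte run in an executable (file.exe flowbit). Shipped disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS CryptProtectMemory Impersonation Check Bypass attempt"; 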
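flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 00 01 2E 40 00 23 4A 40 00 AB 63 40 00 F5 C1 40 00 83 74 40 00 00 00 00 00 00 00 00 00 66 F0 40 00 5A 11 41 00 1E 64 40|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0010; classtype:attempted-admin; sid:33156; rev:2;)
# CVE-2015-0010 CryptProtectMemory, $FILE_DATA_PORTS twin of sid:33156 above. Shipped disabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS CryptProtectMemory Impersonation Check Bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 00 01 2E 40 00 23 4A 40 00 AB 63 40 00 F5 C1 40 00 83 74 40 00 00 00 00 00 00 00 00 00 66 F0 40 00 5A 11 41 00 1E 64 40|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0010; classtype:attempted-admin; sid:33155; rev:2;)
# MS06-016 / MS06-076 Outlook Express .wab parsing: fixed byte run in SMTP file data. Shipped
# disabled; no $FILE_DATA_PORTS twin is present in this stretch.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"|00 00 00 1F 00 11 3A FF FF 0F 00 46 00 6F 00 72 00 6F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,17459; reference:cve,2006-0014; reference:cve,2006-2386; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-016; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-076; classtype:attempted-user; sid:33198; rev:2;)
# MS15-010 / CVE-2015-0003 WM_SYSTIMER null pWnd: executable byte run, no flowbit gate. Shipped
# disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt"; flow:to_server,established; file_data; content:"|68 18 01 00 00 68 18 01 00 00 6A 00 8D 45 DC 50 FF 15 CC 43 43 00 3B F4 E8 91 10 FF FF 85 C0 75 02|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-010; classtype:attempted-admin; sid:33364; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt"; flow:to_client,established; 
file_data; content:"|68 18 01 00 00 68 18 01 00 00 6A 00 8D 45 DC 50 FF 15 CC 43 43 00 3B F4 E8 91 10 FF FF 85 C0 75 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-010; classtype:attempted-admin; sid:33363; rev:2;)
# MS15-010 / CVE-2015-0057 win32k.sys use-after-free: fixed byte run. Shipped disabled; only the
# $FILE_DATA_PORTS variant is present in this stretch.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows win32k.sys use-after-free attempt"; flow:to_client,established; file_data; content:"|2C 02 01 00 1C 02 01 00 0E 02 01 00 FE 01 01 00 EC 01 01 00 D8 01 01 00 C6 01 01 00 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0057; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-010; classtype:attempted-admin; sid:33355; rev:2;)
# MS15-010 / CVE-2015-0058 linked-cursor double free: two 32-byte runs in sequence.
# NOTE(review): the SMTP rule bounds the second pattern with within:64 while its $FILE_DATA_PORTS
# twin uses within:100; the two should probably agree - confirm against the test sample.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 8 x64 linked cursor double free attempt"; flow:to_server,established; file_data; content:"|41 B9 04 00 00 00 41 B8 01 00 00 00 BA 01 00 00 00 33 C9 FF 15 78 9B 00 00 48 89 84 24 B0 00 00 00|"; fast_pattern; content:"|41 B9 04 00 00 00 41 B8 01 00 00 00 BA 01 00 00 00 33 C9 FF 15 3B 9B 00 00 48 89 84 24 B8 00 00 00|"; within:64; metadata:service smtp; reference:cve,2015-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-010; classtype:attempted-user; sid:33344; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows 8 x64 linked cursor double free attempt"; flow:to_client,established; file_data; content:"|41 B9 04 00 00 00 41 B8 01 00 00 00 BA 01 00 00 00 33 C9 FF 15 78 9B 00 00 48 89 84 24 B0 00 00 00|"; fast_pattern; content:"|41 B9 04 00 00 00 41 B8 01 00 00 00 BA 01 00 00 00 33 C9 FF 15 3B 9B 00 00 48 89 84 24 B8 00 00 00|"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0058; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-010; classtype:attempted-user; sid:33343; rev:2;)
# NOTE(review): the next line is two rules fused by extraction. The Comctl32.dll SVG-viewer rule
# loses everything after 'content:"' (its pattern, and presumably its sid/rev and any
# $FILE_DATA_PORTS twin), and the header of the CmpGetVirtualizationID rule sid:33774 is gone
# with it. The text is kept verbatim; restore both from the upstream ruleset before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Comctl32.dll third-party SVG viewer heap overflow attempt"; flow:to_server,established; file_data; content:" $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt"; flow:to_server,established; file_data; content:"NtSetValueKey|00 00 00|T|00|e|00|s|00|t|00|V|00|a|00|l|00|u|00|e"; fast_pattern:only; content:"MSDN S4U Logon Sample"; metadata:service smtp; reference:cve,2015-0073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-025; classtype:attempted-user; sid:33774; rev:3;)
# MS15-025 / CVE-2015-0073 CmpGetVirtualizationID race, $FILE_DATA_PORTS twin (intact).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt"; flow:to_client,established; file_data; content:"NtSetValueKey|00 00 00|T|00|e|00|s|00|t|00|V|00|a|00|l|00|u|00|e"; fast_pattern:only; content:"MSDN S4U Logon Sample"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-025; classtype:attempted-user; sid:33773; rev:3;)
# MS15-023 / CVE-2015-0077 NtUserfnINSTRINGNULL kernel info leak: the byte run contains "RSDS"
# (52 53 44 53), which looks like a PDB debug record, i.e. it pins one specific build of a sample.
# classtype:attempted-recon. Shipped disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt"; flow:to_server,established; file_data; content:"|00 40 40 00 C0 35 40 00 03 00 00 00 52 53 44 53 83 9E 0A 38 D1 D1 66 4C 8B CD 6D 16 36 05 E5 A6 01 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-023; classtype:attempted-recon; sid:33770; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt"; flow:to_client,established; file_data; content:"|00 40 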
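40 00 C0 35 40 00 03 00 00 00 52 53 44 53 83 9E 0A 38 D1 D1 66 4C 8B CD 6D 16 36 05 E5 A6 01 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-023; classtype:attempted-recon; sid:33769; rev:4;)
# MS15-023 / CVE-2015-0094 NtUserFnINOUTNCCALCSIZE kernel memory leak: fixed byte run, no flowbit
# gate. Shipped disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserFnINOUTNCCALCSIZE kernel memory leak attempt"; flow:to_server,established; file_data; content:"|34 40 00 30 10 40 00 E0 10 40 00 F0 10 40 00 60 10 40 00 C0 10 40 00 80 10 40 00 60 35 40 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-023; classtype:attempted-user; sid:33768; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserFnINOUTNCCALCSIZE kernel memory leak attempt"; flow:to_client,established; file_data; content:"|34 40 00 30 10 40 00 E0 10 40 00 F0 10 40 00 60 10 40 00 C0 10 40 00 80 10 40 00 60 35 40 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-023; classtype:attempted-user; sid:33767; rev:2;)
# MS15-023 / MS15-097 (CVE-2015-0078, CVE-2015-2527) NtUserGetClipboardAccessToken: matches a
# literal "_SecurityBypass" symbol name in an executable (file.exe flowbit), so it only catches
# samples that keep that string. Shipped disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt"; flow:established,to_server; flowbits:isset,file.exe; file_data; content:"NtUserGetClipboardAccessToken_SecurityBypass"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0078; reference:cve,2015-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-097; classtype:attempted-admin; sid:33766; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege 
escalation attempt"; flow:established,to_client; flowbits:isset,file.exe; file_data; content:"NtUserGetClipboardAccessToken_SecurityBypass"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0078; reference:cve,2015-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-097; classtype:attempted-admin; sid:33765; rev:3;)
# MS15-021 / CVE-2015-0087 ATMFD type-1 charstring termination: fixed 40-byte run (encrypted
# charstring bytes, so no flowbit gate is possible). Shipped disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS ATLMFD.DLL improperly terminated encrypted charstrings in type 1 font attempt"; flow:to_server,established; file_data; content:"|A4 3C 53 73 F8 D6 F6 32 A5 85 CB 7E CE 7E A5 BB DA C2 47 37 A2 09 42 5C 64 25 EA 86 D6 D8 80 01 15 02 00 00 0A 30 30 30|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-user; sid:33729; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS ATLMFD.DLL improperly terminated encrypted charstrings in type 1 font attempt"; flow:to_client,established; file_data; content:"|A4 3C 53 73 F8 D6 F6 32 A5 85 CB 7E CE 7E A5 BB DA C2 47 37 A2 09 42 5C 64 25 EA 86 D6 D8 80 01 15 02 00 00 0A 30 30 30|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-user; sid:33728; rev:2;)
# MS15-028 / CVE-2015-0084 Task Scheduler ACL bypass: executable byte run, $FILE_DATA_PORTS only
# in this stretch. Shipped disabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Task Scheduler access control bypass attempt"; flow:to_client,established; file_data; content:"|34 53 FF FF 39 B0 80 00 00 00 74 31 81 3F 4D 4F 43 E0 74 29 81 3F 52 43 43 E0 74 21 FF 75 24 FF 75 20 53 FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0084; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-028; classtype:attempted-admin; sid:33717; rev:3;)
# MS15-021 / CVE-2015-0091 atmfd.dll out-of-bounds write, gated on the file.psfont flowbit.
# NOTE(review): sid:33714 has no file_data modifier, unlike its twin sid:33713 and every other
# SMTP rule in this stretch, so its content is matched against the raw SMTP payload rather than
# the decoded attachment. Inserting `file_data;` after the flowbits check is the likely fix;
# verify against the test capture before changing a shipped signature.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt"; flow:to_server,established; flowbits:isset,file.psfont; content:"|F9 D4 59 5C 86 22 CB C8 45 EE 2A 82 A0 97 9A CF 20 2B 32 1C E4 46 58 47 DB 81 68 53 D7 F8 10 2E|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-021; classtype:attempted-admin; sid:33714; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt"; flow:to_client,established; flowbits:isset,file.psfont; file_data; content:"|F9 D4 59 5C 86 22 CB C8 45 EE 2A 82 A0 97 9A CF 20 2B 32 1C E4 46 58 47 DB 81 68 53 D7 F8 10 2E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-021; classtype:attempted-admin; sid:33713; rev:2;)
# MS15-021 / CVE-2015-0090 type-1 font out-of-bounds access: fixed 32-byte run, no flowbit gate.
# Enabled; drop in all three policies. In the collapsed text the disabled sid:33713 above shared
# a line with this rule, which would have commented it out.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Type one font out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|88 79 F2 E3 79 B5 B8 DD BC 08 51 17 FC 29 1A 6C 1C CE EB 34 8D 37 68 89 9B 3F 87 83 83 9E 80 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0090; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-user; sid:33712; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Type one font out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|88 79 F2 E3 79 B5 B8 DD BC 08 51 17 FC 29 1A 6C 1C CE EB 34 8D 37 68 89 9B 3F 87 83 83 9E 80 01|"; fast_pattern:only; metadata:policy balanced-ips 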
drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0090; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-user; sid:33711; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt"; flow:to_server,established; file_data; content:"getElementById"; nocase; content:"setTimeout"; fast_pattern; nocase; pcre:"/\x2esrc\s*=\s*[\x22\x27]([^\x2e]+)\x2exml\x3f[\x22\x27]\s*\x2b.*\x2esrc\s*=\s*[\x22\x27]\1\x2exml\x3f[^\x22\x27]+[\x22\x27]\s\x2b/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-user; sid:33829; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementById("; nocase; content:".src ="; distance:0; nocase; content:"+ Math.random()"; distance:0; nocase; content:"setTimeout"; fast_pattern; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-user; sid:33828; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById("; nocase; content:".src ="; distance:0; nocase; content:"+ Math.random()"; distance:0; nocase; content:"setTimeout"; fast_pattern; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-user; sid:33827; rev:2;) alert tcp 
$EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"NTLMSSP|00 03 00 00 00|"; within:100; content:"|00 00 00 00 40 00 00 00|"; within:8; distance:24; flowbits:set,smb.null_session; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:33825; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_test:1,<,0x14,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:34058; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|06 07 2A 86 48 CE 3D 02 01|"; fast_pattern:only; content:"|16 03|"; content:"|0F|"; within:1; distance:3; content:"|30|"; within:1; distance:5; content:"|02|"; within:1; distance:1; byte_jump:1,0,relative; content:"|02|"; within:1; byte_test:1,<,0x14,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:34057; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"OS-WINDOWS Microsoft Windows NtCreateTransactionManager type confusion attempt"; 
flow:established,to_server; flowbits:isset,file.exe; file_data; content:"|5C 00 30 00 5C 00 44 00 6F 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 30 00 38 00 58|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1643; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-admin; sid:34096; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtCreateTransactionManager type confusion attempt"; flow:established,to_client; flowbits:isset,file.exe; file_data; content:"|5C 00 30 00 5C 00 44 00 6F 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 30 00 38 00 58|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1643; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-admin; sid:34095; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Defender misconfiguration MpCmdRun.exe system execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"MpCmdRun.exe -ListAllDynamicSignatures"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-037; classtype:attempted-admin; sid:34092; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Defender misconfiguration MpCmdRun.exe system execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MpCmdRun.exe -ListAllDynamicSignatures"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-037; classtype:attempted-admin; sid:34091; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation 
attempt"; flow:to_server,established; file_data; content:"gSharedInfo|00|u|00|s|00|e|00|r|00|3|00|2|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; content:"|36 00 00 00 C7 05|"; content:"|2C 00 00 00 C7 05|"; within:6; distance:4; content:"|40 00 00 00 C7 05|"; within:6; distance:4; content:"|F8 00 00 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-admin; sid:34179; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt"; flow:to_client,established; file_data; content:"gSharedInfo|00|u|00|s|00|e|00|r|00|3|00|2|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; content:"|36 00 00 00 C7 05|"; content:"|2C 00 00 00 C7 05|"; within:6; distance:4; content:"|40 00 00 00 C7 05|"; within:6; distance:4; content:"|F8 00 00 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-admin; sid:34178; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt"; flow:to_server,established; file_data; content:"|00 40 40 00 C0 35 40 00 03 00 00 00 52 53 44 53 B5 A8 67 C4 93 E3 C7 40 A9 C1 C9 77 FF 00 B5 B0 01 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1676; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-051; classtype:attempted-recon; sid:34443; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt"; flow:to_client,established; file_data; content:"|00 40 40 00 C0 35 40 00 03 00 00 00 52 53 44 53 B5 A8 67 C4 93 E3 C7 40 A9 C1 C9 77 FF 00 B5 B0 01 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, 
service pop3; reference:cve,2015-1676; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-051; classtype:attempted-recon; sid:34442; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Win32k TrueType Font parsing out of bounds attempt"; flow:to_server,established; file_data; content:"|CF F4 00 03 7F FF 00 00 00 00 00 00 00 0A 00 00 00 00 00 64 00 00 00 00 00 02|"; fast_pattern:only; content:"|B0 27 B0 15 B0 38 43 60 42 B0 01 68|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1671; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-044; classtype:attempted-user; sid:34441; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Win32k TrueType Font parsing out of bounds attempt"; flow:to_client,established; file_data; content:"|CF F4 00 03 7F FF 00 00 00 00 00 00 00 0A 00 00 00 00 00 64 00 00 00 00 00 02|"; fast_pattern:only; content:"|B0 27 B0 15 B0 38 43 60 42 B0 01 68|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1671; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-044; classtype:attempted-user; sid:34440; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Explorer .msc file stack overflow attempt"; flow:to_server,established; file_data; content:" $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Explorer .msc file stack overflow attempt"; flow:to_client,established; file_data; content:" $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows .NET XML recursive call denial of service attempt"; flow:to_server,established; file_data; content:"|3F 5F 7F 11 D5 0A 3A 05 20 01 01 12 11 05 20 01 12 19 0E 05 20 01 12 1D 08 05 20 01 01 12 21 03 20 00 02 05|"; fast_pattern:only; metadata:service smtp; 
reference:cve,2015-1672; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-048; classtype:attempted-dos; sid:34435; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows .NET XML recursive call denial of service attempt"; flow:to_client,established; file_data; content:"|3F 5F 7F 11 D5 0A 3A 05 20 01 01 12 11 05 20 01 12 19 0E 05 20 01 12 1D 08 05 20 01 01 12 21 03 20 00 02 05|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1672; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-048; classtype:attempted-dos; sid:34434; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt"; flow:to_server,established; file_data; content:"|BA 40 00 39 00 48 8B 4C 24 60 FF 15 05 BE 00 00 48 8B 54 24 70 48 8D 0D B1 C0 00 00 E8 40 00 00 00 48 8B 4C 24 60|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74488; reference:cve,2015-1674; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-052; classtype:attempted-recon; sid:34427; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt"; flow:to_client,established; file_data; content:"|BA 40 00 39 00 48 8B 4C 24 60 FF 15 05 BE 00 00 48 8B 54 24 70 48 8D 0D B1 C0 00 00 E8 40 00 00 00 48 8B 4C 24 60|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74488; reference:cve,2015-1674; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-052; classtype:attempted-recon; sid:34426; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt"; flow:to_server,established; file_data; content:"|68 AC 32 40 00 8D 44 24 50 6A 1F 50 E8 A1 07 00 00 8B 0D 50 30 
40 00 8D 54 24 58 83 C4 10 E8 2F|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1677; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-051; classtype:attempted-admin; sid:34414; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt"; flow:to_client,established; file_data; content:"|68 AC 32 40 00 8D 44 24 50 6A 1F 50 E8 A1 07 00 00 8B 0D 50 30 40 00 8D 54 24 58 83 C4 10 E8 2F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1677; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-051; classtype:attempted-admin; sid:34413; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Calendar object heap corruption attempt"; flow:to_server,established; file_data; content:"|08 1A 02 E9 9E 48 80 43 BD D9 09 28 B3 91 21 AB 00 08 B7 7A 5C 56 19 34 E0 89 03 06 12 0D 04 20 01 01 02 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1673; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-048; classtype:attempted-user; sid:34402; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Calendar object heap corruption attempt"; flow:to_client,established; file_data; content:"|08 1A 02 E9 9E 48 80 43 BD D9 09 28 B3 91 21 AB 00 08 B7 7A 5C 56 19 34 E0 89 03 06 12 0D 04 20 01 01 02 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1673; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-048; classtype:attempted-user; sid:34401; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows 
NtUserGetComboBoxInfo information disclosure attempt"; flow:to_server,established; file_data; content:"|50 68 AC 32 40 00 8D 44 24 48 6A 1F 50 E8 A1 07 00 00 8B 0D 50 30 40 00 8D 54 24 50 83 C4 10 E8|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1678; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-051; classtype:attempted-recon; sid:34378; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows NtUserGetComboBoxInfo information disclosure attempt"; flow:to_client,established; file_data; content:"|50 68 AC 32 40 00 8D 44 24 48 6A 1F 50 E8 A1 07 00 00 8B 0D 50 30 40 00 8D 54 24 50 83 C4 10 E8|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1678; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-051; classtype:attempted-recon; sid:34377; rev:2;) alert tcp $HOME_NET any -> any [137,139] (msg:"OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage attempt"; flow:to_server,established; content:"LANMAN"; flowbits:set,file.lanman; flowbits:noalert; metadata:service netbios-ssn; classtype:misc-activity; sid:29514; rev:6;) alert tcp $HOME_NET any -> any [137,139] (msg:"OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage attempt"; flow:to_server,established; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|L|00|A|00|N|00|M|00|A|00|N"; flowbits:set,file.lanman; flowbits:noalert; metadata:service netbios-ssn; classtype:misc-activity; sid:28425; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB malformed process ID high field denial of service attempt"; flow:to_server,established; content:"|02|SMB 2"; fast_pattern:only; content:"|FF|SMBr"; depth:5; offset:4; content:!"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-2532; reference:cve,2009-3103; 
reference:url,technet.microsoft.com/en-us/security/advisory/975497; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-050; classtype:attempted-dos; sid:26643; rev:6;) # alert tcp any [137,139] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long comment buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.lanman; content:"|FF|SMB|25 00 00 00 00|"; depth:9; offset:4; byte_test:1,&,0x80,0,relative; byte_jump:2,51,relative,multiplier 26,little,post_offset 2; isdataat:32,relative; pcre:"/[^\x00]{50}/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-1852; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-admin; sid:24336; rev:12;) # alert tcp any [138,139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt"; flow:to_client,established; flowbits:isset,netsenum; content:"|EA 00|"; depth:3; offset:59; isdataat:22; content:!"|00|"; within:16; distance:6; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:bugtraq,54940; reference:cve,2012-1853; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-dos; sid:24007; rev:15;) alert tcp $HOME_NET any -> any [138,139,445] (msg:"OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt"; flow:to_server,established; content:"|68 00|WrLehD"; pcre:"/^[oz]/Ri"; content:"|01 00|"; within:2; distance:9; flowbits:set,netsenum; flowbits:noalert; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,54940; reference:cve,2012-1853; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-dos; sid:23839; rev:18;) # alert tcp $EXTERNAL_NET [138,139] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB NetServerEnum response host format string exploit attempt"; 
flow:to_client,established; content:"|00|"; depth:1; content:"|FF|SMB%|00 00 00 00|"; within:9; distance:3; content:"|00 00|"; within:2; distance:47; byte_test:2,<,100,2,relative,little; content:"%"; within:1000; distance:2; pcre:"/^(\d+\x24)?(\d+)?[nxcsd]/iR"; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1851; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; classtype:attempted-admin; sid:23838; rev:11;) # alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB invalid character argument injection attempt"; flow:to_client,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; isdataat:200; byte_test:1,&,0x80,0,relative; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:13; content:"|00|"; within:1; distance:28 ; pcre:"/([\x21-\x7F]\x00){1,50}[\x3C\x3E\x3A\x22\x7C\x3F\x2A]/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2012-0175; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-048; classtype:attempted-user; sid:23314; rev:13;) # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt"; flow:to_client,established; content:"|00 00 FF FF FE|SMB@|00|"; depth:10; isdataat:130,relative; content:"|01 00|"; within:2; distance:6; content:"|A0 00 00 00|"; within:4; distance:6; content:"H|00 04 01|"; within:4; distance:44; content:"AAAAAAAA"; within:8; distance:56; metadata:policy max-detect-ips drop, policy security-ips alert, service netbios-ssn; reference:cve,2010-0477; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-020; classtype:attempted-admin; sid:23237; rev:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows RemoteDesktop new session flood attempt"; flow:to_server,established,no_stream; content:"|02 F0 80 7F 65|"; content:"|03 00|"; 
within:2; distance:-9; detection_filter:track by_src,count 10,seconds 3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; classtype:attempted-admin; sid:21570; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows RDP RST denial of service attempt"; flow:to_server,no_stream; flags:R; detection_filter:track by_src, count 200, seconds 1; metadata:policy max-detect-ips drop; reference:cve,2012-0152; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-001; classtype:attempted-dos; sid:21568; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; file_data; content:"|62 69 6E EC 56 CD 6E D3 40 10 9E 34 14 A8 69 24 E0 C0 A1 27 2B 27 07 B5 56 D2 AA 07 22 15 D1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:21508; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; file_data; content:"|10 00 11 10 BA 05 00 00 00 1A 00 00 78 9C ED 19 CB 6E 1C 45 B0 76 4D 88 ED 24 24 E1 4D 08 30|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:21507; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote 
code execution attempt"; flow:to_client,established; file_data; content:"|62 69 6E EC 56 5B 6F 1B 45 14 1E BB 84 92 B4 A5 17 A0 2D E5 B6 DD 42 B9 54 DE F5 DA A8 17 CB|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:21506; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; file_data; content:"|62 69 6E EC 55 CD 6E D3 40 10 9E A4 14 A8 69 24 E0 C0 A1 27 2B 27 07 B5 56 12 94 03 91 8A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:21505; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt"; flow:to_client,established; file_data; content:"|10 00 11 10 B6 08 00 00 00 32 00 00 78 01 EC 5A 5D 6C 1C 57 15 3E B3 B6 13 27 4D 5D 3B 49 43 D2 40 3B 91 D3 90 D2 66 BB EB 9F FC 15 C2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:21504; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt"; flow:to_client,established; file_data; content:"style="; nocase; content:"|5C 2C 22|"; within:50; fast_pattern; content:"expression"; within:50; nocase; 
pcre:"/style\s*=\s*\x27?[^\x27]*?\x5C\x2C\x22[^\x27]+expression\s*\x28/"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-007; classtype:attempted-user; sid:21405; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt"; flow:to_client,established; file_data; content:"style="; nocase; content:"|5C 2C 27|"; within:50; fast_pattern; content:"expression"; within:50; nocase; pcre:"/style\s*=\s*\x22?[^\x22]*?\x5C\x2C\x27[^\x22]+expression\s*\x28/"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-007; classtype:attempted-user; sid:20884; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS generic web server hashing collision attack"; flow:established,to_server; content:"Content-Type|3A|"; nocase; http_header; content:"multipart/form-data"; within:40; nocase; http_header; isdataat:5000; pcre:"/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){250}/OPsmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-100; classtype:attempted-dos; sid:20824; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_client,established; file_data; content:"|00 01 00 00 0E B7 AD 87 5F 0F 3C F5 00 03 03 E8 00 00 00 00 C9 D2 5F 76 00 00 00 00 C9 D2 5F 76 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1873; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-user; sid:20073; rev:14;) # alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB client TRANS response paramcount overflow attempt"; flow:to_client,established; content:"|FF|SMB2"; depth:5; offset:4; fast_pattern; byte_test:3,>,40,1,big; isdataat:36,relative; byte_extract:2,28,total,relative,little; content:"|00 00|"; within:2; distance:2; byte_test:2,>,total,0,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:attempted-admin; sid:19972; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft XML core services cross-domain information disclosure attempt"; flow:to_client,established; file_data; content:"XMLHttpRequest"; pcre:"/setRequestHeader.*chunked/smiR"; content:"send"; distance:0; content:"0|5C|r|5C|n|5C|r|5C|n"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-recon; sid:19818; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Groove GroovePerfmon.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|GroovePerfmon.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3146; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-016; classtype:attempted-user; sid:19315; rev:13;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Groove GroovePerfmon.dll dll-load exploit attempt"; flow:to_server,established; 
content:"G|00|r|00|o|00|o|00|v|00|e|00|P|00|e|00|r|00|f|00|m|00|o|00|n|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-3146; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-016; classtype:attempted-user; sid:19314; rev:12;) # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; content:"|01 00|"; within:2; distance:55; content:"|01 00|"; within:2; distance:2; pcre:"/^.{2}\x5c\x00[^\x5c]*\x00\x00/R"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-1868; reference:cve,2011-1869; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19221; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD Adobe font driver remote code execution attempt"; flow:to_client,established; file_data; content:"|F7 CE 07 0E A2 01 F7 A7 C8 03 14 E0 F7 E6 43 15 BE C9 A3 B0|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46106; reference:cve,2011-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-007; classtype:attempted-user; sid:19196; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Certification service XSS attempt"; flow:to_server,established; content:"certfnsh|2E|asp"; nocase; http_uri; content:"TargetStoreFlagsObserve"; nocase; http_client_body; pcre:"/^=[^\s\x26]*[\x3C\x3E\x22\x27\x28\x29]/R"; metadata:policy max-detect-ips drop, service http; 
reference:cve,2011-1264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-051; classtype:attempted-user; sid:19186; rev:10;)
# sid:19184 - WMF marker inside an SMB command-0x2E response from port 445; the relative byte_test
# reads a 4-byte little-endian value 10 bytes back from the end of the |D7 CD C6 9A 00 00| match
# and requires it to be < 60.
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows OLEAUT32.DLL malicious WMF file remote code execution attempt"; flow:to_client,established; content:"|FF|SMB|2E 00 00 00 00|"; depth:9; offset:4; content:"|6C 74|"; within:6; distance:50; content:"|D7 CD C6 9A 00 00|"; within:6; distance:6; byte_test:4,<,60,-10,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-0658; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-038; classtype:attempted-user; sid:19184; rev:13;)
# NOTE(review): sid:19174 below is damaged in this copy. Its only match is a bare regex fragment
# placed inside a content: option (no pcre: keyword, no opening delimiter, a dangling /i flag), so
# it would be compared as a literal string and never match the title/expression() payload it names.
# Restore the rule from the upstream ruleset before enabling it; do not count on it for MS07-048 coverage.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Vista feed headlines cross-site scripting attack attempt"; flow:to_client,established; file_data; content:"[^>]*?(<|<).*?expression\x28.*?<\/title>/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25287; reference:cve,2007-3033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-048; classtype:web-application-attack; sid:19174; rev:15;)
# sid:19119 - ATMFD font payload fingerprinted only by the literal "BellGothicStd-Bla|00 01 02 80|"
# in file data (fast_pattern:only, no further structural checks).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows ATMFD font driver remote code execution attempt"; flow:to_client, established; file_data; content:"BellGothicStd-Bla|00 01 02 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3957; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-091; classtype:attempted-user; sid:19119; rev:11;)
# sid:18961 - malformed status line "HTTP 99|0A|"; depth:8 pins the 8-byte match to the start of
# the server response.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response"; flow:to_client,established; content:"HTTP 99|0A|"; depth:8; metadata:policy max-detect-ips drop, service http; reference:cve,2010-2561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-051;
classtype:attempted-dos; sid:18961; rev:15;) # alert udp $HOME_NET any -> 224.0.0.0/4 5355 (msg:"OS-WINDOWS Microsoft Windows LLMNR invalid reverse name lookup stack corruption attempt"; content:"|00 01 00 00 00 00|"; depth:6; offset:4; content:"|01 2E|"; within:2; distance:2; byte_test:2,!&,0xF8,2; metadata:policy max-detect-ips drop; reference:cve,2011-0657; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-030; classtype:attempted-admin; sid:18655; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 1F 00 11 3A FF FF 0F 00 46 00 6F 00 72 00 6F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17459; reference:cve,2006-0014; reference:cve,2006-2386; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-016; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-076; classtype:attempted-user; sid:18590; rev:12;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt"; flow:to_server,established; content:"m|00|s|00|o|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-3146; reference:cve,2011-0108; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-016; classtype:attempted-user; sid:18500; rev:19;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|mso.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3146; reference:cve,2011-0108; 
reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-016; classtype:attempted-user; sid:18499; rev:17;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"e|00|h|00|t|00|r|00|a|00|c|00|e|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-0032; reference:cve,2011-2009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-076; classtype:attempted-user; sid:18497; rev:17;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Media Player and shell extension ehtrace.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|ehtrace.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0032; reference:cve,2011-2009; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-076; classtype:attempted-user; sid:18496; rev:15;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft product .dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0029; reference:cve,2011-0107; reference:cve,2011-1980; reference:cve,2014-1756; reference:cve,2015-1758; reference:url,attack.mitre.org/techniques/T1038; 
reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-063; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-023; classtype:attempted-user; sid:18495; rev:21;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft product .dll dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"|01 00 00 00 40 00 00 00|"; content:"|0D 00 00 5C 00|.|00|d|00|l|00|l|00 00 00|"; within:15; distance:5; nocase; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-0029; reference:cve,2011-0107; reference:cve,2011-1980; reference:cve,2014-1756; reference:cve,2015-1758; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-063; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-023; classtype:attempted-user; sid:18494; rev:25;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows MHTML XSS attempt"; flow:to_client,established; file_data; content:"mhtml|3A|"; pcre:"/(location\x2ereplace\x28|window\x2elocation\x2ehref\s*?=|iframe\s*?src\s*?=|a\s*?href\s*?=)\s*?[\x22\x27]mhtml\x3a(http|file)\x3a\x2f\x2f/smi"; 
metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-026; classtype:attempted-user; sid:18335; rev:21;)
# sid:18309 - UTF-16 VML fill element carrying a method attribute whose value runs to at least 100
# code units; the three pcre alternatives cover single-quoted, double-quoted and unquoted values.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Vector Markup Language fill method overflow attempt"; flow:to_client,established; file_data; content:"|3A 00|f|00|i|00|l|00|l|00|"; nocase; content:"m|00|e|00|t|00|h|00|o|00|d|00|"; distance:0; nocase; pcre:"/<\x00(\w\x00)+\x3a\x00f\x00i\x00l\x00l\x00\s\x00([^>]\x00|>[^\x00])*m\x00e\x00t\x00h\x00o\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x27\x00([^\x27]\x00|\x27[^\x00]){100}|\x22\x00([^\x22]\x00|\x22[^\x00]){100}|([^\s>]\x00|[\s>][^\x00]){100})/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20096; reference:cve,2006-4868; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-055; classtype:attempted-user; sid:18309; rev:13;)
# NOTE(review): the rule below is corrupted in this copy. The Comctl32.dll SVG viewer rule's body is cut
# off right after content:" and spliced onto the tail of the fveapi.dll-over-SMB rule (sid:18278), so
# one line now carries an HTTP header, an unbalanced quote, a stray "$HOME_NET [139,445] (msg:" fragment
# inside the content option, and SMB options. It will almost certainly fail to parse and the SVG viewer
# detection is missing entirely; recover both rules from the upstream ruleset before loading this file.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Comctl32.dll third-party SVG viewer heap overflow attempt"; flow:to_client,established; file_data; content:" $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"f|00|v|00|e|00|a|00|p|00|i|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-3145; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-001; classtype:attempted-user; sid:18278; rev:18;)
# sid:18277 - outbound HTTP request whose URI contains /fveapi.dll (dll-load attempt over HTTP;
# the SMB counterpart is sid:18278 above).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Vista Backup Tool fveapi.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|fveapi.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3145;
reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-001; classtype:attempted-user; sid:18277; rev:17;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"m|00|s|00|o|00|e|00|r|00|e|00|s|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; within:1500; fast_pattern; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-3147; reference:cve,2011-2016; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-085; classtype:attempted-user; sid:18207; rev:16;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"w|00|a|00|b|00|3|00|2|00|r|00|e|00|s|00|.|00|d|00|l|00|l|00 00 00|"; within:1500; fast_pattern; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-3147; reference:cve,2011-2016; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-085; classtype:attempted-user; sid:18206; rev:17;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|msoeres32.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3147; reference:cve,2011-2016; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-085; classtype:attempted-user; sid:18205; rev:16;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wab32res.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3147; reference:cve,2011-2016; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-085; classtype:attempted-user; sid:18204; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Forefront UAG URL XSS alternate attempt"; flow:to_server, established; content:"signurl|2E|asp"; fast_pattern; nocase; http_uri; content:"SignUrl="; nocase; http_uri; pcre:"/SignUrl=[^\x26\s]*[\x22\x27\x28\x29\x3C\x3E]/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-admin; sid:18076; rev:11;) # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows SMB client TRANS response Find_First2 filename overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2.findfirst2; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:3,>,135,-12,relative,big; byte_test:1,&,128,0,relative; flowbits:unset,smb.trans2.findfirst2; content:"|00 00|"; within:2; distance:13; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:13; content:"|00|"; within:1; distance:2; content:"|FF FF FF FF|"; within:4; distance:72; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,12484; 
reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:attempted-admin; sid:17746; rev:17;) # alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-WINDOWS Microsoft Windows wpad dynamic update request "; flow:to_server; content:"|06|isatap"; byte_test:1, &, 8, 2; byte_test:1, &, 32, 2; metadata:policy max-detect-ips drop, service dns; reference:cve,2009-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; classtype:attempted-admin; sid:17731; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById"; nocase; content:"setTimeout"; fast_pattern; nocase; pcre:"/\x2esrc\s*=\s*[\x22\x27]([^\x2e]+)\x2exml\x3f[\x22\x27]\s*\x2b.*\x2esrc\s*=\s*[\x22\x27]\1\x2exml\x3f[^\x22\x27]+[\x22\x27]\s\x2b/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-user; sid:17730; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft IIS malicious ASP file upload attempt"; flow:to_server,established; content:"