# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. # # This file contains (i) proprietary rules that were created, tested and certified by # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by # Sourcefire and other third parties (the "GPL Rules") that are distributed under the # GNU General Public License (GPL), v2. # # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a # list of third party owners and their respective copyrights. # # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer # to the VRT Certified Rules License Agreement (v2.0). # #----------------------- # BROWSER-PLUGINS RULES #----------------------- # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image uploader ActiveX function call access attempt"; flow:established,to_client; file_data; content:"Aurigma.ImageUploader"; fast_pattern:only; metadata:service http; reference:bugtraq,26537; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; classtype:attempted-user; sid:26975; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image uploader ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; fast_pattern:only; metadata:service http; reference:bugtraq,26537; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; classtype:attempted-user; sid:26974; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"META-INF/services/java.sql.Driver"; fast_pattern:only; pcre:"/META-INF.*?[^a-zA-Z][a-zA-Z]{7}\.class/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58504; reference:cve,2013-1488; classtype:attempted-user; sid:26901; rev:7;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"META-INF/services/java.sql.Driver"; fast_pattern:only; pcre:"/META-INF.*?[a-zA-Z]{7}\.class/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58504; reference:cve,2013-1488; classtype:attempted-user; sid:26900; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"META-INF/services/java.sql.Driver"; fast_pattern:only; content:"Fakedriver"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58504; reference:cve,2013-1488; classtype:attempted-user; sid:26899; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"META-INF/services/java.sql.Driver"; fast_pattern:only; content:"Fakedriver"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58504; reference:cve,2013-1488; classtype:attempted-user; sid:26898; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Java Web Start control launchapp embed access"; flow:to_client,established; file_data; content:"application/java-deployment-toolkit"; fast_pattern:only; pcre:"/\x3C[^\x3E]*embed[^\x3E]*type\s*\x3D\s*[\x22\x27]\s*application\/java-deployment-toolkit\s*[\x22\x27][^\x3E]*\x3E/"; content:"launchApp|28|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2416; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26767; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Java Web Start control launchapp ActiveX clsid access"; flow:established,to_client; file_data; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(launchApp)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(launchApp))/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2416; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26766; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Java Web Start control launchapp ActiveX function call access"; flow:established,to_client; file_data; content:"application/java-deployment-toolkit"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22application\/java-deployment-toolkit(\.\d*)?\x22|\x27application\/java-deployment-toolkit(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*launchApp\s*|.*(?P=v)\s*\.\s*launchApp\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22application\/java-deployment-toolkit(\.\d*)?\x22|\x27application\/java-deployment-toolkit(\.\d*)?\x27)\s*\)(\s*\.\s*launchApp\s*|.*(?P=n)\s*\.\s*launchApp\s*)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2416; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26765; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Java Web Start control launchapp ActiveX clsid access"; flow:established,to_client; file_data; content:"CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(launchApp)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(launchApp))/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2416; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26764; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; fast_pattern:only; metadata:service smtp; reference:bugtraq,34931; reference:bugtraq,39346; reference:cve,2009-1671; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:26682; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_server,established; file_data; content:"jnlp_embedded"; content:"value"; within:10; base64_decode:bytes 1000,offset 2, relative; base64_data; content:"jnlp"; nocase; content:" $HOME_NET any (msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value"; within:10; base64_decode:bytes 1000,offset 2, relative; base64_data; content:"jnlp"; nocase; content:" $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_server; file_data; content:"HSCRemoteDeploy.RemoteInstaller"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=v)\s*\.\s*LaunchInstaller\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=n)\s*\.\s*LaunchInstaller\s*)/smiO"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,58134; reference:cve,2013-0108; classtype:attempted-user; sid:26574; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SafeNet ActiveX clsid access"; flow:established,to_client; file_data; content:"ActiveXObject"; content:"PrivAgentAx.PrivAgent"; distance:24; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23071; reference:cve,2007-0348; reference:url,www.securityfocus.com/bid/56297; classtype:attempted-user; sid:26546; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SafeNet ActiveX clsid access"; flow:established,to_client; file_data; content:"09F68A41-2FBE-11D3-8C9D-0008C7D901B6"; fast_pattern:only; content:"ChooseFilePath"; content:"classid"; distance:0; pcre:"/(\w+)\.ChooseFilePath.*?]*?id\s*=\s*[\x22\x27]\1[^>]*?classid\s*\=\s*[\x22\x27][^\x22\x27]*?09F68A41-2FBE-11D3-8C9D-0008C7D901B6/sm"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23071; reference:cve,2007-0348; reference:url,www.securityfocus.com/bid/56297; classtype:attempted-user; sid:26545; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SafeNet ActiveX clsid access"; flow:established,to_client; file_data; content:"09F68A41-2FBE-11D3-8C9D-0008C7D901B6"; fast_pattern:only; content:"classid"; content:"ChooseFilePath"; distance:0; pcre:"/]*?id\s*=\s*[\x22\x27](\w+)[^>]*?classid\s*\=\s*[\x22\x27][^\x22\x27]*?09F68A41-2FBE-11D3-8C9D-0008C7D901B6.*?\1\.ChooseFilePath/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23071; reference:cve,2007-0348; reference:url,www.securityfocus.com/bid/56297; classtype:attempted-user; sid:26544; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SafeNet ActiveX clsid access"; flow:established,to_client; file_data; content:"09F68A41-2FBE-11D3-8C9D-0008C7D901B6"; fast_pattern:only; content:"classid"; content:"ChooseFilePath"; distance:0; pcre:"/]*?classid\s*\=\s*[\x22\x27][^\x22\x27]*?09F68A41-2FBE-11D3-8C9D-0008C7D901B6[^>]*?id\s*=\s*[\x22\x27](\w+).*?\1\.ChooseFilePath/sm"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23071; reference:cve,2007-0348; reference:url,www.securityfocus.com/bid/56297; classtype:attempted-user; sid:26543; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_server,established; file_data; content:"jnlp"; nocase; content:" $HOME_NET any (msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; content:"jnlp"; nocase; content:" $HOME_NET any (msg:"BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"WebClientInstall.RegReader"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=v)\s*\.\s*OpenConnection\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=n)\s*\.\s*OpenConnection\s*)/smiO"; metadata:service http; reference:cve,2013-0674; classtype:attempted-user; sid:26498; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"3384F595-9B10-4139-9893-7E4CB1F11875"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(OpenConnection)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(OpenConnection))/siO"; metadata:service http; reference:cve,2013-0674; classtype:attempted-user; sid:26497; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Metalink file download parameter buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.metalink; file_data; content:" $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Messenger ActiveX function call access"; flow:established,to_client; file_data; content:"Messenger.MessengerApp"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Messenger\.MessengerApp(\.\d*)?\x22|\x27Messenger\.MessengerApp(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchIMUI\s*|.*(?P=v)\s*\.\s*LaunchIMUI\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Messenger\.MessengerApp(\.\d*)?\x22|\x27Messenger\.MessengerApp(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchIMUI\s*|.*(?P=n)\s*\.\s*LaunchIMUI\s*)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:26393; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Viscom Software Image Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; fast_pattern:only; content:".TIFMergeMultiFiles"; nocase; metadata:service http; reference:cve,2010-5193; reference:url,secunia.com/advisories/42445/; reference:url,www.exploit-db.com/exploits/18123/; classtype:attempted-user; sid:26378; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Google Apps mailto URI argument injection attempt"; flow:to_client,established; file_data; content:"|22|%20--domain=|22|"; nocase; content:"--renderer-path|3D|"; nocase; content:"%20--no-sandbox%20"; fast_pattern:only; metadata:service http; reference:bugtraq,36581; classtype:attempted-user; sid:26250; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ActivePDF WebGrabber APWebGrb.ocx ActiveX function call access attempt"; flow:established,to_client; file_data; content:"APWebGrabber.Object"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22APWebGrabber\.Object(\.\d*)?\x22|\x27APWebGrabber\.Object(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetStatus\s*|.*(?P=v)\s*\.\s*GetStatus\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22APWebGrabber\.Object(\.\d*)?\x22|\x27APWebGrabber\.Object(\.\d*)?\x27)\s*\)(\s*\.\s*GetStatus\s*|.*(?P=n)\s*\.\s*GetStatus\s*)/smiO"; metadata:service http; classtype:attempted-user; sid:26241; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_server; file_data; content:"0D080D7D-28D2-4F86-BFA1-D582E5CE4867"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchInstaller)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchInstaller))/siO"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,58134; reference:cve,2013-0108; classtype:attempted-user; sid:26194; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"MVT.MVTControl"; fast_pattern:only; content:"GetObject"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,53304; reference:cve,2012-4598; classtype:attempted-user; sid:26187; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS TRENDNet SecurView internet camera UltraMJCam ActiveX function call access attempt"; flow:established,to_client; file_data; content:"OpenFileDlg"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22OpenFileDlg(\.\d)?\x22|\x27OpenFileDlg(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OpenFileDlg(\.\d)?\x22|\x27OpenFileDlg(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; reference:bugtraq,52760; reference:cve,2012-4876; classtype:attempted-user; sid:26184; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS TRENDNet SecurView internet camera UltraMJCam ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy security-ips drop, service http; reference:bugtraq,52760; reference:cve,2012-4876; classtype:attempted-user; sid:26183; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt"; flow:established,to_client; file_data; content:"BackupToAvi"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22BackupToAvi(\.\d*)?\x22|\x27BackupToAvi(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BackupToAvi(\.\d*)?\x22|\x27BackupToAvi(\.\d*)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53193; reference:cve,2012-4333; classtype:attempted-user; sid:26182; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53193; reference:cve,2012-4333; classtype:attempted-user; sid:26181; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt"; flow:to_client,established; file_data; content:"AUTOVUEX.AutoVueXCtrl.1"; fast_pattern:only; pcre:"/(RestoreViewStateFromFile|SaveViewStateToFile|Export3DBom)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50321; reference:bugtraq,50333; classtype:attempted-user; sid:25566; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt"; flow:to_client,established; file_data; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; fast_pattern:only; pcre:"/(RestoreViewStateFromFile|SaveViewStateToFile|Export3DBom)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50321; reference:bugtraq,50333; classtype:attempted-user; sid:25565; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Cisco Linksys PlayerPT ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"9E065E4A-BD9D-4547-8F90-985DC62A5591"; fast_pattern:only; content:".SetSource("; pcre:"/\.SetSource\(([^\,]*?[\x22\x27]https?\x3a\x2f{2}([^\x2f]{40}|\s+\x2f)|([^\)]*?,){4}\s*?(?P[\x22\x27])(\s+(?P=q1)|[^\x22\x27]{40}))/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0284; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:attempted-user; sid:25254; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ClearQuest session ActiveX control access"; flow:established,to_client; file_data; content:"94773112-72E8-11D0-A42E-00A024DED613"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0708; classtype:attempted-user; sid:25004; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS ASUS Net4Switch ipswcom.dll ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ipswcom.IPSWComItf"; fast_pattern:only; pcre:"/(MsgBox|Alert)/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-4924; classtype:attempted-user; sid:24777; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS ASUS Net4Switch ipswcom.dll ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"1B9E86D8-7CAF-46C8-9938-569B21E17A8E"; fast_pattern:only; pcre:"/(MsgBox|Alert)/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-4924; classtype:attempted-user; sid:24775; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access"; flow:established,to_client; file_data; content:"dwa85.dwa85"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53879; reference:cve,2012-2175; reference:url,www.ibm.com/support/docview.wss?uid=swg21596862; classtype:attempted-user; sid:24772; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access"; flow:established,to_server; file_data; content:"75aa409d-05f9-4f27-bd53-c7339d4b1d0a"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-2175; reference:url,www.ibm.com/support/docview.wss?uid=swg21596862; classtype:attempted-user; sid:24771; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt"; flow:established,to_server; file_data; content:"BBFlashBack.FBRecorder"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1388; reference:cve,2011-1391; classtype:attempted-user; sid:24726; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"a3cd4bf9-ec17-47a4-833c-50a324d6ff35"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1388; reference:cve,2011-1391; classtype:attempted-user; sid:24725; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt"; flow:established,to_client; file_data; content:"BBFlashBack.FBRecorder"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1388; reference:cve,2011-1391; classtype:attempted-user; sid:24724; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"A2282403-50DE-4A2E-A118-B90AEDB1ADCC"; fast_pattern:only; metadata:service smtp; reference:cve,2011-2217; classtype:attempted-user; sid:24692; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"575B655F-FED4-4EE1-8F62-0A69D404F46B"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2217; classtype:attempted-user; sid:24691; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"658ED6E7-0DA1-4ADD-B2FB-095F08091118"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2217; classtype:attempted-user; sid:24690; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt"; flow:to_server,established; file_data; content:"TomSawyer.DefaultExtFactory"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2217; classtype:attempted-user; sid:24689; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"658ED6E7-0DA1-4ADD-B2FB-095F08091118"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2217; classtype:attempted-user; sid:24644; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt"; flow:to_client,established; file_data; content:"TomSawyer.DefaultExtFactory"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2217; classtype:attempted-user; sid:24643; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Viscom Movie Player Pro DrawText ActiveX function call access"; flow:established,to_client; file_data; content:"MOVIEPLAYER.MoviePlayerCtrl.1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MOVIEPLAYER\.MoviePlayerCtrl\.1(\.\d)?\x22|\x27MOVIEPLAYER\.MoviePlayerCtrl\.1(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DrawText\s*|.*(?P=v)\s*\.\s*DrawText\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MOVIEPLAYER\.MoviePlayerCtrl\.1(\.\d)?\x22|\x27MOVIEPLAYER\.MoviePlayerCtrl\.1(\.\d)?\x27)\s*\)(\s*\.\s*DrawText\s*|.*(?P=n)\s*\.\s*DrawText\s*)/smiO"; metadata:service http; reference:bugtraq,40719; reference:cve,2010-0356; classtype:attempted-user; sid:24579; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Viscom Movie Player Pro DrawText ActiveX clsid access"; flow:established,to_client; file_data; content:"F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(DrawText)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(DrawText))/siO"; metadata:service http; reference:bugtraq,40719; reference:cve,2010-0356; classtype:attempted-user; sid:24578; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD"; fast_pattern:only; metadata:service http; reference:cve,2012-3807; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24528; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"7650BC47-036D-4D5B-95B4-9D622C8D00A4"; fast_pattern:only; metadata:service http; reference:cve,2012-3806; classtype:attempted-user; sid:24527; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"C668B648-A2BD-432C-854F-C8C0A275E1F1"; fast_pattern:only; metadata:service http; reference:cve,2012-3808; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24526; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"40EC20B2-61B4-4cdd-B4BD-F1E462C0E398"; fast_pattern:only; metadata:service http; reference:cve,2012-3807; classtype:attempted-user; sid:24525; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS EMC ApplicationXtender Desktop ActiveX function call attempt"; flow:to_server,established; file_data; content:"WxSuperCtrl650"; fast_pattern:only; content:"../../.."; pcre:"/(?P\w+)\s*=\s*(\x22WxSuperCtrl650(\.\d)?\x22|\x27WxSuperCtrl650(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DisplayImageFile|AnnoLoad|AnnoSave)\s*|.*(?P=v)\s*\.\s*(DisplayImageFile|AnnoLoad|AnnoSave)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WxSuperCtrl650(\.\d)?\x22|\x27WxSuperCtrl650(\.\d)?\x27)\s*\)(\s*\.\s*(DisplayImageFile|AnnoLoad|AnnoSave)\s*|.*(?P=n)\s*\.\s*(DisplayImageFile|AnnoLoad|AnnoSave)\s*)/smiO"; metadata:service smtp; reference:cve,2012-2289; classtype:attempted-user; sid:24323; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EMC ApplicationXtender Desktop ActiveX function call attempt"; flow:to_client,established; file_data; content:"WxSuperCtrl650"; fast_pattern:only; content:"../../.."; pcre:"/(?P\w+)\s*=\s*(\x22WxSuperCtrl650(\.\d)?\x22|\x27WxSuperCtrl650(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DisplayImageFile|AnnoLoad|AnnoSave)\s*|.*(?P=v)\s*\.\s*(DisplayImageFile|AnnoLoad|AnnoSave)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WxSuperCtrl650(\.\d)?\x22|\x27WxSuperCtrl650(\.\d)?\x27)\s*\)(\s*\.\s*(DisplayImageFile|AnnoLoad|AnnoSave)\s*|.*(?P=n)\s*\.\s*(DisplayImageFile|AnnoLoad|AnnoSave)\s*)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-2289; classtype:attempted-user; sid:24322; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Cisco Secure Desktop CSDWebInstaller ActiveX function call access"; flow:to_client,established; file_data; content:"CSDWEBINSTALLER.CSDWebInstallerCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22CSDWEBINSTALLER\.CSDWebInstallerCtrl(\.\d)?\x22|\x27CSDWEBINSTALLER\.CSDWebInstallerCtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=(\s*new)?\s*(ActiveXObject|CreateObject)\s*\(\s*(?P=c)\s*\)(\s*\.\s*url\s*|.*(?P=v)\s*\.\s*url\s*)|(?P\w+)\s*=(\s*new)?\s*(ActiveXObject|CreateObject)\s*\(\s*(\x22CSDWEBINSTALLER\.CSDWebInstallerCtrl(\.\d)?\x22|\x27CSDWEBINSTALLER\.CSDWebInstallerCtrl(\.\d)?\x27)\s*\)(\s*\.\s*url\s*|.*(?P=n)\s*\.\s*url\s*)/smiO"; metadata:service http; reference:bugtraq,46536; reference:cve,2011-0926; classtype:attempted-user; sid:24282; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS AdminStudio and InstallShield ActiveX function call access attempt"; flow:to_server,established; file_data; content:"ISHercules.Grid.1"; fast_pattern:only; pcre:"/(?P\w+)\s*?=\s*?(new\s*?ActiveXObject|CreateObject)\s*?\(\s*?(?P\x22|\x27|)ISHercules\.Grid\.1\s*?(?P=q1)\s*?\).*?for\s*?\([^\;]*\;\s*?\w+\s*?<=?\s*?(\d{5}+)\s*?\;[^\)]*\)\s*?{?\s*?(?P\w+)\s*?=\s*?(?P=var1)\s*?\+[^\;]*.*?(?P=id1)\s*?\.\s*?DoFindReplace\([^,]*((?P=var1)\s*?|,[^,]*(?P=var1)\s*?)/smi"; metadata:service smtp; reference:url,kb.flexerasoftware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=Q201079&sliceId=1&docTypeID=DT_HOTFIX_1_1&dialogID=125341070&stateId=00%20125337386; classtype:attempted-user; sid:24249; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AdminStudio and InstallShield ActiveX function call access attempt"; flow:to_client,established; file_data; content:"ISHercules.Grid.1"; fast_pattern:only; pcre:"/(?P\w+)\s*?=\s*?(new\s*?ActiveXObject|CreateObject)\s*?\(\s*?(?P\x22|\x27|)ISHercules\.Grid\.1\s*?(?P=q1)\s*?\).*?for\s*?\([^\;]*\;\s*?\w+\s*?<=?\s*?(\d{5}+)\s*?\;[^\)]*\)\s*?{?\s*?(?P\w+)\s*?=\s*?(?P=var1)\s*?\+[^\;]*.*?(?P=id1)\s*?\.\s*?DoFindReplace\([^,]*((?P=var1)\s*?|,[^,]*(?P=var1)\s*?)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,kb.flexerasoftware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=Q201079&sliceId=1&docTypeID=DT_HOTFIX_1_1&dialogID=125341070&stateId=00%20125337386; classtype:attempted-user; sid:24248; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS AdminStudio and InstallShield ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"1FDAAB76-810C-11D5-AB7C-00C04F09719A"; fast_pattern:only; pcre:"/for\s*\([^\;]*\;\s*\w+\s*<=?\s*(\d{5}+)\s*\;[^\)]*\)\s*{?\s*(?P\w+)\s*=\s*(?P=var1)\s*\+[^\;]*.*?(?P.+?)\s*\.\s*DoFindReplace\([^,]*((?P=var1)\s*|,[^,]*(?P=var1)\s*),.*?(]*\s*id\s*=\s*(?P\x22|\x27|)(?P=id1)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1FDAAB76-810C-11D5-AB7C-00C04F09719A\s*}?\s*(?P=q1)(\s|>|\x2F)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1FDAAB76-810C-11D5-AB7C-00C04F09719A\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P=id1)(?P=m2))/smiO"; metadata:service smtp; reference:url,kb.flexerasoftware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=Q201079&sliceId=1&docTypeID=DT_HOTFIX_1_1&dialogID=125341070&stateId=00%20125337386; classtype:attempted-user; sid:24247; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AdminStudio and InstallShield ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"1FDAAB76-810C-11D5-AB7C-00C04F09719A"; fast_pattern:only; pcre:"/for\s*\([^\;]*\;\s*\w+\s*<=?\s*(\d{5}+)\s*\;[^\)]*\)\s*{?\s*(?P\w+)\s*=\s*(?P=var1)\s*\+[^\;]*.*?(?P.+?)\s*\.\s*DoFindReplace\([^,]*((?P=var1)\s*|,[^,]*(?P=var1)\s*),.*?(]*\s*id\s*=\s*(?P\x22|\x27|)(?P=id1)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1FDAAB76-810C-11D5-AB7C-00C04F09719A\s*}?\s*(?P=q1)(\s|>|\x2F)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1FDAAB76-810C-11D5-AB7C-00C04F09719A\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P=id1)(?P=m2))/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,kb.flexerasoftware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=Q201079&sliceId=1&docTypeID=DT_HOTFIX_1_1&dialogID=125341070&stateId=00%20125337386; classtype:attempted-user; sid:24246; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt"; flow:to_client,established; file_data; content:"KeyHelp.KeyScript"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?KeyHelp\.KeyScript/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,54215; reference:cve,2012-2515; reference:cve,2012-2516; reference:url,support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863; classtype:attempted-user; sid:24197; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer 8 ieframe.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"07C45BB1-4A8C-4642-A1F5-237E7215FF66"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*07C45BB1-4A8C-4642-A1F5-237E7215FF66\s*}?\s*(?P=q1)(\s|>|\x2F)/si"; metadata:service http; reference:url,seclists.org/fulldisclosure/2012/Aug/243; classtype:attempted-user; sid:24113; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS StoneTrip S3DPlayer ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"7508D2BB-F085-45BF-8261-167C6DF4D477"; fast_pattern:only; metadata:service http; reference:bugtraq,35105; reference:cve,2009-1792; classtype:attempted-user; sid:23470; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ECABFDAA-C5D1-4CED-AA9A-F120A6F6E632"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23432; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"115EEB56-1D9A-40CC-BE02-0A2AF6E4FFE0"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23431; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"F390AB7C-7C17-40C0-BA21-A1170FE4A21B"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23430; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"C188EFAC-A680-4D9A-9D86-9A1535EABE60"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23429; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"C41E04F2-8DFE-4069-A737-599E0A143C98"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23428; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"A49CF05B-F04E-40FA-B24C-19A1727AC9E9"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23427; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"A691BD51-B974-4EAD-9040-5A157AD23C34"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23426; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FD36EF64-EE2A-4599-AEB2-F296D806B2BF"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23425; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"A8BC7AB7-C8E5-449D-BED4-C7487E87FFB6"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23424; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2910F5C6-3F4E-48AA-B449-6E015FF871E3"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23423; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"27B04BDE-684A-415B-9F6E-187EDD0BD419"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23422; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"6D660DD8-2AAA-4BEA-AF8D-476E24DAA7A4"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23421; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"D67CEF70-F4E4-4025-AD8B-BD16C2058E30"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23420; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FB4A8BD3-FF5F-4B1D-8F8B-FEC4F8BA4375"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23419; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"08C77EA7-11A3-11D5-AAFD-00E0294358F5"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23418; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"3C7FBBEA-76CC-4664-8D2B-C05B7FBD5E92"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23417; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"23087906-5A02-4198-958F-F4A46A166BF9"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23416; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"9355C927-06DB-4D68-97AB-FB3C5F4EB1BA"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23415; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"F3240D05-607B-4719-B607-396BFC903F1B"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23413; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FA7EBEAA-84AA-48AB-9FF4-A121CAF23471"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23412; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"6C1424D6-69E1-4F9C-AEA6-A4CEE356171E"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23411; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"21D09BAD-6B76-4149-A88B-22988300534C"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23410; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"890B2708-86C5-410E-974C-BB677EE7F006"; fast_pattern:only; metadata:service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23409; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt"; flow:to_client,established; file_data; content:"AnnotationX.AnnList"; fast_pattern:only; content:"Add"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52765; reference:cve,2012-5896; classtype:attempted-user; sid:23396; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23376; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:23375; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23374; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:23373; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23372; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Cisco Linksys PlayerPT ActiveX function call access attempt"; flow:to_client,established; file_data; content:"PLAYERPT.PlayerPTCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22PLAYERPT\.PlayerPTCtrl(\.\d)?\x22|\x27PLAYERPT\.PlayerPTCtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SetSource\(([^\; ]*?,){4}\s*?([^\x22\x27]+\s*?\)\; |(\x22|\x27)[^\x22\x27]{40}))\s*|.*(?P=v)\s*\.\s*(SetSource\(([^\; ]*?,){4}\s*?([^\x22\x27]+\s*?\)\; |(\x22|\x27)[^\x22\x27]{40}))\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PLAYERPT\.PlayerPTCtrl(\.\d)?\x22|\x27PLAYERPT\.PlayerPTCtrl(\.\d)?\x27)\s*\)(\s*\.\s*(SetSource\(([^\; ]*?,){4}\s*?([^\x22\x27]+\s*?\)\; |(\x22|\x27)[^\x22\x27]{40}))\s*|.*(?P=n)\s*\.\s*(SetSource\(([^\; ]*?,){4}\s*?([^\x22\x27]+\s*?\)\; |(\x22|\x27)[^\x22\x27]{40}))\s*)/smiO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0284; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:attempted-user; sid:23353; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a06-f192-11d4-a65f-0040963251e5"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23303; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"tnemucoDMOD.2lmxsM"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23302; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e6-f192-11d4-a65f-0040963251e5"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23300; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.5.0"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23299; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c1-f192-11d4-a65f-0040963251e5"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23297; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.4.0"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23296; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MSXML2.FreeThreadedDOMDocument"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23295; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23294; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f33-c551-11d3-89b9-0000f81fe221"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23292; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23291; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.3.0"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23290; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.FreeThreadedXMLDOM.1.0"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23289; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf91-7b36-11d2-b20e-00c04f983e60"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23288; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.XMLDOM.1.0"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23287; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle WebCenter Forms Recognition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"53CF415E-1A80-11D3-8E63-00A0C99CE543"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1709; classtype:attempted-user; sid:23283; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Webcenter ActiveX clsid access"; flow:to_client,established; file_data; content:"8c3d4aa7-2599-11d2-baf1-00104b9e0792"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8c3d4aa7-2599-11d2-baf1-00104b9e0792\s*}?\s*(?P=q1)(\s|>|\x2F)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-1710; classtype:attempted-user; sid:23228; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow attempt"; flow:to_client,established; file_data; content:"QuickPlace.QuickPlace"; fast_pattern:only; pcre:"/(Impor|Attachmen)t_Times/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53678; reference:cve,2012-2176; classtype:attempted-user; sid:23174; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a05-f192-11d4-a65f-0040963251e5"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23146; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e5-f192-11d4-a65f-0040963251e5"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23145; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c0-f192-11d4-a65f-0040963251e5"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23144; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23143; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23142; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MVT.MVTControl"; fast_pattern:only; content:"GetObject"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53304; reference:cve,2012-4598; classtype:attempted-user; sid:23050; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF"; fast_pattern:only; content:"GetObject"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,53304; reference:cve,2012-4598; classtype:attempted-user; sid:23049; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF"; fast_pattern:only; content:"GetObject"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53304; reference:cve,2012-4598; classtype:attempted-user; sid:23048; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Internet Security ActiveX function call"; flow:to_client,established; file_data; content:"WrapUM.LaunchURL"; fast_pattern:only; metadata:service http; reference:cve,2004-0364; reference:url,www.securityfocus.com/bid/9915/; classtype:attempted-user; sid:22050; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Internet Security ActiveX clsid access"; flow:to_client,established; file_data; content:"26676CDD-DD35-4AF2-8751-CC25DC468EF2"; fast_pattern:only; metadata:service http; reference:cve,2004-0364; reference:url,www.securityfocus.com/bid/9915/; classtype:attempted-user; sid:22049; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMIScriptUtils.WMIObjectBroker2.1 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"WMIScriptUtils.WMIObjectBroker2.1"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-4704; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-073; classtype:attempted-user; sid:22003; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows MSWebDVD ActiveX function call attempt"; flow:to_client,established; file_data; content:"MSWebDVD.MSWebDVD.1"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10056; classtype:attempted-user; sid:21951; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows MSWebDVD ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"38EE5CEE-4B62-11D3-854F-00A0C9C898E7"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10056; classtype:attempted-user; sid:21950; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ICONICS WebHMI ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"D25FCAFC-F795-4609-89BB-5F78B4ACAF2C"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D25FCAFC-F795-4609-89BB-5F78B4ACAF2C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.SetActiveXGUID/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2089; reference:url,www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf; classtype:attempted-user; sid:21883; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ICONICS WebHMI ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"D25FCAFC-F795-4609-89BB-5F78B4ACAF2C"; fast_pattern:only; pcre:"/object\s*[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D25FCAFC-F795-4609-89BB-5F78B4ACAF2C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*SetActiveXGUID/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2089; reference:url,www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf; classtype:attempted-user; sid:21882; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM eGatherer ActiveX function call access"; flow:to_client,established; file_data; content:"IbmEgath.IbmEgathCtl.1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22IbmEgath\.IbmEgathCtl\.1(\.\d)?\x22|\x27IbmEgath\.IbmEgathCtl\.1(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*RunEgatherer\s*|.*(?P=v)\s*\.\s*RunEgatherer\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IbmEgath\.IbmEgathCtl\.1(\.\d)?\x22|\x27IbmEgath\.IbmEgathCtl\.1(\.\d)?\x27)\s*\)(\s*\.\s*RunEgatherer\s*|.*(?P=n)\s*\.\s*RunEgatherer\s*)/smiO"; metadata:service http; reference:bugtraq,19554; reference:cve,2006-4221; classtype:attempted-user; sid:21590; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM eGatherer ActiveX clsid access"; flow:to_client,established; file_data; content:"74FFE28D-2378-11D5-990C-006094235084"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(RunEgatherer)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(RunEgatherer))/siO"; metadata:service http; reference:bugtraq,19554; reference:cve,2006-4221; classtype:attempted-user; sid:21589; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Antivirus ActiveX function call access"; flow:to_client,established; file_data; content:"Symantec.Norton.AntiVirus.AppLauncher"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Symantec\.Norton\.AntiVirus\.AppLauncher(\.\d)?\x22|\x27Symantec\.Norton\.AntiVirus\.AppLauncher(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchURL\s*|.*(?P=v)\s*\.\s*LaunchURL\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Symantec\.Norton\.AntiVirus\.AppLauncher(\.\d)?\x22|\x27Symantec\.Norton\.AntiVirus\.AppLauncher(\.\d)?\x27)\s*\)(\s*\.\s*LaunchURL\s*|.*(?P=n)\s*\.\s*LaunchURL\s*)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2005-2127; classtype:attempted-user; sid:21561; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Antivirus ActiveX clsid access"; flow:to_client,established; file_data; content:"51CD5322-C0EC-4513-BCEF-1C9B2EC88719"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*51CD5322-C0EC-4513-BCEF-1C9B2EC88719\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchURL)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*51CD5322-C0EC-4513-BCEF-1C9B2EC88719\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchURL))/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2005-2127; classtype:attempted-user; sid:21560; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Antivirus ActiveX clsid access"; flow:to_client,established; file_data; content:"Symantec.Norton.AntiVirus.AppLauncher"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*new\s*ActiveXObject\x28(\x22Symantec\.Norton\.AntiVirus\.AppLauncher(\.\d)?\x22|\x27Symantec\.Norton\.AntiVirus\.AppLauncher(\.\d)?\x27)\x29.*\s*(?P=varname)\.LaunchURL/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10392; reference:cve,2005-2127; reference:url,securityresponse.symantec.com/avcenter/security/Content/2004.05.20.html; classtype:attempted-user; sid:21559; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Antivirus ActiveX clsid access"; flow:to_client,established; file_data; content:"Symantec.Norton.AntiVirus.AppLauncher"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*CreateObject\x28(\x22Symantec\.Norton\.AntiVirus\.AppLauncher(\.\d)?\x22|\x27Symantec\.Norton\.AntiVirus\.AppLauncher(\.\d)?\x27)\x29.*\s*(?P=varname)\.LaunchURL/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10392; reference:cve,2005-2127; reference:url,securityresponse.symantec.com/avcenter/security/Content/2004.05.20.html; classtype:attempted-user; sid:21558; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows DRM technology msnetobj.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"A9FC132B-096D-460B-B7D5-1DB0FAE0C062"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A9FC132B-096D-460B-B7D5-1DB0FAE0C062\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(GetLicenseFromURLAsync)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A9FC132B-096D-460B-B7D5-1DB0FAE0C062\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(GetLicenseFromURLAsync))/siO"; metadata:service http; reference:bugtraq,43345; reference:url,www.exploit-db.com/exploits/15061; classtype:attempted-user; sid:21493; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee Security Center ActiveX clsid access"; flow:to_client,established; file_data; content:"A5AD2366-4C5A-4750-BD4E-23E7333C9565"; fast_pattern:only; metadata:service http; reference:bugtraq,15986; reference:cve,2005-3657; classtype:attempted-user; sid:21406; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX function call"; flow:to_client,established; file_data; content:"SymSpamBlockingUI.SymSpamHelper.1"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-user; sid:21264; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee Remediation Agent ActiveX function call access"; flow:to_client,established; file_data; content:"Enginecom.imagineLANEngine"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Enginecom\.imagineLANEngine(\.\d)?\x22|\x27Enginecom\.imagineLANEngine(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DeleteSnapshot\s*|.*(?P=v)\s*\.\s*DeleteSnapshot\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Enginecom\.imagineLANEngine(\.\d)?\x22|\x27Enginecom\.imagineLANEngine(\.\d)?\x27)\s*\)(\s*\.\s*DeleteSnapshot\s*|.*(?P=n)\s*\.\s*DeleteSnapshot\s*)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,metasploit.com/modules/exploit/windows/fileformat/mcafee_hercules_deletesnapshot; classtype:attempted-user; sid:21094; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Bennet-Tec TList saveData arbitrary file creation ActiveX function call access"; flow:to_client,established; file_data; content:"TList.TList.8"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22TList\.TList\.8(\.\d)?\x22|\x27TList\.TList\.8(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e\s*|.*(?P=v)\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TList\.TList\.8(\.\d)?\x22|\x27TList\.TList\.8(\.\d)?\x27)\s*\)(\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e\s*|.*(?P=n)\s*\.\s*SaveData\s*)/smiO"; metadata:service http; reference:cve,2011-3397; reference:url,retrogod.altervista.org/9sg_ohfm_adv.html; classtype:attempted-user; sid:21034; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Bennet-Tec TList saveData arbitrary file creation ActiveX clsid access"; flow:to_client,established; file_data; content:"95D85D77-B200-40A4-BF6A-999E9B1D3B26"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*95D85D77-B200-40A4-BF6A-999E9B1D3B26\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*95D85D77-B200-40A4-BF6A-999E9B1D3B26\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.SaveData\s*\x28[^\x29]*\x2e\x2e)/siO"; metadata:service http; reference:cve,2011-3397; reference:url,retrogod.altervista.org/9sg_ohfm_adv.html; classtype:attempted-user; sid:21033; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Bennet-Tec TList saveData arbitrary file creation ActiveX function call access"; flow:to_client,established; file_data; content:"TList.TList.7"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22TList\.TList\.7(\.\d)?\x22|\x27TList\.TList\.7(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e\s*|.*(?P=v)\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TList\.TList\.7(\.\d)?\x22|\x27TList\.TList\.7(\.\d)?\x27)\s*\)(\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e\s*|.*(?P=n)\s*\.\s*SaveData\s*)/smiO"; metadata:service http; reference:cve,2011-3397; reference:url,retrogod.altervista.org/9sg_ohfm_adv.html; classtype:attempted-user; sid:21032; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Bennet-Tec TList saveData arbitrary file creation ActiveX clsid access"; flow:to_client,established; file_data; content:"A3FC1700-924C-11D5-8FE5-0004ACD846EA"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A3FC1700-924C-11D5-8FE5-0004ACD846EA\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A3FC1700-924C-11D5-8FE5-0004ACD846EA\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.SaveData\s*\x28[^\x29]*\x2e\x2e)/siO"; metadata:service http; reference:cve,2011-3397; reference:url,retrogod.altervista.org/9sg_ohfm_adv.html; classtype:attempted-user; sid:21031; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Bennet-Tec TList saveData arbitrary file creation ActiveX function call access"; flow:to_client,established; file_data; content:"TList.TList.6"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22TList\.TList\.6(\.\d)?\x22|\x27TList\.TList\.6(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e\s*|.*(?P=v)\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TList\.TList\.6(\.\d)?\x22|\x27TList\.TList\.6(\.\d)?\x27)\s*\)(\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e\s*|.*(?P=n)\s*\.\s*SaveData\s*)/smiO"; metadata:service http; reference:cve,2011-3397; reference:url,retrogod.altervista.org/9sg_ohfm_adv.html; classtype:attempted-user; sid:21030; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Bennet-Tec TList saveData arbitrary file creation ActiveX clsid access"; flow:to_client,established; file_data; content:"65996200-3B87-11D4-A21F-00E029189826"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*65996200-3B87-11D4-A21F-00E029189826\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*SaveData\s*\x28[^\x29]*\x2e\x2e|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*65996200-3B87-11D4-A21F-00E029189826\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.SaveData\s*\x28[^\x29]*\x2e\x2e)/siO"; metadata:service http; reference:cve,2011-3397; reference:url,retrogod.altervista.org/9sg_ohfm_adv.html; classtype:attempted-user; sid:21029; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS McAfee Security as a Service ActiveX function call attempt"; flow:established,to_server; file_data; content:"MyCioScan.Scan"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MyCioScan\.Scan(\.\d*)?\x22|\x27MyCioScan\.Scan(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MyCioScan\.Scan(\.\d*)?\x22|\x27MyCioScan\.Scan(\.\d*)?\x27)\s*\)/smiO"; metadata:service smtp; reference:bugtraq,51397; reference:url,www.zerodayinitiative.com/advisories/ZDI-12-012/; classtype:attempted-user; sid:21027; rev:11;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS McAfee Security as a Service ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"209EBDEE-065C-11D4-A6B8-00C04F0D38B7"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*209EBDEE-065C-11D4-A6B8-00C04F0D38B7\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:service smtp; reference:bugtraq,51397; reference:url,www.zerodayinitiative.com/advisories/ZDI-12-012/; classtype:attempted-user; sid:21026; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee Security as a Service ActiveX function call attempt"; flow:to_client,established; file_data; content:"MyCioScan.Scan"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MyCioScan\.Scan(\.\d*)?\x22|\x27MyCioScan\.Scan(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MyCioScan\.Scan(\.\d*)?\x22|\x27MyCioScan\.Scan(\.\d*)?\x27)\s*\)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,51397; reference:url,www.zerodayinitiative.com/advisories/ZDI-12-012/; classtype:attempted-user; sid:21025; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee Security as a Service ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"209EBDEE-065C-11D4-A6B8-00C04F0D38B7"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*209EBDEE-065C-11D4-A6B8-00C04F0D38B7\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,51397; reference:url,www.zerodayinitiative.com/advisories/ZDI-12-012/; classtype:attempted-user; sid:21024; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Viscom Software Image Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"SCRIBBLE.ScribbleCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SCRIBBLE\.ScribbleCtrl(\.\d)?\x22|\x27SCRIBBLE\.ScribbleCtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*TIFMergeMultiFiles\s*|.*(?P=v)\s*\.\s*TIFMergeMultiFiles\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SCRIBBLE\.ScribbleCtrl(\.\d)?\x22|\x27SCRIBBLE\.ScribbleCtrl(\.\d)?\x27)\s*\)(\s*\.\s*TIFMergeMultiFiles\s*|.*(?P=n)\s*\.\s*TIFMergeMultiFiles\s*)/smiO"; metadata:service http; reference:cve,2010-5193; reference:url,secunia.com/advisories/42445/; reference:url,www.exploit-db.com/exploits/18123/; reference:url,xforce.iss.net/xforce/xfdb/63666; classtype:attempted-user; sid:21023; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Viscom Software Image Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(TIFMergeMultiFiles)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(TIFMergeMultiFiles))/siO"; metadata:service http; reference:cve,2010-5193; reference:url,secunia.com/advisories/42445/; reference:url,www.exploit-db.com/exploits/18123/; reference:url,xforce.iss.net/xforce/xfdb/63666; classtype:attempted-user; sid:21022; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Autodesk iDrop ActiveX clsid access"; flow:to_client,established; file_data; content:"32290CD1-D585-4803-AF20-F16E20FF377A"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*32290CD1-D585-4803-AF20-F16E20FF377A\s*}?\s*(?P=q1)(\s|>)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*32290CD1-D585-4803-AF20-F16E20FF377A\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>))/siO"; pcre:"/\.(src|background|packagexml)/si"; metadata:service http; reference:url,securitytracker.com/id?1021969; classtype:attempted-user; sid:20949; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; fast_pattern:only; file_data; content:"WksPictureInterface"; content:"num|20 3D 20|168430090"; metadata:service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:20901; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash ActiveX clsid access"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11CF-96B8-444553540000"; fast_pattern:only; content:"document.location.reload"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11CF-96B8-444553540000\s*}?\s*(?P=q1)(\s|>)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11CF-96B8-444553540000\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>))/siO"; metadata:service http; reference:cve,2010-2185; reference:url,www.adobe.com/support/security/bulletins/apsb10-14.html; classtype:attempted-user; sid:20875; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"TTF161.TTF1.6"; fast_pattern:only; content:"SetDevNames"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-5167; classtype:attempted-user; sid:20847; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"B0475003-7740-11D1-BDC3-0020AF9F8E6E"; fast_pattern:only; content:"SetDevNames"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-5167; classtype:attempted-user; sid:20846; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo! CD Player ActiveX clsid access"; flow:to_client,established; file_data; content:"5622772D-6C27-11D3-95E5-006008D14F3B"; fast_pattern:only; metadata:service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20716; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Photo Creative ActiveX clsid access"; flow:to_client,established; file_data; content:"FC7F9CC6-E049-4698-8A25-59AD87C7DCE2"; fast_pattern:only; metadata:service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20715; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Photo Creative ActiveX clsid access"; flow:to_client,established; file_data; content:"dd7b057d-9020-4630-baf8-7a0cda04588d"; fast_pattern:only; metadata:service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20714; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Photo Creative ActiveX clsid access"; flow:to_client,established; file_data; content:"8290cb76-9f61-458b-ad2c-3f6fd2e8cd7d"; fast_pattern:only; metadata:service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20713; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Photo Creative ActiveX clsid access"; flow:to_client,established; file_data; content:"7a7b986c-31e9-4286-88ca-b9dc481ca989"; fast_pattern:only; metadata:service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20712; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Photo Creative ActiveX clsid access"; flow:to_client,established; file_data; content:"b34b19f4-7ebe-46cb-807c-746e72ebb4b6"; fast_pattern:only; metadata:service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20711; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Photo Creative ActiveX clsid access"; flow:to_client,established; file_data; content:"EE5E14B0-4ABF-409E-9C39-74F3D35BD85A"; fast_pattern:only; metadata:service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20710; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Dell IT Assistant ActiveX clsid access"; flow:to_client,established; file_data; content:"6286EF1A-B56E-48EF-90C3-743410657F3C"; fast_pattern:only; metadata:service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20707; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Time DATIME.DLL ActiveX clsid access"; flow:to_client,established; file_data; content:"476c391c-3e0d-11d2-b948-00c04fa32195"; fast_pattern:only; metadata:service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20706; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Time DATIME.DLL ActiveX clsid access"; flow:to_client,established; file_data; content:"33FDA1EA-80DF-11d2-B263-00A0C90D6111"; fast_pattern:only; metadata:service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20705; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle AutoVueX Control ExportEdaBom ActiveX function call access"; flow:to_client,established; file_data; content:"AUTOVUEX.AutoVueXCtrl.1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22AUTOVUEX\.AutoVueXCtrl\.1(\.\d)?\x22|\x27AUTOVUEX\.AutoVueXCtrl\.1(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ExportEdaBom\s*|.*(?P=v)\s*\.\s*ExportEdaBom\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AUTOVUEX\.AutoVueXCtrl\.1(\.\d)?\x22|\x27AUTOVUEX\.AutoVueXCtrl\.1(\.\d)?\x27)\s*\)(\s*\.\s*ExportEdaBom\s*\((?P\x22|\x27|).*?[^?P=q4](\x2e\x2e|%2e%2e)|.*(?P=n)\s*\.\s*ExportEdaBom\s*\((?P\x22|\x27|).*?[^?P=q5](\x2e\x2e|%2e%2e))/smiO"; metadata:service http; reference:url,retrogod.altervista.org/9sg_autovue.html; classtype:attempted-user; sid:20574; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle AutoVueX Control ExportEdaBom ActiveX clsid access"; flow:to_client,established; file_data; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B6FCC215-D303-11D1-BC6C-0000C078797F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*ExportEdaBom\((?P\x22|\x27|).*?[^?P=q3](\x2e\x2e|%2e%2e)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B6FCC215-D303-11D1-BC6C-0000C078797F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.ExportEdaBom\((?P\x22|\x27|).*?[^?P=q4](\x2e\x2e|%2e%2e))/siO"; metadata:service http; reference:url,retrogod.altervista.org/9sg_autovue.html; classtype:attempted-user; sid:20573; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Phobos.Playlist ActiveX function call access"; flow:to_client,established; file_data; content:"Phobos.Playlist"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Phobos\.Playlist(\.\d)?\x22|\x27Phobos\.Playlist(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Import\s*|.*(?P=v)\s*\.\s*Import\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Phobos\.Playlist(\.\d)?\x22|\x27Phobos\.Playlist(\.\d)?\x27)\s*\)(\s*\.\s*Import\s*|.*(?P=n)\s*\.\s*Import\s*)/smiO"; metadata:service http; classtype:attempted-user; sid:20538; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Phobos.Playlist ActiveX clsid access"; flow:to_client,established; file_data; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A105BD70-BF56-4D10-BC91-41C88321F47C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Import)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A105BD70-BF56-4D10-BC91-41C88321F47C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Import))/siO"; metadata:service http; classtype:attempted-user; sid:20537; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Moxa MediaDBPlayback.DLL ActiveX clsid access"; flow:to_client,established; file_data; content:"5B32067A-121B-49DE-8182-91EB13DDF8D6"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5B32067A-121B-49DE-8182-91EB13DDF8D6\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(PlayFileName)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5B32067A-121B-49DE-8182-91EB13DDF8D6\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(PlayFileName))/siO"; metadata:service http; classtype:attempted-user; sid:20536; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Black Ice Barcode SDK ActiveX function call access"; flow:to_client,established; file_data; content:"BIDIB.BIDIBCtrl"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?BIDIB\.BIDIBCtrl/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,29577; reference:bugtraq,29579; reference:cve,2008-2683; reference:cve,2008-2684; classtype:attempted-user; sid:20286; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Black Ice Barcode SDK ActiveX clsid access"; flow:to_client,established; file_data; content:"79956462-F148-497F-B247-DF35A095F80B"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?79956462-F148-497F-B247-DF35A095F80B/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,29577; reference:bugtraq,29579; reference:cve,2008-2683; reference:cve,2008-2684; classtype:attempted-user; sid:20285; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ChemView SaveAsMolFile vulnerability ActiveX clsid access"; flow:to_client,established; file_data; content:"C372350A-1D5A-44DC-A759-767FC553D96C"; fast_pattern:only; metadata:service http; reference:bugtraq,38225; reference:cve,2010-0679; classtype:attempted-user; sid:20168; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual Studio WMIScriptUtils.WMIObjectBroker2.1 ActiveX CLSID access"; flow:to_client,established; file_data; content:"XMLHttpRequest|28 29|"; content:"document|2E|location"; content:"|27 2F|p|27|"; distance:0; content:"|27|ay|27|"; distance:0; content:"|27|lo|27|"; distance:0; pcre:"/document\x2elocation\s*\x2b\s*\x27\x2fp\x27\s*\x2b\s*\x27ay\x27\s*\x2b\s*\x27lo\x27/"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4704; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-073; classtype:attempted-user; sid:20071; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS F-Secure Anti-Virus fsresh.dll clsid access"; flow:to_client,established; file_data; content:"147B3695-4308-41D9-B1A4-770B87BAD342"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*147B3695-4308-41D9-B1A4-770B87BAD342\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:service http; reference:url,www.f-secure.com/en_EMEA-Labs/news-info/security-advisories/fsc-2011-3.html; classtype:attempted-user; sid:20044; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell iPrint ActiveX client browser plugin call-back-url buffer overflow attempt"; flow:to_client,established; file_data; content:"clsid|3A|36723F97-7AA0-11D4-8919-FF2D71D0D32C"; fast_pattern:only; content:"call-back-url"; pcre:"/name\s*=\s*(?P\x22|\x27|)call-back-url(?P=q1)/smi"; pcre:"/value\s*=\s*[\x27\x22][^\x27\x22]{257}/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1527; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.securityfocus.com/bid/42576; classtype:attempted-user; sid:19925; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Cisco AnyConnect ActiveX function call access"; flow:to_client,established; file_data; content:"Cisco.AnyConnect.VPNWeb"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Cisco\.AnyConnect\.VPNWeb(\.\d)?\x22|\x27Cisco\.AnyConnect\.VPNWeb(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*url\s*|.*(?P=v)\s*\.\s*url\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Cisco\.AnyConnect\.VPNWeb(\.\d)?\x22|\x27Cisco\.AnyConnect\.VPNWeb(\.\d)?\x27)\s*\)(\s*\.\s*url\s*|.*(?P=n)\s*\.\s*url)\s*=/smiO"; metadata:service http; reference:cve,2011-2039; reference:url,www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml; classtype:attempted-user; sid:19651; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash ActiveX function call access"; flow:to_client,established; file_data; content:"ShockwaveFlash.ShockwaveFlash"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ShockwaveFlash\.ShockwaveFlash(\.\d)?\x22|\x27ShockwaveFlash\.ShockwaveFlash(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*CreateObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LoadMovie\s*|.*(?P=v)\s*\.\s*LoadMovie\s*)|(?P\w+)\s*=\s*CreateObject\s*\(\s*(\x22ShockwaveFlash\.ShockwaveFlash(\.\d)?\x22|\x27ShockwaveFlash\.ShockwaveFlash(\.\d)?\x27)\s*\)(\s*\.\s*LoadMovie\s*|.*(?P=n)\s*\.\s*LoadMovie\s*)/siO"; metadata:service http; reference:url,www.securitytracker.com/id/1009674; classtype:attempted-user; sid:19610; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealGames InstallerDlg.dll ActiveX function call access"; flow:to_client,established; file_data; content:"StubbyUtil.ShellCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22StubbyUtil\.ShellCtl(\.\d)?\x22|\x27StubbyUtil\.ShellCtl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(CreateVistaTaskLow|Exec|ExecLow|ShellExec)\s*|.*(?P=v)\s*\.\s*(CreateVistaTaskLow|Exec|ExecLow|ShellExec)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22StubbyUtil\.ShellCtl(\.\d)?\x22|\x27StubbyUtil\.ShellCtl(\.\d)?\x27)\s*\)(\s*\.\s*(CreateVistaTaskLow|Exec|ExecLow|ShellExec)\s*|.*(?P=n)\s*\.\s*(CreateVistaTaskLow|Exec|ExecLow|ShellExec)\s*)/smiO"; metadata:service http; classtype:attempted-user; sid:19565; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealGames InstallerDlg.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|\x2f?>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(CreateVistaTaskLow|Exec|ExecLow|ShellExec)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|\x2f?>).*(?P=id2)\.(CreateVistaTaskLow|Exec|ExecLow|ShellExec))/siO"; metadata:service http; classtype:attempted-user; sid:19564; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealGames InstallerDlg.dll ActiveX function call access"; flow:to_client,established; file_data; content:"StubbyUtil.ProcessMgr"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22StubbyUtil\.ProcessMgr(\.\d)?\x22|\x27StubbyUtil\.ProcessMgr(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(CreateVistaTaskLow|Exec|ExecLow|ShellExec)\s*|.*(?P=v)\s*\.\s*(CreateVistaTaskLow|Exec|ExecLow|ShellExec)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22StubbyUtil\.ProcessMgr(\.\d)?\x22|\x27StubbyUtil\.ProcessMgr(\.\d)?\x27)\s*\)(\s*\.\s*(CreateVistaTaskLow|Exec|ExecLow|ShellExec)\s*|.*(?P=n)\s*\.\s*(CreateVistaTaskLow|Exec|ExecLow|ShellExec)\s*)/smiO"; metadata:service http; classtype:attempted-user; sid:19563; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealGames InstallerDlg.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"5818813e-d53d-47a5-abbb-37e2a07056b5"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5818813e-d53d-47a5-abbb-37e2a07056b5\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(CreateVistaTaskLow|Exec|ExecLow|ShellExec)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5818813e-d53d-47a5-abbb-37e2a07056b5\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(CreateVistaTaskLow|Exec|ExecLow|ShellExec))/siO"; metadata:service http; classtype:attempted-user; sid:19562; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer ieframe.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"0355854A-7F23-47E2-B7C3-97EE8DD42CD8"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0355854A-7F23-47E2-B7C3-97EE8DD42CD8\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(RunApplication)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0355854A-7F23-47E2-B7C3-97EE8DD42CD8\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(RunApplication))/siO"; metadata:service http; reference:bugtraq,47565; classtype:attempted-user; sid:19561; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS KingView ActiveX clsid access"; flow:to_client,established; file_data; content:"F31C42E3-CBF9-4E5C-BB95-521B4E85060D"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F31C42E3-CBF9-4E5C-BB95-521B4E85060D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ValidateUser)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F31C42E3-CBF9-4E5C-BB95-521B4E85060D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(ValidateUser))/siO"; metadata:service http; reference:bugtraq,46757; reference:cve,2011-3142; reference:url,www.us-cert.gov/control_systems/pdf/ICSA-11-074-01.pdf; classtype:attempted-user; sid:18904; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CrystalReports EnterpriseControls ActiveX clsid access"; flow:to_client,established; file_data; content:"3D58C9F3-7CA5-4C44-9D62-C5B63E059050"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3D58C9F3-7CA5-4C44-9D62-C5B63E059050\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SelectedSession)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3D58C9F3-7CA5-4C44-9D62-C5B63E059050\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SelectedSession))/siO"; metadata:service http; reference:bugtraq,27333; reference:cve,2008-0379; classtype:attempted-user; sid:18741; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Whale Client Components ActiveX ProgID access"; flow:to_client,established; file_data; content:"ComponentManager.Installer"; fast_pattern:only; metadata:service http; reference:bugtraq,34532; reference:cve,2007-2238; classtype:attempted-user; sid:18491; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Whale Client Components ActiveX clsid access"; flow:to_client,established; file_data; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; fast_pattern:only; metadata:service http; reference:bugtraq,34532; reference:cve,2007-2238; classtype:attempted-user; sid:18490; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Image Viewer CP Gold 6 ActiveX clsid access"; flow:to_client,established; file_data; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(TIFMergeMultiFiles|Image2PDF)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(TIFMergeMultiFiles|Image2PDF))/siO"; metadata:service http; reference:bugtraq,45155; classtype:attempted-user; sid:18325; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SonicWall Aventail EPInstaller ActiveX function call access"; flow:to_client,established; file_data; content:"Aventail.EPInstaller"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Aventail\.EPInstaller(\.\d)?\x22|\x27Aventail\.EPInstaller(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(InstallComponentMsi|Install3rdPartyComponent|InstallComponentVer|InstallComponent)\s*|.*(?P=v)\s*\.\s*(InstallComponentMsi|Install3rdPartyComponent|InstallComponentVer|InstallComponent)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aventail\.EPInstaller(\.\d)?\x22|\x27Aventail\.EPInstaller(\.\d)?\x27)\s*\)(\s*\.\s*(InstallComponentMsi|Install3rdPartyComponent|InstallComponentVer|InstallComponent)\s*|.*(?P=n)\s*\.\s*(InstallComponentMsi|Install3rdPartyComponent|InstallComponentVer|InstallComponent)\s*)/smiO"; metadata:service http; reference:bugtraq,44535; reference:cve,2010-2583; classtype:attempted-user; sid:18324; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SonicWall Aventail EPInstaller ActiveX clsid access"; flow:to_client,established; file_data; content:"5EDB10D9-7E95-4833-A218-62F375DAFCF1"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5EDB10D9-7E95-4833-A218-62F375DAFCF1\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(InstallComponentMsi|Install3rdPartyComponent|InstallComponentVer|InstallComponent)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5EDB10D9-7E95-4833-A218-62F375DAFCF1\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(InstallComponentMsi|Install3rdPartyComponent|InstallComponentVer|InstallComponent))/siO"; metadata:service http; reference:bugtraq,44535; reference:cve,2010-2583; classtype:attempted-user; sid:18323; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SonicWall Aventail EPInterrogator ActiveX function call access"; flow:to_client,established; file_data; content:"Aventail.EPInterrogator"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Aventail\.EPInterrogator(\.\d)?\x22|\x27Aventail\.EPInterrogator(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(AuthCredential|ConfigurationString)\s*|.*(?P=v)\s*\.\s*(AuthCredential|ConfigurationString)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aventail\.EPInterrogator(\.\d)?\x22|\x27Aventail\.EPInterrogator(\.\d)?\x27)\s*\)(\s*\.\s*(AuthCredential|ConfigurationString)\s*|.*(?P=n)\s*\.\s*(AuthCredential|ConfigurationString))\s*=/smiO"; metadata:service http; classtype:attempted-user; sid:18322; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SonicWall Aventail EPInterrogator ActiveX clsid access"; flow:to_client,established; file_data; content:"2A1BE1E7-C550-4D67-A553-7F2D3A39233D"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2A1BE1E7-C550-4D67-A553-7F2D3A39233D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AuthCredential|ConfigurationString)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2A1BE1E7-C550-4D67-A553-7F2D3A39233D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(AuthCredential|ConfigurationString))\s*=/siO"; metadata:service http; classtype:attempted-user; sid:18321; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Skype Extras Manager ActiveX function call access"; flow:to_client,established; file_data; content:"ezPMUtils.WindowGroup"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ezPMUtils\.WindowGroup(\.\d)?\x22|\x27ezPMUtils\.WindowGroup(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*RegisterWindow\s*|.*(?P=v)\s*\.\s*RegisterWindow\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ezPMUtils\.WindowGroup(\.\d)?\x22|\x27ezPMUtils\.WindowGroup(\.\d)?\x27)\s*\)(\s*\.\s*RegisterWindow\s*|.*(?P=n)\s*\.\s*RegisterWindow)\s*=/smiO"; metadata:service http; reference:bugtraq,36459; reference:cve,2009-4741; classtype:attempted-user; sid:17676; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Skype Extras Manager ActiveX clsid access"; flow:to_client,established; file_data; content:"42481700-CF3C-4D05-8EC6-F9A1C57E8DC0"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42481700-CF3C-4D05-8EC6-F9A1C57E8DC0\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(RegisterWindow)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42481700-CF3C-4D05-8EC6-F9A1C57E8DC0\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(RegisterWindow))\s*=/siO"; metadata:service http; reference:bugtraq,36459; reference:cve,2009-4741; classtype:attempted-user; sid:17674; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BigAnt Office Manager ActiveX function call access"; flow:to_client,established; file_data; content:"AntCore.AntConsole"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22AntCore\.AntConsole(\.\d)?\x22|\x27AntCore\.AntConsole(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*RegisterCom\s*|.*(?P=v)\s*\.\s*RegisterCom\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AntCore\.AntConsole(\.\d)?\x22|\x27AntCore\.AntConsole(\.\d)?\x27)\s*\)(\s*\.\s*RegisterCom\s*|.*(?P=n)\s*\.\s*RegisterCom\s*)/smiO"; metadata:service http; reference:bugtraq,39721; classtype:attempted-user; sid:17672; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BigAnt Office Manager ActiveX clsid access"; flow:to_client,established; file_data; content:"25745F2B-2AC9-4551-948B-574C50D4EE59"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*25745F2B-2AC9-4551-948B-574C50D4EE59\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(RegisterCom)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*25745F2B-2AC9-4551-948B-574C50D4EE59\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(RegisterCom))/siO"; metadata:service http; reference:bugtraq,39721; classtype:attempted-user; sid:17670; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX exploit attempt"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; fast_pattern:only; content:"unescape|28 22 25|u"; nocase; metadata:service http; reference:bugtraq,27534; reference:bugtraq,27756; reference:cve,2008-5711; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:17654; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft creator.dll 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"F849164D-9863-11D3-97C6-0060084856D4"; fast_pattern:only; metadata:service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17595; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft creator.dll 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"606EF130-9852-11D3-97C6-0060084856D4"; fast_pattern:only; metadata:service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17594; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft msdxm.ocx ActiveX clsid access"; flow:to_client,established; file_data; content:"8E71888A-423F-11D2-876E-00A0C9082467"; fast_pattern:only; metadata:service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17593; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft MyInfo.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"4682C82A-B2FF-11D0-95A8-00A0C92B77A9"; fast_pattern:only; metadata:service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17592; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOL Radio AmpX ActiveX clsid access"; flow:to_client,established; file_data; content:"FA3662C3-B8E8-11D6-A667-0010B556D978"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FA3662C3-B8E8-11D6-A667-0010B556D978\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetMetadata)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FA3662C3-B8E8-11D6-A667-0010B556D978\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetMetadata))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26396; reference:cve,2007-5755; classtype:attempted-user; sid:17464; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AXIS Camera ActiveX initialization via script"; flow:to_client,established; file_data; content:"CamImage.CamImage"; nocase; pcre:"/(\x3d\s*new\s+ActiveXObject\s*\x28\s*(?P\x22|\x27)CamImage\.CamImage\.\d(?P=q1)\s*\x29|\x3d\s*CreateObject\s*\x28\s*(?P\x22|\x27)CamImage\.CamImage\.\d(?P=q2)\s*\x29)/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33408; reference:cve,2008-5260; classtype:attempted-user; sid:17226; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Siebel Option Pack 6 ActiveX clsid access"; flow:to_client,established; file_data; content:"45874228-a445-40dc-962b-ec15559b1741"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*45874228-a445-40dc-962b-ec15559b1741\s*}?\s*(?P=q11)(\s|>)/siO"; metadata:service http; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17177; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Siebel Option Pack 5 ActiveX clsid access"; flow:to_client,established; file_data; content:"81a81dd2-a261-442a-b9b1-df10a2542020"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*81a81dd2-a261-442a-b9b1-df10a2542020\s*}?\s*(?P=q9)(\s|>)/siO"; metadata:service http; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17175; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Siebel Option Pack 4 ActiveX clsid access"; flow:to_client,established; file_data; content:"68cdb19a-6305-4589-8c35-41e3502cd451"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68cdb19a-6305-4589-8c35-41e3502cd451\s*}?\s*(?P=q7)(\s|>)/siO"; metadata:service http; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17173; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Siebel Option Pack 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"631F0C94-C02F-40AC-A31B-DDC39731FC81"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*631F0C94-C02F-40AC-A31B-DDC39731FC81\s*}?\s*(?P=q5)(\s|>)/siO"; metadata:service http; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17171; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Siebel Option Pack 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"26bac093-997c-4084-bad6-c35f5d67ea99"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*26bac093-997c-4084-bad6-c35f5d67ea99\s*}?\s*(?P=q3)(\s|>)/siO"; metadata:service http; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17169; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Siebel Option Pack 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"07070bfd-c501-4899-934d-0b96a9f70795"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*07070bfd-c501-4899-934d-0b96a9f70795\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:service http; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17167; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX function call access"; flow:to_client,established; file_data; content:"AOSMTP.Mail"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22AOSMTP\.Mail(\.\d)?\x22|\x27AOSMTP\.Mail(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddAttachments\s*|.*(?P=v)\s*\.\s*AddAttachments\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AOSMTP\.Mail(\.\d)?\x22|\x27AOSMTP\.Mail(\.\d)?\x27)\s*\)(\s*\.\s*AddAttachments\s*|.*(?P=n)\s*\.\s*AddAttachments\s*)/smiO"; metadata:service http; classtype:attempted-user; sid:17101; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"F8D07B72-B4B4-46A0-ACC0-C771D4614B82"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F8D07B72-B4B4-46A0-ACC0-C771D4614B82\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddAttachments)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F8D07B72-B4B4-46A0-ACC0-C771D4614B82\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddAttachments))/siO"; metadata:service http; classtype:attempted-user; sid:17099; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOL IWinAmpActiveX class ConvertFile buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6|27|"; fast_pattern:only; content:"ConvertFile"; metadata:service http; reference:bugtraq,35028; classtype:attempted-user; sid:17098; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOL WinAmpX ActiveX clsid access"; flow:to_client,established; file_data; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ConvertFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(ConvertFile))/siO"; metadata:service http; reference:bugtraq,35028; classtype:attempted-user; sid:17096; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VeryDOC PDF Viewer ActiveX control OpenPDF buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|433268D7-2CD4-43E6-AA24-2188672E7252|27|"; content:"unescape|28 27 25|u"; distance:0; metadata:service http; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17091; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VeryDOC PDF Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"PDFVIEW.PdfviewCtrl"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22PDFVIEW\.PdfviewCtrl(\.\d)?\x22|\x27PDFVIEW\.PdfviewCtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenPDF\s*|.*(?P=v)\s*\.\s*OpenPDF\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PDFVIEW\.PdfviewCtrl(\.\d)?\x22|\x27PDFVIEW\.PdfviewCtrl(\.\d)?\x27)\s*\)(\s*\.\s*OpenPDF\s*|.*(?P=n)\s*\.\s*OpenPDF\s*)/smiO"; metadata:service http; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17089; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VeryDOC PDF Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"433268D7-2CD4-43E6-AA24-2188672E7252"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*433268D7-2CD4-43E6-AA24-2188672E7252\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:service http; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17087; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17086; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Creative Software AutoUpdate Engine ActiveX clsid access"; flow:to_client,established; file_data; content:"0A5FD7C5-A45C-49FC-ADB5-9952547D5715"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0A5FD7C5-A45C-49FC-ADB5-9952547D5715\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(cachefolder)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0A5FD7C5-A45C-49FC-ADB5-9952547D5715\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(cachefolder))\s*=/siO"; metadata:service http; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17084; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SonicWALL SSL-VPN NeLaunchCtrl ActiveX clsid access"; flow:to_client,established; file_data; content:"6EEFD7B1-B26C-440D-B55A-1EC677189F30"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6EEFD7B1-B26C-440D-B55A-1EC677189F30\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddRouteEntry)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6EEFD7B1-B26C-440D-B55A-1EC677189F30\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddRouteEntry))/siO"; metadata:service http; reference:bugtraq,26288; reference:cve,2007-5603; classtype:attempted-user; sid:17082; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GOM Player GomWeb ActiveX function call access"; flow:to_client,established; file_data; content:"GomWebCtrl.GomManager"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22GomWebCtrl\.GomManager(\.\d)?\x22|\x27GomWebCtrl\.GomManager(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenURL\s*|.*(?P=v)\s*\.\s*OpenURL\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22GomWebCtrl\.GomManager(\.\d)?\x22|\x27GomWebCtrl\.GomManager(\.\d)?\x27)\s*\)(\s*\.\s*OpenURL\s*|.*(?P=n)\s*\.\s*OpenURL\s*)/smiO"; metadata:service http; reference:bugtraq,26236; reference:cve,2007-5779; classtype:attempted-user; sid:17080; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GOM Player GomWeb ActiveX clsid access"; flow:to_client,established; file_data; content:"DC07C721-79E0-4BD4-A89F-C90871946A31"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DC07C721-79E0-4BD4-A89F-C90871946A31\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(OpenURL)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DC07C721-79E0-4BD4-A89F-C90871946A31\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(OpenURL))/siO"; metadata:service http; reference:bugtraq,26236; reference:cve,2007-5779; classtype:attempted-user; sid:17078; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ask Toolbar AskJeevesToolBar.SettingsPlugin.1 ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|5A074B2B-F830-49DE-A31B-5BB9D7F6B407|27|"; content:"|3D| new String|28|"; distance:0; content:!"|29|"; within:1000; metadata:service http; reference:bugtraq,25785; reference:cve,2007-5107; classtype:attempted-user; sid:17077; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX function call access"; flow:to_client,established; file_data; content:"AskJeevesToolBar.SettingsPlugin"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22AskJeevesToolBar\.SettingsPlugin(\.\d)?\x22|\x27AskJeevesToolBar\.SettingsPlugin(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ShortFormat\s*|.*(?P=v)\s*\.\s*ShortFormat\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AskJeevesToolBar\.SettingsPlugin(\.\d)?\x22|\x27AskJeevesToolBar\.SettingsPlugin(\.\d)?\x27)\s*\)(\s*\.\s*ShortFormat\s*|.*(?P=n)\s*\.\s*ShortFormat)\s*=/smiO"; metadata:service http; reference:bugtraq,25785; reference:cve,2007-5107; classtype:attempted-user; sid:17075; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX clsid access"; flow:to_client,established; file_data; content:"5A074B2B-F830-49de-A31B-5BB9D7F6B407"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5A074B2B-F830-49de-A31B-5BB9D7F6B407\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ShortFormat)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5A074B2B-F830-49de-A31B-5BB9D7F6B407\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(ShortFormat))\s*=/siO"; metadata:service http; reference:bugtraq,25785; reference:cve,2007-5107; classtype:attempted-user; sid:17073; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Logitech Video Call 5 ActiveX clsid access"; flow:to_client,established; file_data; content:"bf4c7b03-f381-4544-9a33-cb6dad2a87cd"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bf4c7b03-f381-4544-9a33-cb6dad2a87cd\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Start)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bf4c7b03-f381-4544-9a33-cb6dad2a87cd\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Start))/siO"; metadata:service http; reference:bugtraq,24254; reference:cve,2007-2918; classtype:attempted-user; sid:17071; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Logitech Video Call 4 ActiveX clsid access"; flow:to_client,established; file_data; content:"bef0f488-3562-435f-8e89-79d94c9a528c"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bef0f488-3562-435f-8e89-79d94c9a528c\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Start)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bef0f488-3562-435f-8e89-79d94c9a528c\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Start))/siO"; metadata:service http; reference:bugtraq,24254; reference:cve,2007-2918; classtype:attempted-user; sid:17069; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Logitech Video Call 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"917b29f8-e72a-4761-8371-bf7fca27eb31"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*917b29f8-e72a-4761-8371-bf7fca27eb31\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Start)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*917b29f8-e72a-4761-8371-bf7fca27eb31\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Start))/siO"; metadata:service http; reference:bugtraq,24254; reference:cve,2007-2918; classtype:attempted-user; sid:17067; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Logitech Video Call 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"6577b09d-c39d-4e22-9913-c99803f9c388"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6577b09d-c39d-4e22-9913-c99803f9c388\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Start)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6577b09d-c39d-4e22-9913-c99803f9c388\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Start))/siO"; metadata:service http; reference:bugtraq,24254; reference:cve,2007-2918; classtype:attempted-user; sid:17065; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Logitech Video Call 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"54da0fb5-483a-4c53-810b-f131d50a8eb6"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*54da0fb5-483a-4c53-810b-f131d50a8eb6\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Start)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*54da0fb5-483a-4c53-810b-f131d50a8eb6\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Start))/siO"; metadata:service http; reference:bugtraq,24254; reference:cve,2007-2918; classtype:attempted-user; sid:17063; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Personal Firewall 2004 ActiveX clsid access"; flow:to_client,established; file_data; content:"BE39AEFD-5704-4bb5-B1DF-B7992454AB7E"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BE39AEFD-5704-4bb5-B1DF-B7992454AB7E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Get|Set)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BE39AEFD-5704-4bb5-B1DF-B7992454AB7E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Get|Set))/siO"; metadata:service http; reference:bugtraq,23936; reference:cve,2007-1689; classtype:attempted-user; sid:17061; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Roxio CinePlayer SonicDVDDashVRNav.dll ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; fast_pattern:only; metadata:service http; reference:bugtraq,23412; reference:cve,2007-1559; classtype:attempted-user; sid:17060; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"Launcher.LaunchObj"; fast_pattern:only; pcre:"/(installAppMgr|upgradeAsNeeded)/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33247; reference:cve,2008-4388; classtype:attempted-user; sid:17054; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Launcher.LaunchObj"; fast_pattern:only; pcre:"/(installAppMgr|upgradeAsNeeded)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33247; reference:cve,2008-4388; classtype:attempted-user; sid:17053; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"3356DB7C-58A7-11D4-AA5C-006097314BF8"; fast_pattern:only; pcre:"/(installAppMgr|upgradeAsNeeded)/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33247; reference:cve,2008-4388; classtype:attempted-user; sid:17052; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WinDVD IASystemInfo.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"B727C217-2022-11D4-B2C6-0050DA1BD906"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B727C217-2022-11D4-B2C6-0050DA1BD906\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ApplicationType)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B727C217-2022-11D4-B2C6-0050DA1BD906\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(ApplicationType))\s*=/siO"; metadata:service http; reference:bugtraq,23071; reference:cve,2007-0348; classtype:attempted-user; sid:16802; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SAP AG SAPgui EAI WebViewer3D ActiveX function call access"; flow:to_client,established; file_data; content:"EAIWeb.WebViewer3D"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22EAIWeb\.WebViewer3D(\.\d)?\x22|\x27EAIWeb\.WebViewer3D(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveViewToSessionFile\s*|.*(?P=v)\s*\.\s*SaveViewToSessionFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EAIWeb\.WebViewer3D(\.\d)?\x22|\x27EAIWeb\.WebViewer3D(\.\d)?\x27)\s*\)(\s*\.\s*SaveViewToSessionFile\s*|.*(?P=n)\s*\.\s*SaveViewToSessionFile\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,34310; reference:cve,2007-4475; classtype:attempted-user; sid:16793; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SAP AG SAPgui EAI WebViewer3D ActiveX clsid access"; flow:to_client,established; file_data; content:"AFBBE070-7340-11d2-AA6B-00E02924C34E"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AFBBE070-7340-11d2-AA6B-00E02924C34E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveViewToSessionFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AFBBE070-7340-11d2-AA6B-00E02924C34E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveViewToSessionFile))\s*\(/siO"; metadata:service http; reference:bugtraq,34310; reference:cve,2007-4475; classtype:attempted-user; sid:16791; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|3352B5B9-82E8-4FFD-9EB1-1A3E60056904|27|"; fast_pattern:only; metadata:service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16790; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX object access attempt"; flow:to_client,established; file_data; content:"|3D| new ActiveXObject|28 22|ChilkatCrypt2|2E|ChilkatCrypt2|22 29 3B|"; fast_pattern:only; metadata:service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16789; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AwingSoft Winds3D Player SceneURL method command execution attempt"; flow:to_client,established; file_data; content:"clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903"; content:"|3C|param name|3D 22|SceneURL|22| value|3D 22|http|3A 2F 2F|"; distance:0; metadata:service http; reference:cve,2009-2386; reference:cve,2009-4850; classtype:attempted-user; sid:16785; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Autodesk iDrop ActiveX function call access"; flow:to_client,established; file_data; content:"idrop.idrop"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22idrop\.idrop(\.\d)?\x22|\x27idrop\.idrop(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22idrop\.idrop(\.\d)?\x22|\x27idrop\.idrop(\.\d)?\x27)\s*\)\s*=/smiO"; pcre:"/\.(src|background|packagexml)/si"; metadata:service http; reference:url,securitytracker.com/id?1021969; classtype:attempted-user; sid:16784; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Autodesk iDrop ActiveX clsid access"; flow:to_client,established; file_data; content:"21E0CB95-1198-4945-A3D2-4BF804295F78"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*21E0CB95-1198-4945-A3D2-4BF804295F78\s*}?\s*(?P=q1)(\s|>)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*21E0CB95-1198-4945-A3D2-4BF804295F78\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>))/siO"; pcre:"/\.(src|background|packagexml)/si"; metadata:service http; reference:url,securitytracker.com/id?1021969; classtype:attempted-user; sid:16783; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EasyMail IMAP4 ActiveX function call access"; flow:to_client,established; file_data; content:"EasyMail.IMAP4"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22EasyMail\.IMAP4(\.\d)?\x22|\x27EasyMail\.IMAP4(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LicenseKey\s*|.*(?P=v)\s*\.\s*LicenseKey\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EasyMail\.IMAP4(\.\d)?\x22|\x27EasyMail\.IMAP4(\.\d)?\x27)\s*\)(\s*\.\s*LicenseKey\s*|.*(?P=n)\s*\.\s*LicenseKey\s*)/smiO"; metadata:service http; reference:bugtraq,25467; reference:cve,2007-4607; classtype:attempted-user; sid:16781; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EasyMail IMAP4 ActiveX clsid access"; flow:to_client,established; file_data; content:"0CEA3FB1-7F88-4803-AA8E-AD021566955D"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(LicenseKey)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(LicenseKey))/siO"; metadata:service http; reference:bugtraq,25467; reference:cve,2007-4607; classtype:attempted-user; sid:16779; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS KeyWorks KeyHelp ActiveX control JumpURL method access attempt"; flow:to_client,established; file_data; content:"classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C'"; fast_pattern:only; content:"id='KEYHELPLib'"; content:"JumpURL"; metadata:policy security-ips drop, service http; reference:bugtraq,36546; reference:cve,2012-2515; classtype:attempted-user; sid:16776; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EMC Captiva QuickScan Pro ActiveX function call access"; flow:to_client,established; file_data; content:"KeyHelp.KeyCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22KeyHelp\.KeyCtrl(\.\d)?\x22|\x27KeyHelp\.KeyCtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(JumpURL|JumpMappedID)\s*|.*(?P=v)\s*\.\s*(JumpURL|JumpMappedID)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22KeyHelp\.KeyCtrl(\.\d)?\x22|\x27KeyHelp\.KeyCtrl(\.\d)?\x27)\s*\)(\s*\.\s*(JumpURL|JumpMappedID)\s*|.*(?P=n)\s*\.\s*(JumpURL|JumpMappedID)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; reference:bugtraq,36546; reference:cve,2012-2515; classtype:attempted-user; sid:16774; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903|27|"; content:"unescape|28 27 25|u"; distance:0; metadata:service http; reference:cve,2009-4588; classtype:attempted-user; sid:16771; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AwingSoft Web3D Player ActiveX function call access"; flow:to_client,established; file_data; content:"WindsPlayerIE.View"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22WindsPlayerIE\.View(\.\d)?\x22|\x27WindsPlayerIE\.View(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SceneURL\s*|.*(?P=v)\s*\.\s*SceneURL\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WindsPlayerIE\.View(\.\d)?\x22|\x27WindsPlayerIE\.View(\.\d)?\x27)\s*\)(\s*\.\s*SceneURL\s*|.*(?P=n)\s*\.\s*SceneURL\s*)/smiO"; metadata:service http; reference:cve,2009-4588; reference:cve,2009-4850; classtype:attempted-user; sid:16769; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AwingSoft Web3D Player SceneURL ActiveX clsid access"; flow:to_client,established; file_data; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*17A54E7D-A9D4-11D8-9552-00E04CB09903\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SceneURL)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*17A54E7D-A9D4-11D8-9552-00E04CB09903\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SceneURL))/siO"; metadata:service http; reference:cve,2009-4588; reference:cve,2009-4850; classtype:attempted-user; sid:16767; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Access Support ActiveX function call access"; flow:to_client,established; file_data; content:"IbmEgath.IbmEgathCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22IbmEgath\.IbmEgathCtl(\.\d)?\x22|\x27IbmEgath\.IbmEgathCtl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetXMLValue\s*|.*(?P=v)\s*\.\s*GetXMLValue\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IbmEgath\.IbmEgathCtl(\.\d)?\x22|\x27IbmEgath\.IbmEgathCtl(\.\d)?\x27)\s*\)(\s*\.\s*GetXMLValue\s*|.*(?P=n)\s*\.\s*GetXMLValue\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34228; reference:cve,2009-0215; classtype:attempted-user; sid:16748; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DjVu ActiveX control access attempt"; flow:to_client,established; file_data; content:"clsid|3A|4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; fast_pattern:only; metadata:service http; reference:bugtraq,31987; reference:cve,2008-4922; classtype:attempted-user; sid:16745; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:service http; reference:bugtraq,25467; reference:cve,2007-4607; classtype:attempted-user; sid:16741; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; fast_pattern:only; file_data; content:"WksPictureInterface"; pcre:"/var num \x3D (-1|168430090)\x3B/i"; metadata:service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:16740; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee Remediation client ActiveX control access attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28 27|Enginecom.imagineLANEngine.1|27 29 3B|"; fast_pattern:only; metadata:service http; reference:url,www.fortiguard.com/encyclopedia/vulnerability/mcafee.remediation.client.enginecom.dll.activex.access.html; classtype:attempted-user; sid:16729; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ActivePDF WebGrabber APWebGrb.ocx GetStatus method overflow attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28 27|APWebGrabber.Object|27 29 3B|"; fast_pattern:only; content:".GetStatus|28|"; nocase; metadata:service http; classtype:attempted-user; sid:16725; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SaschArt SasCam Webcam Server ActiveX control exploit attempt"; flow:to_client,established; file_data; content:"clsid|3A|0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; content:"unescape|28|"; within:300; nocase; metadata:service http; reference:bugtraq,33053; reference:cve,2008-6898; classtype:attempted-user; sid:16715; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SoftArtisans XFile FileManager ActiveX Control access attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28 27|SoftArtisans|2E|FileManager|2E|1|27 29 3B|"; fast_pattern:only; metadata:service http; reference:bugtraq,30826; reference:cve,2007-1682; reference:url,support.softartisans.com/Support-114.aspx; classtype:attempted-user; sid:16714; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS E-Book Systems FlipViewer FlipViewerX.dll activex clsid access ActiveX clsid access"; flow:to_client,established; file_data; content:"BA83FD38-CE14-4DA3-BEF5-96050D55F78A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA83FD38-CE14-4DA3-BEF5-96050D55F78A\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:service http; reference:bugtraq,24328; reference:cve,2007-2919; classtype:attempted-user; sid:16711; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt"; flow:to_client,established; file_data; content:"5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6"; fast_pattern:only; content:".Initialize|28|"; nocase; content:"unescape|28|"; nocase; rawbytes; metadata:service http; reference:bugtraq,37133; reference:cve,2009-4225; classtype:attempted-user; sid:16704; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Juniper Networks SSL-VPN Client JuniperSetup ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"E5F5D008-DD2C-4D32-977D-1A0ADF03058B"; nocase; content:"ProductName"; nocase; pcre:"/\]*?name\s*=\s*(?P\x22|\x27|)?ProductName(?P=q)[^\>]+?value\s*=\s*(\x22[^\x22]{500}|\x27[^\x27]{500}|[^\s\>]{500})/i"; metadata:service http; reference:bugtraq,17712; reference:cve,2006-2086; classtype:attempted-user; sid:16687; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Access Support ActiveX GetXMLValue method buffer overflow attempt"; flow:to_client,established; file_data; content:".GetXMLValue"; fast_pattern; content:"String.fromCharCode"; pcre:"/String\x2EfromCharCode\s*\x28(?=[^\x29]*?0x\d+)[^\x29]*?\d{2}/"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34228; reference:cve,2009-0215; classtype:attempted-user; sid:16610; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; fast_pattern:only; content:"Import"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26130; reference:bugtraq,30379; reference:cve,2007-5601; reference:cve,2008-3066; classtype:attempted-user; sid:16609; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Mercury Quality Center SPIDERLib ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid=|27|clsid|3A|98C53984-8BF8-4D11-9B1C-C324FCA9CADE|27|"; fast_pattern:only; metadata:service http; reference:bugtraq,23239; reference:cve,2007-1819; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872; classtype:attempted-user; sid:16608; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RAM Download Handler ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid=|27|clsid|3A|2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93|27|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:16607; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft DirectShow 3 ActiveX exploit via JavaScript"; flow:to_client,established; file_data; content:".classid='clsid|3A|0369B4E5-45B6-11D3-B650-00C04F79498E'|3B|"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-032; classtype:attempted-user; sid:16602; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AtHocGov IWSAlerts ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"AtHocGovGSTlBar.GSHelper.1"; fast_pattern:only; content:".CompleteInstallation|28|"; metadata:service http; reference:url,www.fortiguard.com/encyclopedia/vulnerability/athocgov.iwsalerts.activex.buffer.overflow.html; classtype:attempted-user; sid:16599; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle EasyMail Objects ActiveX exploit attempt"; flow:to_client,established; file_data; content:"|23| CLSID|3A|68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; fast_pattern:only; metadata:service http; reference:bugtraq,25467; reference:cve,2007-4607; classtype:attempted-user; sid:16590; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX clsid access"; flow:to_server,established; file_data; content:"3F0EECCE-E138-11D1-8712-0060083D83F5"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?3F0EECCE-E138-11D1-8712-0060083D83F5/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16588; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Persits Software XUpload ActiveX clsid unsafe function access attempt"; flow:to_client,established; file_data; content:"E87F6C8E-16C0-11D3-BEF7-009027438003"; fast_pattern:only; pcre:"/\x2E(AddFolder|AddFile|MakeHttpRequest)/i"; metadata:service http; reference:bugtraq,27025; reference:bugtraq,27456; reference:bugtraq,36550; reference:cve,2007-6530; reference:cve,2008-0492; reference:cve,2009-3693; classtype:attempted-user; sid:16581; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NCTAudioFile2 ActiveX clsid access via object tag"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"BROWSER-PLUGINS RKD Software BarCode ActiveX buffer overflow attempt"; flow:to_client,established; file_data; content:"classid='clsid|3A|C26D9CA8-6747-11D5-AD4B-C01857C10000'"; content:"String"; distance:0; content:"unescape"; distance:0; metadata:service http; reference:bugtraq,24596; reference:cve,2007-3435; classtype:attempted-user; sid:16575; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS obfuscated ActiveX object instantiation via unescape"; flow:to_client,established; file_data; content:"ActiveXObject|28|"; nocase; content:"unescape|28|"; nocase; pcre:"/new\s*ActiveXObject\(\s*unescape\(/smi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,msdn.microsoft.com/en-us/library/7sw4ddf8(VS.85).aspx; classtype:attempted-user; sid:16573; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EnjoySAP kweditcontrol ActiveX function call access"; flow:to_client,established; file_data; content:"kweditcontrol.kwedit"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22kweditcontrol\.kwedit(\.\d)?\x22|\x27kweditcontrol\.kwedit(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(PrepareToPostHTML|Comp_Download)\s*|.*(?P=v)\s*\.\s*(PrepareToPostHTML|Comp_Download)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22kweditcontrol\.kwedit(\.\d)?\x22|\x27kweditcontrol\.kwedit(\.\d)?\x27)\s*\)(\s*\.\s*(PrepareToPostHTML|Comp_Download)\s*|.*(?P=n)\s*\.\s*(PrepareToPostHTML|Comp_Download)\s*)/smiO"; metadata:service http; reference:bugtraq,24772; reference:bugtraq,34524; reference:cve,2007-3605; reference:cve,2008-4830; classtype:attempted-user; sid:16571; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EnjoySAP kweditcontrol ActiveX clsid access"; flow:to_client,established; file_data; content:"2137278D-EF5C-11D3-96CE-0004AC965257"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2137278D-EF5C-11D3-96CE-0004AC965257\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(PrepareToPostHTML|Comp_Download)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2137278D-EF5C-11D3-96CE-0004AC965257\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(PrepareToPostHTML|Comp_Download))/siO"; metadata:service http; reference:bugtraq,24772; reference:bugtraq,34524; reference:cve,2007-3605; reference:cve,2008-4830; classtype:attempted-user; sid:16569; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Altnet Download Manager ADM4 ActiveX clsid access"; flow:to_client,established; file_data; content:"DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2"; fast_pattern:only; metadata:service http; reference:bugtraq,25903; reference:cve,2007-5217; classtype:attempted-user; sid:16568; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Tumbleweed SecureTransport ActiveX clsid access"; flow:to_client,established; file_data; content:"38681fbd-d4cc-4a59-a527-b3136db711d3"; content:"TransferFile"; distance:0; metadata:service http; reference:bugtraq,28662; reference:cve,2008-1724; classtype:attempted-user; sid:16566; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ultra Shareware Office Control ActiveX clsid access"; flow:to_client,established; file_data; content:"00989888-BB72-4E31-A7C6-5F819C24D2F7"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?00989888-BB72-4E31-A7C6-5F819C24D2F7/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,30861; reference:cve,2008-3878; classtype:attempted-user; sid:16565; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Trend Micro Web Deployment ActiveX clsid access"; flow:to_client,established; file_data; content:"5EFE8CB1-D095-11D1-88FC-0080C859833B"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5EFE8CB1-D095-11D1-88FC-0080C859833B\s*}?\s*(?P=q1)(\s|>)/siO"; content:"]+VALUE\s*=\s*(?P\x22|\x27|)[^>]{200}(?P=q2)/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30407; reference:cve,2008-3364; classtype:attempted-user; sid:16432; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AcroPDF.PDF ActiveX function call access"; flow:to_client,established; file_data; content:"AcroPDF.PDF"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22AcroPDF\.PDF(\.\d)?\x22|\x27AcroPDF\.PDF(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*execCommand\s*|.*(?P=v)\s*\.\s*execCommand\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AcroPDF\.PDF(\.\d)?\x22|\x27AcroPDF\.PDF(\.\d)?\x27)\s*\)(\s*\.\s*execCommand\s*|.*(?P=n)\s*\.\s*execCommand\s*)\s*\(/smiO"; metadata:service http; reference:cve,2009-2987; classtype:attempted-user; sid:16388; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AcroPDF.PDF ActiveX clsid access"; flow:to_client,established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CA8A9780-280D-11CF-A24D-444553540000\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(execCommand)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CA8A9780-280D-11CF-A24D-444553540000\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(execCommand))\s*\(/siO"; metadata:service http; reference:cve,2009-2987; classtype:attempted-user; sid:16386; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SAP AG SAPgui sapirrfc ActiveX clsid access"; flow:to_client,established; file_data; content:"77F12F8A-F117-11D0-8CF1-00A0C91D9D87"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*77F12F8A-F117-11D0-8CF1-00A0C91D9D87\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Accept)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*77F12F8A-F117-11D0-8CF1-00A0C91D9D87\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Accept))/siO"; metadata:service http; reference:bugtraq,35256; reference:url,service.sap.com/sap/support/notes/1286637; classtype:attempted-user; sid:16379; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Media Player DHTML Editing ActiveX clsid access"; flow:to_client,established; file_data; content:"execCommand|28 22|copy|22 29 3B|"; nocase; content:"2D360201-FFF5-11d1-8D03-00A0C959BC0A"; distance:0; metadata:service http; reference:bugtraq,7517; reference:cve,2003-0228; reference:nessus,11595; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-017; classtype:attempted-user; sid:16340; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Altiris.AeXNSConsoleUtilities"; fast_pattern:only; pcre:"/(BrowseAndSaveFile|RunCMD)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36698; reference:bugtraq,37092; reference:cve,2009-3031; reference:cve,2009-3033; classtype:attempted-user; sid:16307; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; fast_pattern:only; pcre:"/(BrowseAndSaveFile|RunCMD)/i"; metadata:service smtp; reference:bugtraq,36698; reference:bugtraq,37092; reference:cve,2009-3031; reference:cve,2009-3033; classtype:attempted-user; sid:16305; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Excel Add-in for SQL Analysis Services 4 ActiveX clsid access"; flow:to_client,established; file_data; content:"3267123E-530D-4E73-9DA7-79F01D86A89F"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3267123E-530D-4E73-9DA7-79F01D86A89F\s*}?\s*(?P=q7)(\s|>)/si"; metadata:service http; reference:cve,2009-2493; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16165; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Excel Add-in for SQL Analysis Services 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"15721a53-8448-4731-8bfc-ed11e128e444"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*15721a53-8448-4731-8bfc-ed11e128e444\s*}?\s*(?P=q5)(\s|>)/si"; metadata:service http; reference:cve,2009-2493; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16163; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Excel Add-in for SQL Analysis Services 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"DB640C86-731C-484A-AAAF-750656C9187D"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DB640C86-731C-484A-AAAF-750656C9187D\s*}?\s*(?P=q3)(\s|>)/si"; metadata:service http; reference:cve,2009-2493; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16161; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Excel Add-in for SQL Analysis Services 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"27A3D328-D206-4106-8D33-1AA39B13394B"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*27A3D328-D206-4106-8D33-1AA39B13394B\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:cve,2009-2493; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16159; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Music Jukebox ActiveX exploit"; flow:to_client,established; file_data; content:"buf = buf + unescape|28 22|%u"; nocase; content:"5F810AFC-BB5F-4416-BE63-E01DD117BD6C"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27578; reference:bugtraq,27579; reference:cve,2008-0624; reference:cve,2008-0625; classtype:attempted-user; sid:16068; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PPStream PPSMediaList ActiveX function call access"; flow:to_client,established; file_data; content:"PPSMEDIALIST.PPSMediaListCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22PPSMEDIALIST\.PPSMediaListCtrl(\.\d)?\x22|\x27PPSMEDIALIST\.PPSMediaListCtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PPSMEDIALIST\.PPSMediaListCtrl(\.\d)?\x22|\x27PPSMEDIALIST\.PPSMediaListCtrl(\.\d)?\x27)\s*\)/smiO"; metadata:service http; reference:bugtraq,36234; classtype:attempted-user; sid:15928; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PPStream PPSMediaList ActiveX clsid access"; flow:to_client,established; file_data; content:"D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:service http; reference:bugtraq,36234; classtype:attempted-user; sid:15926; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access"; flow:to_client,established; file_data; content:"DHTMLSafe.DHTMLSafe"; fast_pattern:only; content:"LoadURL"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,116; reference:bugtraq,12602; reference:bugtraq,1474; reference:bugtraq,36280; reference:cve,1999-0487; reference:cve,2005-0500; reference:cve,2009-2519; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-011; classtype:attempted-user; sid:15924; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AcerCtrls.APlunch ActiveX clsid access"; flow:to_client,established; file_data; content:"3895DD35-7573-11D2-8FED-00606730D3AA"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3895DD35-7573-11D2-8FED-00606730D3AA\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Run)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3895DD35-7573-11D2-8FED-00606730D3AA\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Run))\s*\(/siO"; metadata:service http; reference:cve,2009-2627; reference:url,www.kb.cert.org/vuls/id/485961; classtype:attempted-user; sid:15878; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access"; flow:to_client,established; file_data; content:"OWC10.Spreadsheet"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2002-0727; reference:cve,2002-0861; reference:cve,2009-1136; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15855; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Web Components Datasource ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E543-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E543-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0562; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15852; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.Spreadsheet"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15691; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E559-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E559-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15689; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC10.Spreadsheet"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15687; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft DirectShow ActiveX exploit via JavaScript - unicode encoding"; flow:to_client,established; file_data; content:".|00 00 00|c|00 00 00|l|00 00 00|a|00 00 00|s|00 00 00|s|00 00 00|i|00 00 00|d|00 00 00|=|00 00 00|'|00 00 00|c|00 00 00|l|00 00 00|s|00 00 00|i|00 00 00|d|00 00 00 3A 00 00 00|0|00 00 00|9|00 00 00|5|00 00 00|5|00 00 00|A|00 00 00|C|00 00 00|6|00 00 00|2|00 00 00|-|00 00 00|B|00 00 00|F|00 00 00|2|00 00 00|E|00 00 00|-|00 00 00|4|00 00 00|C|00 00 00|B|00 00 00|A|00 00 00|-|00 00 00|A|00 00 00|2|00 00 00|B|00 00 00|9|00 00 00|-|00 00 00|A|00 00 00|6|00 00 00|3|00 00 00|F|00 00 00|7|00 00 00|7|00 00 00|2|00 00 00|D|00 00 00|4|00 00 00|6|00 00 00|C|00 00 00|F|00 00 00|'|00 00 00 3B|"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-032; classtype:attempted-user; sid:15679; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft DirectShow ActiveX exploit via JavaScript"; flow:to_client,established; file_data; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-032; classtype:attempted-user; sid:15678; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"1C15D484-911D-11D2-B632-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1C15D484-911D-11D2-B632-00C04F79498E\s*}?\s*(?P=q89)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15676; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 8 ActiveX clsid access"; flow:to_client,established; file_data; content:"1BE49F30-0E1B-11D3-9D8E-00C04F72D980"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1BE49F30-0E1B-11D3-9D8E-00C04F72D980\s*}?\s*(?P=q87)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15674; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 6 ActiveX function call"; flow:to_client,established; file_data; content:"BDATuner.MPEG2TuneRequest"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35558; reference:cve,2008-0015; reference:cve,2009-0901; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-060; classtype:attempted-user; sid:15671; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 5 ActiveX clsid access"; flow:to_client,established; file_data; content:"055CB2D7-2969-45CD-914B-76890722F112"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*055CB2D7-2969-45CD-914B-76890722F112\s*}?\s*(?P=q81)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15668; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 45 ActiveX clsid access"; flow:to_client,established; file_data; content:"FA7C375B-66A7-4280-879D-FD459C84BB02"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FA7C375B-66A7-4280-879D-FD459C84BB02\s*}?\s*(?P=q79)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15666; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 44 ActiveX clsid access"; flow:to_client,established; file_data; content:"F9769A06-7ACA-4E39-9CFB-97BB35F0E77E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F9769A06-7ACA-4E39-9CFB-97BB35F0E77E\s*}?\s*(?P=q77)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15664; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 43 ActiveX clsid access"; flow:to_client,established; file_data; content:"D02AAC50-027E-11D3-9D8E-00C04F72D980"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D02AAC50-027E-11D3-9D8E-00C04F72D980\s*}?\s*(?P=q75)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15662; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 42 ActiveX clsid access"; flow:to_client,established; file_data; content:"CAAFDD83-CEFC-4E3D-BA03-175F17A24F91"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CAAFDD83-CEFC-4E3D-BA03-175F17A24F91\s*}?\s*(?P=q73)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15660; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 41 ActiveX clsid access"; flow:to_client,established; file_data; content:"C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7\s*}?\s*(?P=q71)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15658; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 40 ActiveX clsid access"; flow:to_client,established; file_data; content:"C5702CD0-9B79-11D3-B654-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C5702CD0-9B79-11D3-B654-00C04F79498E\s*}?\s*(?P=q69)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15656; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 4 ActiveX clsid access"; flow:to_client,established; file_data; content:"0369B4E6-45B6-11D3-B650-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0369B4E6-45B6-11D3-B650-00C04F79498E\s*}?\s*(?P=q67)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15654; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 39 ActiveX clsid access"; flow:to_client,established; file_data; content:"C5702CCF-9B79-11D3-B654-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C5702CCF-9B79-11D3-B654-00C04F79498E\s*}?\s*(?P=q65)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15652; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 38 ActiveX clsid access"; flow:to_client,established; file_data; content:"C5702CCE-9B79-11D3-B654-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C5702CCE-9B79-11D3-B654-00C04F79498E\s*}?\s*(?P=q63)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15650; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 37 ActiveX clsid access"; flow:to_client,established; file_data; content:"C5702CCD-9B79-11D3-B654-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C5702CCD-9B79-11D3-B654-00C04F79498E\s*}?\s*(?P=q61)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15648; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 36 ActiveX clsid access"; flow:to_client,established; file_data; content:"C5702CCC-9B79-11D3-B654-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C5702CCC-9B79-11D3-B654-00C04F79498E\s*}?\s*(?P=q59)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15646; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 35 ActiveX clsid access"; flow:to_client,established; file_data; content:"C531D9FD-9685-4028-8B68-6E1232079F1E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C531D9FD-9685-4028-8B68-6E1232079F1E\s*}?\s*(?P=q57)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15644; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 34 ActiveX clsid access"; flow:to_client,established; file_data; content:"BB530C63-D9DF-4B49-9439-63453962E598"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BB530C63-D9DF-4B49-9439-63453962E598\s*}?\s*(?P=q55)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15642; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 33 ActiveX clsid access"; flow:to_client,established; file_data; content:"B64016F3-C9A2-4066-96F0-BD9563314726"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B64016F3-C9A2-4066-96F0-BD9563314726\s*}?\s*(?P=q53)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15640; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 31 ActiveX clsid access"; flow:to_client,established; file_data; content:"AD8E510D-217F-409B-8076-29C5E73B98E8"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AD8E510D-217F-409B-8076-29C5E73B98E8\s*}?\s*(?P=q49)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15636; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 30 ActiveX clsid access"; flow:to_client,established; file_data; content:"A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE\s*}?\s*(?P=q47)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15634; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"0369B4E5-45B6-11D3-B650-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0369B4E5-45B6-11D3-B650-00C04F79498E\s*}?\s*(?P=q45)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15632; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 29 ActiveX clsid access"; flow:to_client,established; file_data; content:"A2E30750-6C3D-11D3-B653-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A2E30750-6C3D-11D3-B653-00C04F79498E\s*}?\s*(?P=q43)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15630; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 28 ActiveX clsid access"; flow:to_client,established; file_data; content:"A2E3074E-6C3D-11D3-B653-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A2E3074E-6C3D-11D3-B653-00C04F79498E\s*}?\s*(?P=q41)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15628; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 27 ActiveX clsid access"; flow:to_client,established; file_data; content:"A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980\s*}?\s*(?P=q39)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15626; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 26 ActiveX clsid access"; flow:to_client,established; file_data; content:"9E77AAC4-35E5-42A1-BDC2-8F3FF399847C"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9E77AAC4-35E5-42A1-BDC2-8F3FF399847C\s*}?\s*(?P=q37)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15624; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 25 ActiveX clsid access"; flow:to_client,established; file_data; content:"9CD64701-BDF3-4D14-8E03-F12983D86664"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9CD64701-BDF3-4D14-8E03-F12983D86664\s*}?\s*(?P=q35)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15622; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 24 ActiveX clsid access"; flow:to_client,established; file_data; content:"8A674B4D-1F63-11D3-B64C-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8A674B4D-1F63-11D3-B64C-00C04F79498E\s*}?\s*(?P=q33)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15620; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 23 ActiveX clsid access"; flow:to_client,established; file_data; content:"8A674B4C-1F63-11D3-B64C-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8A674B4C-1F63-11D3-B64C-00C04F79498E\s*}?\s*(?P=q31)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15618; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 22 ActiveX clsid access"; flow:to_client,established; file_data; content:"8872FF1B-98FA-4D7A-8D93-C9F1055F85BB"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8872FF1B-98FA-4D7A-8D93-C9F1055F85BB\s*}?\s*(?P=q29)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15616; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 21 ActiveX clsid access"; flow:to_client,established; file_data; content:"823535A0-0318-11D3-9D8E-00C04F72D980"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*823535A0-0318-11D3-9D8E-00C04F72D980\s*}?\s*(?P=q27)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15614; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 20 ActiveX clsid access"; flow:to_client,established; file_data; content:"7F9CB14D-48E4-43B6-9346-1AEBC39C64D3"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7F9CB14D-48E4-43B6-9346-1AEBC39C64D3\s*}?\s*(?P=q25)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15612; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"0149EEDF-D08F-4142-8D73-D23903D21E90"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0149EEDF-D08F-4142-8D73-D23903D21E90\s*}?\s*(?P=q23)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15610; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 19 ActiveX clsid access"; flow:to_client,established; file_data; content:"59DC47A8-116C-11D3-9D8E-00C04F72D980"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*59DC47A8-116C-11D3-9D8E-00C04F72D980\s*}?\s*(?P=q21)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15608; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 18 ActiveX clsid access"; flow:to_client,established; file_data; content:"577FAA18-4518-445E-8F70-1473F8CF4BA4"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*577FAA18-4518-445E-8F70-1473F8CF4BA4\s*}?\s*(?P=q19)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15606; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 17 ActiveX clsid access"; flow:to_client,established; file_data; content:"4A5869CF-929D-4040-AE03-FCAFC5B9CD42"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4A5869CF-929D-4040-AE03-FCAFC5B9CD42\s*}?\s*(?P=q17)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15604; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 16 ActiveX clsid access"; flow:to_client,established; file_data; content:"418008F3-CF67-4668-9628-10DC52BE1D08"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*418008F3-CF67-4668-9628-10DC52BE1D08\s*}?\s*(?P=q15)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15602; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 15 ActiveX clsid access"; flow:to_client,established; file_data; content:"37B03544-A4C8-11D2-B634-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*37B03544-A4C8-11D2-B634-00C04F79498E\s*}?\s*(?P=q13)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15600; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 14 ActiveX clsid access"; flow:to_client,established; file_data; content:"37B03543-A4C8-11D2-B634-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*37B03543-A4C8-11D2-B634-00C04F79498E\s*}?\s*(?P=q11)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15598; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 13 ActiveX clsid access"; flow:to_client,established; file_data; content:"37B0353C-A4C8-11D2-B634-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*37B0353C-A4C8-11D2-B634-00C04F79498E\s*}?\s*(?P=q9)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15596; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 12 ActiveX clsid access"; flow:to_client,established; file_data; content:"334125C0-77E5-11D3-B653-00C04F79498E"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*334125C0-77E5-11D3-B653-00C04F79498E\s*}?\s*(?P=q7)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15594; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 11 ActiveX clsid access"; flow:to_client,established; file_data; content:"2C63E4EB-4CEA-41B8-919C-E947EA19A77C"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2C63E4EB-4CEA-41B8-919C-E947EA19A77C\s*}?\s*(?P=q5)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15592; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 10 ActiveX clsid access"; flow:to_client,established; file_data; content:"1DF7D126-4050-47F0-A7CF-4C4CA9241333"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1DF7D126-4050-47F0-A7CF-4C4CA9241333\s*}?\s*(?P=q3)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15590; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"011B3619-FE63-4814-8A84-15A194CE9CE3"; fast_pattern:only; pcre:"/classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*011B3619-FE63-4814-8A84-15A194CE9CE3\s*}?\s*(?P=q1)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15588; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SAP AG SAPgui EnjoySAP ActiveX clsid access"; flow:to_client,established; file_data; content:"F6908F83-ADA6-11D0-87AA-00AA00198702"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F6908F83-ADA6-11D0-87AA-00AA00198702\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Accept)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F6908F83-ADA6-11D0-87AA-00AA00198702\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Accept))\s*\(/siO"; metadata:service http; reference:bugtraq,35256; classtype:attempted-user; sid:15557; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS eBay Picture Uploads control 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"C3EB1670-84E0-4EDA-B570-0B51AAE81679"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C3EB1670-84E0-4EDA-B570-0B51AAE81679\s*}?\s*(?P=q9)(\s|>)/siO"; metadata:service http; reference:url,support.microsoft.com/kb/969898; classtype:attempted-user; sid:15551; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS eBay Picture Uploads control 1 ActiveX function call access"; flow:to_client,established; file_data; content:"EPUWalControl.EPUImageControl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22EPUWalControl\.EPUImageControl(\.\d)?\x22|\x27EPUWalControl\.EPUImageControl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EPUWalControl\.EPUImageControl(\.\d)?\x22|\x27EPUWalControl\.EPUImageControl(\.\d)?\x27)\s*\)/smiO"; metadata:service http; reference:url,support.microsoft.com/kb/969898; classtype:attempted-user; sid:15549; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS eBay Picture Uploads control 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"4C39376E-FA9D-4349-BACC-D305C1750EF3"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4C39376E-FA9D-4349-BACC-D305C1750EF3\s*}?\s*(?P=q5)(\s|>)/siO"; metadata:service http; reference:url,support.microsoft.com/kb/969898; classtype:attempted-user; sid:15547; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Communications Control v6 ActiveX function call access"; flow:to_client,established; file_data; content:"MSCOMMLib.MSComm"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MSCOMMLib\.MSComm(\.\d)?\x22|\x27MSCOMMLib\.MSComm(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSCOMMLib\.MSComm(\.\d)?\x22|\x27MSCOMMLib\.MSComm(\.\d)?\x27)\s*\)/smiO"; metadata:service http; reference:url,support.microsoft.com/kb/969898; classtype:attempted-user; sid:15545; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Communications Control v6 ActiveX clsid access"; flow:to_client,established; file_data; content:"648A5600-2C6E-101B-82B6-000000000014"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*648A5600-2C6E-101B-82B6-000000000014\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:service http; reference:url,support.microsoft.com/kb/969898; classtype:attempted-user; sid:15543; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Virtual Rooms v7 ActiveX clsid access"; flow:to_client,established; file_data; content:"00000032-9593-4264-8B29-930B3E4EDCCD"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00000032-9593-4264-8B29-930B3E4EDCCD\s*}?\s*(?P=q16)(\s|>)/siO"; metadata:service http; reference:bugtraq,33918; reference:cve,2009-0208; classtype:attempted-user; sid:15380; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Sopcast SopCore ActiveX function call access"; flow:to_client,established; file_data; content:"SOPCORE.SopCoreCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SOPCORE\.SopCoreCtrl(\.\d)?\x22|\x27SOPCORE\.SopCoreCtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetExternalPlayer\s*|.*(?P=v)\s*\.\s*SetExternalPlayer\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SOPCORE\.SopCoreCtrl(\.\d)?\x22|\x27SOPCORE\.SopCoreCtrl(\.\d)?\x27)\s*\)(\s*\.\s*SetExternalPlayer\s*|.*(?P=n)\s*\.\s*SetExternalPlayer\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,33920; reference:cve,2009-0811; classtype:attempted-user; sid:15378; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Sopcast SopCore ActiveX clsid access"; flow:to_client,established; file_data; content:"8FEFF364-6A5F-4966-A917-A3AC28411659"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8FEFF364-6A5F-4966-A917-A3AC28411659\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(SetExternalPlayer)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8FEFF364-6A5F-4966-A917-A3AC28411659\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(SetExternalPlayer))\s*\(/siO"; metadata:service http; reference:bugtraq,33920; reference:cve,2009-0811; classtype:attempted-user; sid:15376; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS iDefense COMRaider ActiveX function call access"; flow:to_client,established; file_data; content:"vbDevKit.CVariantFileSystem"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vbDevKit\.CVariantFileSystem(\.\d)?\x22|\x27vbDevKit\.CVariantFileSystem(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DeleteFile\s*|.*(?P=v)\s*\.\s*DeleteFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vbDevKit\.CVariantFileSystem(\.\d)?\x22|\x27vbDevKit\.CVariantFileSystem(\.\d)?\x27)\s*\)(\s*\.\s*DeleteFile\s*|.*(?P=n)\s*\.\s*DeleteFile\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,33867; classtype:attempted-user; sid:15374; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS iDefense COMRaider ActiveX clsid access"; flow:to_client,established; file_data; content:"9A077D0D-B4A6-4EC0-B6CF-98526DF589E4"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9A077D0D-B4A6-4EC0-B6CF-98526DF589E4\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(DeleteFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9A077D0D-B4A6-4EC0-B6CF-98526DF589E4\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(DeleteFile))\s*\(/siO"; metadata:service http; reference:bugtraq,33867; classtype:attempted-user; sid:15372; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS FathFTP ActiveX function call access"; flow:to_client,established; file_data; content:"FathFTP.FathFTPCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22FathFTP\.FathFTPCtrl(\.\d)?\x22|\x27FathFTP\.FathFTPCtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DeleteFile\s*|.*(?P=v)\s*\.\s*DeleteFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22FathFTP\.FathFTPCtrl(\.\d)?\x22|\x27FathFTP\.FathFTPCtrl(\.\d)?\x27)\s*\)(\s*\.\s*DeleteFile\s*|.*(?P=n)\s*\.\s*DeleteFile\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,33842; classtype:attempted-user; sid:15370; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS FathFTP ActiveX clsid access"; flow:to_client,established; file_data; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteFile))\s*\(/siO"; metadata:service http; reference:bugtraq,33842; classtype:attempted-user; sid:15368; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Web on Windows ActiveX function call access"; flow:to_client,established; file_data; content:"All_In_The_Box.AllBox"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22All_In_The_Box\.AllBox(\.\d)?\x22|\x27All_In_The_Box\.AllBox(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(WriteIniFileString|ShellExecute)\s*|.*(?P=v)\s*\.\s*(WriteIniFileString|ShellExecute)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22All_In_The_Box\.AllBox(\.\d)?\x22|\x27All_In_The_Box\.AllBox(\.\d)?\x27)\s*\)(\s*\.\s*(WriteIniFileString|ShellExecute)\s*|.*(?P=n)\s*\.\s*(WriteIniFileString|ShellExecute)\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,33515; reference:cve,2009-0389; classtype:attempted-user; sid:15352; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Web on Windows ActiveX clsid access"; flow:to_client,established; file_data; content:"441E9D47-9F52-11D6-9672-0080C88B3613"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*441E9D47-9F52-11D6-9672-0080C88B3613\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(WriteIniFileString|ShellExecute)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*441E9D47-9F52-11D6-9672-0080C88B3613\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m14)(\s|>).*(?P=id2)\.(WriteIniFileString|ShellExecute))\s*\(/siO"; metadata:service http; reference:bugtraq,33515; reference:cve,2009-0389; classtype:attempted-user; sid:15350; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Synactis ALL In-The-Box ActiveX function call access"; flow:to_client,established; file_data; content:"All_In_The_Box.AllBox"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22All_In_The_Box\.AllBox(\.\d)?\x22|\x27All_In_The_Box\.AllBox(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveDoc\s*|.*(?P=v)\s*\.\s*SaveDoc\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22All_In_The_Box\.AllBox(\.\d)?\x22|\x27All_In_The_Box\.AllBox(\.\d)?\x27)\s*\)(\s*\.\s*SaveDoc\s*|.*(?P=n)\s*\.\s*SaveDoc\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,33535; reference:cve,2009-0465; classtype:attempted-user; sid:15348; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Synactis ALL In-The-Box ActiveX clsid access"; flow:to_client,established; file_data; content:"B5576893-F948-4E0F-9BE1-A37CB56D66FF"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B5576893-F948-4E0F-9BE1-A37CB56D66FF\s*}?\s*(?P=q22)(\s|>).*(?P=id1)\s*\.\s*(SaveDoc)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B5576893-F948-4E0F-9BE1-A37CB56D66FF\s*}?\s*(?P=q23)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m12)(\s|>).*(?P=id2)\.(SaveDoc))\s*\(/siO"; metadata:service http; reference:bugtraq,33535; reference:cve,2009-0465; classtype:attempted-user; sid:15346; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GeoVision LiveX 8200 ActiveX function call access"; flow:to_client,established; file_data; content:"LiveX_v8200"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LiveX_v8200(\.\d)?\x22|\x27LiveX_v8200(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=v)\s*\.\s*SnapShotToFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LiveX_v8200(\.\d)?\x22|\x27LiveX_v8200(\.\d)?\x27)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=n)\s*\.\s*SnapShotToFile\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15344; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GeoVision LiveX 8200 ActiveX clsid access"; flow:to_client,established; file_data; content:"8D58D690-6B71-4EE8-85AD-006DB0287BF1"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8D58D690-6B71-4EE8-85AD-006DB0287BF1\s*}?\s*(?P=q17)(\s|>).*(?P=id1)\s*\.\s*(SnapShotToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8D58D690-6B71-4EE8-85AD-006DB0287BF1\s*}?\s*(?P=q18)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m10)(\s|>).*(?P=id2)\.(SnapShotToFile))\s*\(/siO"; metadata:service http; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15342; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GeoVision LiveX 8120 ActiveX function call access"; flow:to_client,established; file_data; content:"LiveX_v8120"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LiveX_v8120(\.\d)?\x22|\x27LiveX_v8120(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=v)\s*\.\s*SnapShotToFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LiveX_v8120(\.\d)?\x22|\x27LiveX_v8120(\.\d)?\x27)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=n)\s*\.\s*SnapShotToFile\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15340; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GeoVision LiveX 8120 ActiveX clsid access"; flow:to_client,established; file_data; content:"F4421170-DB22-4551-BBFB-FFCFFB419F6F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4421170-DB22-4551-BBFB-FFCFFB419F6F\s*}?\s*(?P=q12)(\s|>).*(?P=id1)\s*\.\s*(SnapShotToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4421170-DB22-4551-BBFB-FFCFFB419F6F\s*}?\s*(?P=q13)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\.(SnapShotToFile))\s*\(/siO"; metadata:service http; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15338; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GeoVision LiveX 7000 ActiveX function call access"; flow:to_client,established; file_data; content:"LiveX_v7000"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LiveX_v7000(\.\d)?\x22|\x27LiveX_v7000(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=v)\s*\.\s*SnapShotToFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LiveX_v7000(\.\d)?\x22|\x27LiveX_v7000(\.\d)?\x27)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=n)\s*\.\s*SnapShotToFile\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15336; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GeoVision LiveX 7000 ActiveX clsid access"; flow:to_client,established; file_data; content:"DA8484DE-52DB-4860-A986-61A8682E298A"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DA8484DE-52DB-4860-A986-61A8682E298A\s*}?\s*(?P=q7)(\s|>).*(?P=id1)\s*\.\s*(SnapShotToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DA8484DE-52DB-4860-A986-61A8682E298A\s*}?\s*(?P=q8)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(SnapShotToFile))\s*\(/siO"; metadata:service http; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15334; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Nokia Phoenix Service 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"929A0D77-044A-497F-8FDF-8EDE81F6251A"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*929A0D77-044A-497F-8FDF-8EDE81F6251A\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(SelectDevice)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*929A0D77-044A-497F-8FDF-8EDE81F6251A\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(SelectDevice))\s*\(/siO"; metadata:service http; reference:bugtraq,33726; classtype:attempted-user; sid:15332; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Nokia Phoenix Service 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"F85B4A10-B530-4D68-A714-7415838FD174"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F85B4A10-B530-4D68-A714-7415838FD174\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SelectDevice)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F85B4A10-B530-4D68-A714-7415838FD174\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SelectDevice))\s*\(/siO"; metadata:service http; reference:bugtraq,33726; classtype:attempted-user; sid:15330; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Akamai DownloadManager ActiveX function call access"; flow:to_client,established; file_data; content:"MANAGER.DLMCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MANAGER\.DLMCtrl(\.\d)?\x22|\x27MANAGER\.DLMCtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MANAGER\.DLMCtrl(\.\d)?\x22|\x27MANAGER\.DLMCtrl(\.\d)?\x27)\s*\)/smiO"; metadata:service http; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15317; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Akamai DownloadManager ActiveX clsid access"; flow:to_client,established; file_data; content:"FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1\s*}?\s*(?P=q9)(\s|>)/siO"; metadata:service http; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15315; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Research In Motion AxLoader ActiveX function call access"; flow:to_client,established; file_data; content:"RIM.AxLoader"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22RIM\.AxLoader(\.\d)?\x22|\x27RIM\.AxLoader(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RIM\.AxLoader(\.\d)?\x22|\x27RIM\.AxLoader(\.\d)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33663; reference:cve,2009-0305; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15313; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Animation Control ActiveX function call access"; flow:to_client,established; file_data; content:"ComCtl2.Animation"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ComCtl2\.Animation(\.\d)?\x22|\x27ComCtl2\.Animation(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ComCtl2\.Animation(\.\d)?\x22|\x27ComCtl2\.Animation(\.\d)?\x27)\s*\)/smiO"; metadata:service http; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15309; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Animation Control ActiveX clsid access"; flow:to_client,established; file_data; content:"1E216240-1B7D-11CF-9D53-00AA003C9CB6"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1E216240-1B7D-11CF-9D53-00AA003C9CB6\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:service http; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15307; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NCTAudioInformation2 ActiveX function call access"; flow:to_client,established; file_data; content:"NCTAudioInformation2.AudioInformation2"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22NCTAudioInformation2\.AudioInformation2(\.\d)?\x22|\x27NCTAudioInformation2\.AudioInformation2(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(GetAudioInformation|SetAudioInformation)\s*|.*(?P=v)\s*\.\s*(GetAudioInformation|SetAudioInformation)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCTAudioInformation2\.AudioInformation2(\.\d)?\x22|\x27NCTAudioInformation2\.AudioInformation2(\.\d)?\x27)\s*\)(\s*\.\s*(GetAudioInformation|SetAudioInformation)\s*|.*(?P=n)\s*\.\s*(GetAudioInformation|SetAudioInformation)\s*)\s*\(/smiO"; metadata:service http; reference:cve,2008-0959; reference:url,www.kb.cert.org/vuls/id/669265; classtype:attempted-user; sid:15290; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NCTAudioInformation2 ActiveX clsid access"; flow:to_client,established; file_data; content:"AAFA1E73-4842-4BEC-BC46-48C62E1C5C9C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m17)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AAFA1E73-4842-4BEC-BC46-48C62E1C5C9C\s*}?\s*(?P=q37)(\s|>).*(?P=id1)\s*\.\s*(GetAudioInformation|SetAudioInformation)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AAFA1E73-4842-4BEC-BC46-48C62E1C5C9C\s*}?\s*(?P=q38)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m18)(\s|>).*(?P=id2)\.(GetAudioInformation|SetAudioInformation))\s*\(/siO"; metadata:service http; reference:cve,2008-0959; reference:url,www.kb.cert.org/vuls/id/669265; classtype:attempted-user; sid:15288; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NCTAudioGrabber2 ActiveX function call access"; flow:to_client,established; file_data; content:"NCTAudioGrabber2.AudioGrabber2"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22NCTAudioGrabber2\.AudioGrabber2(\.\d)?\x22|\x27NCTAudioGrabber2\.AudioGrabber2(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript)\s*|.*(?P=v)\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCTAudioGrabber2\.AudioGrabber2(\.\d)?\x22|\x27NCTAudioGrabber2\.AudioGrabber2(\.\d)?\x27)\s*\)(\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript)\s*|.*(?P=n)\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript))\s*=/smiO"; metadata:service http; reference:cve,2008-0958; reference:url,www.kb.cert.org/vuls/id/656593; classtype:attempted-user; sid:15286; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NCTAudioGrabber2 ActiveX clsid access"; flow:to_client,established; file_data; content:"34A261F9-FC34-47F8-A35C-75FB73BB1358"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m15)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*34A261F9-FC34-47F8-A35C-75FB73BB1358\s*}?\s*(?P=q32)(\s|>).*(?P=id1)\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*34A261F9-FC34-47F8-A35C-75FB73BB1358\s*}?\s*(?P=q33)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m16)(\s|>).*(?P=id2)\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript))\s*=/siO"; metadata:service http; reference:cve,2008-0958; reference:url,www.kb.cert.org/vuls/id/656593; classtype:attempted-user; sid:15284; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS FlexCell Grid ActiveX clsid access"; flow:to_client,established; file_data; content:"2A7D9CCE-211A-4654-9449-718F71ED9644"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2A7D9CCE-211A-4654-9449-718F71ED9644\s*}?\s*(?P=q24)(\s|>).*(?P=id1)\s*\.\s*(SaveFile|ExportToXML)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2A7D9CCE-211A-4654-9449-718F71ED9644\s*}?\s*(?P=q25)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m12)(\s|>).*(?P=id2)\.(SaveFile|ExportToXML))\s*\(/siO"; metadata:service http; reference:bugtraq,33453; reference:cve,2009-0301; classtype:attempted-user; sid:15282; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies Aztec ActiveX function call access"; flow:to_client,established; file_data; content:"AZTEC.MW6Aztec"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22AZTEC\.MW6Aztec(\.\d)?\x22|\x27AZTEC\.MW6Aztec(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=v)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AZTEC\.MW6Aztec(\.\d)?\x22|\x27AZTEC\.MW6Aztec(\.\d)?\x27)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=n)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)\s*\(/smiO"; metadata:service http; reference:cve,2008-4923; classtype:attempted-user; sid:15280; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access"; flow:to_client,established; file_data; content:"F359732D-D020-40ED-83FF-F381EFE36B54"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F359732D-D020-40ED-83FF-F381EFE36B54\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(SaveAsWMF|SaveAsBMP)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F359732D-D020-40ED-83FF-F381EFE36B54\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\.(SaveAsWMF|SaveAsBMP))\s*\(/siO"; metadata:service http; reference:cve,2008-4923; classtype:attempted-user; sid:15278; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies DataMatrix ActiveX function call access"; flow:to_client,established; file_data; content:"DATAMATRIX.MW6DataMatrix"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DATAMATRIX\.MW6DataMatrix(\.\d)?\x22|\x27DATAMATRIX\.MW6DataMatrix(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=v)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DATAMATRIX\.MW6DataMatrix(\.\d)?\x22|\x27DATAMATRIX\.MW6DataMatrix(\.\d)?\x27)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=n)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)\s*\(/smiO"; metadata:service http; reference:cve,2008-4925; classtype:attempted-user; sid:15276; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies DataMatrix ActiveX clsid access"; flow:to_client,established; file_data; content:"DE7DA0B5-7D7B-4CEA-8739-65CF600D511E"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DE7DA0B5-7D7B-4CEA-8739-65CF600D511E\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(SaveAsWMF|SaveAsBMP)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DE7DA0B5-7D7B-4CEA-8739-65CF600D511E\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(SaveAsWMF|SaveAsBMP))\s*\(/siO"; metadata:service http; reference:cve,2008-4925; classtype:attempted-user; sid:15274; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies PDF417 ActiveX function call access"; flow:to_client,established; file_data; content:"MW6PDF417.PDF417"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MW6PDF417\.PDF417(\.\d)?\x22|\x27MW6PDF417\.PDF417(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=v)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MW6PDF417\.PDF417(\.\d)?\x22|\x27MW6PDF417\.PDF417(\.\d)?\x27)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=n)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)\s*\(/smiO"; metadata:service http; reference:cve,2008-4926; classtype:attempted-user; sid:15272; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies PDF417 ActiveX clsid access"; flow:to_client,established; file_data; content:"90D2A875-5024-4CCD-80AA-C8A353DB2B45"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*90D2A875-5024-4CCD-80AA-C8A353DB2B45\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SaveAsWMF|SaveAsBMP)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*90D2A875-5024-4CCD-80AA-C8A353DB2B45\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveAsWMF|SaveAsBMP))\s*\(/siO"; metadata:service http; reference:cve,2008-4926; classtype:attempted-user; sid:15270; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies Barcode ActiveX function call access"; flow:to_client,established; file_data; content:"Barcode.MW6Barcode"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Barcode\.MW6Barcode(\.\d)?\x22|\x27Barcode\.MW6Barcode(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Supplement|SaveAsBMP|SaveAsWMF)\s*|.*(?P=v)\s*\.\s*(Supplement|SaveAsBMP|SaveAsWMF)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Barcode\.MW6Barcode(\.\d)?\x22|\x27Barcode\.MW6Barcode(\.\d)?\x27)\s*\)(\s*\.\s*(Supplement|SaveAsBMP|SaveAsWMF)\s*|.*(?P=n)\s*\.\s*(Supplement|SaveAsBMP|SaveAsWMF))\s*=/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33451; reference:cve,2008-4924; reference:cve,2009-0298; classtype:attempted-user; sid:15268; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MetaProducts MetaTreeX ActiveX function call access"; flow:to_client,established; file_data; content:"SaveToBMP.MetaTreeX"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SaveToBMP\.MetaTreeX(\.\d)?\x22|\x27SaveToBMP\.MetaTreeX(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveToBMP\s*|.*(?P=v)\s*\.\s*SaveToBMP\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SaveToBMP\.MetaTreeX(\.\d)?\x22|\x27SaveToBMP\.MetaTreeX(\.\d)?\x27)\s*\)(\s*\.\s*SaveToBMP\s*|.*(?P=n)\s*\.\s*SaveToBMP\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,33318; classtype:attempted-user; sid:15253; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MetaProducts MetaTreeX ActiveX clsid access"; flow:to_client,established; file_data; content:"67E66985-F81A-11D6-BC0F-F7B40157DC26"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67E66985-F81A-11D6-BC0F-F7B40157DC26\s*}?\s*(?P=q12)(\s|>).*(?P=id1)\s*\.\s*(SaveToBMP)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67E66985-F81A-11D6-BC0F-F7B40157DC26\s*}?\s*(?P=q13)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\.(SaveToBMP))\s*\(/siO"; metadata:service http; reference:bugtraq,33318; classtype:attempted-user; sid:15251; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SmartVMD ActiveX clsid access"; flow:to_client,established; file_data; content:"E3462D53-47A6-11D8-8EF6-DAE89272743C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E3462D53-47A6-11D8-8EF6-DAE89272743C\s*}?\s*(?P=q9)(\s|>).*(?P=id1)\s*\.\s*(SaveMaskToFile|StartVideoSaving)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E3462D53-47A6-11D8-8EF6-DAE89272743C\s*}?\s*(?P=q10)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(SaveMaskToFile|StartVideoSaving))\s*\(/siO"; metadata:service http; reference:bugtraq,33348; reference:bugtraq,33349; classtype:attempted-user; sid:15249; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS JamDTA ActiveX clsid access"; flow:to_client,established; file_data; content:"0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/siO"; metadata:service http; reference:bugtraq,33345; classtype:attempted-user; sid:15247; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AXIS Camera ActiveX function call access"; flow:to_client,established; file_data; content:"CamImage.CamImage"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22CamImage\.CamImage(\.\d)?\x22|\x27CamImage\.CamImage(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*image_pan_tilt\s*|.*(?P=v)\s*\.\s*image_pan_tilt\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CamImage\.CamImage(\.\d)?\x22|\x27CamImage\.CamImage(\.\d)?\x27)\s*\)(\s*\.\s*image_pan_tilt\s*|.*(?P=n)\s*\.\s*image_pan_tilt)\s*=/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33408; reference:cve,2008-5260; classtype:attempted-user; sid:15245; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Easy Grid ActiveX function call access"; flow:to_client,established; file_data; content:"EasyGrid.SGCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22EasyGrid\.SGCtrl(\.\d)?\x22|\x27EasyGrid\.SGCtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoSaveHTMLFile|DoSaveFile)\s*|.*(?P=v)\s*\.\s*(DoSaveHTMLFile|DoSaveFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EasyGrid\.SGCtrl(\.\d)?\x22|\x27EasyGrid\.SGCtrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoSaveHTMLFile|DoSaveFile)\s*|.*(?P=n)\s*\.\s*(DoSaveHTMLFile|DoSaveFile)\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,33272; reference:cve,2009-0134; classtype:attempted-user; sid:15234; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Easy Grid ActiveX clsid access"; flow:to_client,established; file_data; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DD44C0EA-B2CF-31D1-8DD3-444553540000\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(DoSaveHTMLFile|DoSaveFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DD44C0EA-B2CF-31D1-8DD3-444553540000\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m14)(\s|>).*(?P=id2)\.(DoSaveHTMLFile|DoSaveFile))\s*\(/siO"; metadata:service http; reference:bugtraq,33272; reference:cve,2009-0134; classtype:attempted-user; sid:15232; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ciansoft PDFBuilderX ActiveX clsid access"; flow:to_client,established; file_data; content:"00E7C7F8-71E2-498A-AB28-A3D72FC74485"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00E7C7F8-71E2-498A-AB28-A3D72FC74485\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00E7C7F8-71E2-498A-AB28-A3D72FC74485\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/siO"; metadata:service http; reference:bugtraq,33233; classtype:attempted-user; sid:15228; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SizerOne ActiveX function call access"; flow:to_client,established; file_data; content:"TabOne.TabOne"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22TabOne\.TabOne(\.\d)?\x22|\x27TabOne\.TabOne(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddTab\s*|.*(?P=v)\s*\.\s*AddTab\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TabOne\.TabOne(\.\d)?\x22|\x27TabOne\.TabOne(\.\d)?\x27)\s*\)(\s*\.\s*AddTab\s*|.*(?P=n)\s*\.\s*AddTab\s*)\s*\(/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33148; reference:cve,2008-4827; classtype:attempted-user; sid:15194; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SaschArt SasCam Webcam Server ActiveX clsid access"; flow:to_client,established; file_data; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0297D24A-F425-47EE-9F3B-A459BCE593E3\s*}?\s*(?P=q10)(\s|>).*(?P=id1)\s*\.\s*(Get)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0297D24A-F425-47EE-9F3B-A459BCE593E3\s*}?\s*(?P=q11)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(Get))\s*\(/siO"; metadata:service http; reference:bugtraq,33053; reference:cve,2008-6898; classtype:attempted-user; sid:15181; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Trend Micro HouseCall ActiveX function call access"; flow:to_client,established; file_data; content:"XSCAN.XscanCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22XSCAN\.XscanCtrl(\.\d)?\x22|\x27XSCAN\.XscanCtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*notifyOnLoadNative\s*|.*(?P=v)\s*\.\s*notifyOnLoadNative\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22XSCAN\.XscanCtrl(\.\d)?\x22|\x27XSCAN\.XscanCtrl(\.\d)?\x27)\s*\)(\s*\.\s*notifyOnLoadNative\s*|.*(?P=n)\s*\.\s*notifyOnLoadNative\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,32950; reference:bugtraq,32965; reference:cve,2008-2434; reference:cve,2008-2435; classtype:attempted-user; sid:15179; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Trend Micro HouseCall ActiveX clsid access"; flow:to_client,established; file_data; content:"74D05D43-3236-11D4-BDCD-00C04F9A3B61"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74D05D43-3236-11D4-BDCD-00C04F9A3B61\s*}?\s*(?P=q5)(\s|>).*(?P=id1)\s*\.\s*(notifyOnLoadNative)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74D05D43-3236-11D4-BDCD-00C04F9A3B61\s*}?\s*(?P=q6)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(notifyOnLoadNative))\s*\(/siO"; metadata:service http; reference:bugtraq,32950; reference:bugtraq,32965; reference:cve,2008-2434; reference:cve,2008-2435; classtype:attempted-user; sid:15177; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Phoenician Casino ActiveX function call access"; flow:to_client,established; file_data; content:"FlashAX.FlashXControl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22FlashAX\.FlashXControl(\.\d)?\x22|\x27FlashAX\.FlashXControl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22FlashAX\.FlashXControl(\.\d)?\x22|\x27FlashAX\.FlashXControl(\.\d)?\x27)\s*\)/smiO"; metadata:service http; reference:bugtraq,32901; reference:cve,2008-5691; classtype:attempted-user; sid:15175; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Phoenician Casino ActiveX clsid access"; flow:to_client,established; file_data; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D8089245-3211-40F6-819B-9E5E92CD61A2\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:service http; reference:bugtraq,32901; reference:cve,2008-5691; classtype:attempted-user; sid:15173; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Evans FTP ActiveX function call access"; flow:to_client,established; file_data; content:"EvansFTP.eFtpEz"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22EvansFTP\.eFtpEz(\.\d)?\x22|\x27EvansFTP\.eFtpEz(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory)\s*|.*(?P=v)\s*\.\s*(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EvansFTP\.eFtpEz(\.\d)?\x22|\x27EvansFTP\.eFtpEz(\.\d)?\x27)\s*\)(\s*\.\s*(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory)\s*|.*(?P=n)\s*\.\s*(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory)\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,32814; classtype:attempted-user; sid:15161; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Evans FTP ActiveX clsid access"; flow:to_client,established; file_data; content:"7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory))\s*\(/siO"; metadata:service http; reference:bugtraq,32814; classtype:attempted-user; sid:15159; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Shell.Explorer 2 ActiveX function call access"; flow:to_client,established; file_data; content:"Shell.Explorer"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Shell\.Explorer(\.\d)?\x22|\x27Shell\.Explorer(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Navigate|Navigate2)\s*|.*(?P=v)\s*\.\s*(Navigate|Navigate2)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Shell\.Explorer(\.\d)?\x22|\x27Shell\.Explorer(\.\d)?\x27)\s*\)(\s*\.\s*(Navigate|Navigate2)\s*|.*(?P=n)\s*\.\s*(Navigate|Navigate2)\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,11466; reference:cve,2005-0053; reference:cve,2008-4258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-073; classtype:attempted-user; sid:15112; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Shell.Explorer 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Navigate|Navigate2)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Navigate|Navigate2))/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-073; classtype:attempted-user; sid:15109; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSHierarchicalFlexGridLib.MSHFlexGrid"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15102; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"6262D3A0-531B-11CF-91F6-C2863C385E30"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(FormatString)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(FormatString))\s*=/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15096; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic DataGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSDataGridLib.DataGrid"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22MSDataGridLib\.DataGrid(\.\d)?\x22|\x27MSDataGridLib\.DataGrid(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Text\s*|.*(?P=v)\s*\.\s*Text\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSDataGridLib\.DataGrid(\.\d)?\x22|\x27MSDataGridLib\.DataGrid(\.\d)?\x27)\s*\)(\s*\.\s*Text\s*|.*(?P=n)\s*\.\s*Text)\s*=/smiO"; metadata:service http; reference:cve,2008-4252; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15094; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic DataGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"CDE57A43-8B86-11D0-B3C6-00A0C90AEA82"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CDE57A43-8B86-11D0-B3C6-00A0C90AEA82\s*}?\s*(?P=q32)(\s|>).*(?P=id1)\s*\.\s*(Text)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CDE57A43-8B86-11D0-B3C6-00A0C90AEA82\s*}?\s*(?P=q33)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\s*\.\s*(Text))\s*=/siO"; metadata:service http; reference:cve,2008-4252; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15092; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access"; flow:to_client,established; file_data; content:"ActiveXObject|28 22|MSChart20Lib.MSChart.2|22 29 3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2008-4256; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15090; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX clsid access"; flow:to_client,established; file_data; content:"3A2B370C-BA0A-11D1-B137-0000F8753F5D"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3A2B370C-BA0A-11D1-B137-0000F8753F5D\s*}?\s*(?P=q42)(\s|>).*(?P=id1)\s*\.\s*(DoSetCursor)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3A2B370C-BA0A-11D1-B137-0000F8753F5D\s*}?\s*(?P=q43)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m12)(\s|>).*(?P=id2)\s*\.\s*(DoSetCursor))\s*=/siO"; metadata:service http; reference:cve,2008-4256; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15088; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX function call access"; flow:to_client,established; file_data; content:"mscomctl2.animation"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Open\s*|.*(?P=v)\s*\.\s*Open\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\)(\s*\.\s*Open\s*|.*(?P=n)\s*\.\s*Open\s*)\s*\(/smiO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15086; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q37)(\s|>).*(?P=id1)\s*\.\s*(Open)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q38)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m10)(\s|>).*(?P=id2)\.(Open))\s*\(/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15084; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SAP AG SAPgui mdrmsap ActiveX clsid access"; flow:to_client,established; file_data; content:"B01952B0-AF66-11D1-B10D-0060086F6D97"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B01952B0-AF66-11D1-B10D-0060086F6D97\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:service http; reference:bugtraq,32186; reference:cve,2008-4387; classtype:attempted-user; sid:15069; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NOS Microsystems / Adobe getPlus Download Manager ActiveX clsid access"; flow:to_client,established; file_data; content:"CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:service http; reference:bugtraq,32105; reference:cve,2008-4817; classtype:attempted-user; sid:15007; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX function call access"; flow:to_client,established; file_data; content:"ChilkatCrypt2.ChilkatCrypt2"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ChilkatCrypt2\.ChilkatCrypt2(\.\d)?\x22|\x27ChilkatCrypt2\.ChilkatCrypt2(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*WriteFile\s*|.*(?P=v)\s*\.\s*WriteFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ChilkatCrypt2\.ChilkatCrypt2(\.\d)?\x22|\x27ChilkatCrypt2\.ChilkatCrypt2(\.\d)?\x27)\s*\)(\s*\.\s*WriteFile\s*|.*(?P=n)\s*\.\s*WriteFile\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:15005; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"3352B5B9-82E8-4FFD-9EB1-1A3E60056904"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3352B5B9-82E8-4FFD-9EB1-1A3E60056904\s*}?\s*(?P=q14)(\s|>).*(?P=id1)\s*\.\s*(WriteFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3352B5B9-82E8-4FFD-9EB1-1A3E60056904\s*}?\s*(?P=q15)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\.(WriteFile))\s*\(/siO"; metadata:service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:15003; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Debug Diagnostic Tool ActiveX function call access"; flow:to_client,established; file_data; content:"CrashHangExt.Utils"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22CrashHangExt\.Utils(\.\d)?\x22|\x27CrashHangExt\.Utils(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetEntryPointForThread\s*|.*(?P=v)\s*\.\s*GetEntryPointForThread\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CrashHangExt\.Utils(\.\d)?\x22|\x27CrashHangExt\.Utils(\.\d)?\x27)\s*\)(\s*\.\s*GetEntryPointForThread\s*|.*(?P=n)\s*\.\s*GetEntryPointForThread\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,31996; reference:cve,2008-4800; classtype:attempted-user; sid:15001; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Debug Diagnostic Tool ActiveX clsid access"; flow:to_client,established; file_data; content:"7233D6F8-AD31-440F-BAF0-9E7A292A53DA"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7233D6F8-AD31-440F-BAF0-9E7A292A53DA\s*}?\s*(?P=q9)(\s|>).*(?P=id1)\s*\.\s*(GetEntryPointForThread)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7233D6F8-AD31-440F-BAF0-9E7A292A53DA\s*}?\s*(?P=q10)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(GetEntryPointForThread))\s*\(/siO"; metadata:service http; reference:bugtraq,31996; reference:cve,2008-4800; classtype:attempted-user; sid:14999; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DjVu MSOffice Converter ActiveX clsid access"; flow:to_client,established; file_data; content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4A46B8CD-F7BD-11D4-B1D8-000102290E7C\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(ImageURL)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4A46B8CD-F7BD-11D4-B1D8-000102290E7C\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(ImageURL))\s*=/siO"; metadata:service http; reference:bugtraq,31987; reference:cve,2008-4922; classtype:attempted-user; sid:14997; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Visagesoft eXPert PDF Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"VSPDFEditorX.VSPDFEdit"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VSPDFEditorX\.VSPDFEdit(\.\d)?\x22|\x27VSPDFEditorX\.VSPDFEdit(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*savePageAsBitmap\s*|.*(?P=v)\s*\.\s*savePageAsBitmap\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VSPDFEditorX\.VSPDFEdit(\.\d)?\x22|\x27VSPDFEditorX\.VSPDFEdit(\.\d)?\x27)\s*\)(\s*\.\s*savePageAsBitmap\s*|.*(?P=n)\s*\.\s*savePageAsBitmap\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,31984; reference:cve,2008-4919; classtype:attempted-user; sid:14995; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Visagesoft eXPert PDF Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(savePageAsBitmap)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(savePageAsBitmap))\s*\(/siO"; metadata:service http; reference:bugtraq,31984; reference:cve,2008-4919; classtype:attempted-user; sid:14993; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Software Update RulesEngine.dll ActiveX function call access"; flow:to_client,established; file_data; content:"HPRulesEngine.ContentCollection"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22HPRulesEngine\.ContentCollection\x22|\x27HPRulesEngine\.ContentCollection\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveToFile|LoadFromFile)\s*|.*(?P=v)\s*\.\s*(SaveToFile|LoadFromFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HPRulesEngine\.ContentCollection\x22|\x27HPRulesEngine\.ContentCollection\x27)\s*\)(\s*\.\s*(SaveToFile|LoadFromFile)\s*|.*(?P=n)\s*\.\s*(SaveToFile|LoadFromFile)\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26950; reference:cve,2007-6506; classtype:attempted-user; sid:14897; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Dart Communications PowerTCP FTP ActiveX function call access"; flow:to_client,established; file_data; content:"Dart.Ftp"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Dart\.Ftp\x22|\x27Dart\.Ftp\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SecretKey\s*|.*(?P=v)\s*\.\s*SecretKey\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Dart\.Ftp\x22|\x27Dart\.Ftp\x27)\s*\)(\s*\.\s*SecretKey\s*|.*(?P=n)\s*\.\s*SecretKey)\s*=/Osmi"; metadata:service http; reference:bugtraq,31814; reference:cve,2008-4652; classtype:attempted-user; sid:14780; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Dart Communications PowerTCP FTP ActiveX clsid access"; flow:to_client,established; file_data; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*39FDA070-61BA-11D2-AD84-00105A17B608\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SecretKey)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*39FDA070-61BA-11D2-AD84-00105A17B608\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(SecretKey))\s*=/Osi"; metadata:service http; reference:bugtraq,31814; reference:cve,2008-4652; classtype:attempted-user; sid:14778; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service Agent ActiveX function call"; flow:to_client,established; file_data; content:"DWUSWebAgent.WebAgent"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14765; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX function call access"; flow:to_client,established; file_data; content:"LPViewer.LPViewer.1"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]\s*?LPViewer\.LPViewer\.1/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:14762; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX function call access"; flow:to_client,established; file_data; content:"SQLVDir.SQLVDirControl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SQLVDir\.SQLVDirControl\x22|\x27SQLVDir\.SQLVDirControl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Connect\s*|.*(?P=v)\s*\.\s*Connect\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SQLVDir\.SQLVDirControl\x22|\x27SQLVDir\.SQLVDirControl\x27)\s*\)(\s*\.\s*Connect\s*|.*(?P=n)\s*\.\s*Connect\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31129; reference:cve,2008-4110; classtype:attempted-user; sid:14758; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell ZENworks Desktop Management ActiveX function call access"; flow:to_client,established; file_data; content:"AxNalServer.CAxNalWebInterface"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22AxNalServer\.CAxNalWebInterface\x22|\x27AxNalServer\.CAxNalWebInterface\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*CanUninstall\s*|.*(?P=v)\s*\.\s*CanUninstall\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AxNalServer\.CAxNalWebInterface\x22|\x27AxNalServer\.CAxNalWebInterface\x27)\s*\)(\s*\.\s*CanUninstall\s*|.*(?P=n)\s*\.\s*CanUninstall\s*)\s*\(/Osmi"; metadata:service http; reference:bugtraq,31435; reference:cve,2008-5073; classtype:attempted-user; sid:14754; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell ZENworks Desktop Management ActiveX clsid access"; flow:to_client,established; file_data; content:"0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(CanUninstall)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(CanUninstall))\s*\(/Osi"; metadata:service http; reference:bugtraq,31435; reference:cve,2008-5073; classtype:attempted-user; sid:14752; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Autodesk LiveUpdate ActiveX function call access"; flow:to_client,established; file_data; content:"LiveUpdate.UpdateEngine"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LiveUpdate\.UpdateEngine\x22|\x27LiveUpdate\.UpdateEngine\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ApplyPatch\s*|.*(?P=v)\s*\.\s*ApplyPatch\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LiveUpdate\.UpdateEngine\x22|\x27LiveUpdate\.UpdateEngine\x27)\s*\)(\s*\.\s*ApplyPatch\s*|.*(?P=n)\s*\.\s*ApplyPatch\s*)\s*\(/Osmi"; metadata:service http; reference:bugtraq,31490; reference:cve,2008-4472; classtype:attempted-user; sid:14750; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Autodesk DWF Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"A662DA7E-CCB7-4743-B71A-D817F6D575DF"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A662DA7E-CCB7-4743-B71A-D817F6D575DF\s*}?\s*(?P=q3)(\s|>).*(?P=id1)\s*\.\s*(SaveAs)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A662DA7E-CCB7-4743-B71A-D817F6D575DF\s*}?\s*(?P=q4)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveAs))\s*\(/Osi"; metadata:service http; reference:bugtraq,31487; reference:bugtraq,31490; reference:cve,2008-4471; reference:cve,2008-4472; classtype:attempted-user; sid:14746; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Hummingbird HostExplorer ActiveX clsid access"; flow:to_client,established; file_data; content:"FFB6CC68-702D-4FE2-A8E7-4DE23835F0D2"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FFB6CC68-702D-4FE2-A8E7-4DE23835F0D2\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,31783; reference:cve,2008-4729; classtype:attempted-user; sid:14744; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft PicturePusher ActiveX function call access"; flow:to_client,established; file_data; content:"Microsoft.DIG.PicturePusherControl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Microsoft\.DIG\.PicturePusherControl\x22|\x27Microsoft\.DIG\.PicturePusherControl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(AddString|Post)\s*|.*(?P=v)\s*\.\s*(AddString|Post)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Microsoft\.DIG\.PicturePusherControl\x22|\x27Microsoft\.DIG\.PicturePusherControl\x27)\s*\)(\s*\.\s*(AddString|Post)\s*|.*(?P=n)\s*\.\s*(AddString|Post)\s*)\s*\(/Osmi"; metadata:service http; reference:bugtraq,31632; reference:cve,2008-4493; classtype:attempted-user; sid:14639; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft PicturePusher ActiveX clsid access"; flow:to_client,established; file_data; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*507813C3-0B26-47AD-A8C0-D483C7A21FA7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddString|Post)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*507813C3-0B26-47AD-A8C0-D483C7A21FA7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddString|Post))\s*\(/Osi"; metadata:service http; reference:bugtraq,31632; reference:cve,2008-4493; classtype:attempted-user; sid:14637; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft RSClientPrint ActiveX clsid access"; flow:to_client,established; file_data; content:"FA91DF8D-53AB-455D-AB20-F2F023E498D3"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FA91DF8D-53AB-455D-AB20-F2F023E498D3\s*}?\s*(?P=q5)(\s|>)/Osi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5348; reference:cve,2008-3013; reference:cve,2008-3014; reference:cve,2008-3015; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-052; classtype:attempted-user; sid:14635; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PhotoStockPlus ActiveX clsid access"; flow:to_client,established; file_data; content:"E48BB416-C578-4A62-84C9-5E3389ABE5FC"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E48BB416-C578-4A62-84C9-5E3389ABE5FC\s*}?\s*(?P=q3)(\s|>)/Osi"; metadata:service http; reference:bugtraq,29279; reference:cve,2008-0957; reference:url,support.microsoft.com/kb/956391; classtype:attempted-user; sid:14633; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Husdawg System Requirements Lab Control ActiveX clsid access"; flow:to_client,established; file_data; content:"67A5F8DC-1A4B-4D66-9F24-A704AD929EEE"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?67A5F8DC-1A4B-4D66-9F24-A704AD929EEE/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,31752; reference:cve,2008-4385; reference:url,support.microsoft.com/kb/956391; reference:url,www.systemrequirementslab.com/bulletins/security_bulletin_1.html; classtype:attempted-user; sid:14631; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare VMCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"VmCOM.VmCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VmCOM\.VmCtl\x22|\x27VmCOM\.VmCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GuestInfo\s*|.*(?P=v)\s*\.\s*GuestInfo\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VmCOM\.VmCtl\x22|\x27VmCOM\.VmCtl\x27)\s*\)(\s*\.\s*GuestInfo\s*|.*(?P=n)\s*\.\s*GuestInfo\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30934; reference:cve,2008-3892; classtype:attempted-user; sid:14613; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Data Dynamics ActiveReport ARViewer2 ActiveX function call access"; flow:to_client,established; file_data; content:"DDActiveReportsViewer2.ARViewer2"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DDActiveReportsViewer2\.ARViewer2\x22|\x27DDActiveReportsViewer2\.ARViewer2\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Pages.Save|PrintReport|Canvas.Save)\s*|.*(?P=v)\s*\.\s*(Pages.Save|PrintReport|Canvas.Save)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DDActiveReportsViewer2\.ARViewer2\x22|\x27DDActiveReportsViewer2\.ARViewer2\x27)\s*\)(\s*\.\s*(Pages.Save|PrintReport|Canvas.Save)\s*|.*(?P=n)\s*\.\s*(Pages.Save|PrintReport|Canvas.Save)\s*)\s*\(/Osmi"; metadata:service http; reference:bugtraq,31227; reference:cve,2008-5089; classtype:attempted-user; sid:14605; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Data Dynamics ActiveReport ARViewer2 ActiveX clsid access"; flow:to_client,established; file_data; content:"8569D715-FF88-44BA-8D1D-AD3E59543DDE"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8569D715-FF88-44BA-8D1D-AD3E59543DDE\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Pages.Save|PrintReport|Canvas.Save)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8569D715-FF88-44BA-8D1D-AD3E59543DDE\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Pages.Save|PrintReport|Canvas.Save))\s*\(/Osi"; metadata:service http; reference:bugtraq,31227; reference:cve,2008-5089; classtype:attempted-user; sid:14603; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ComponentOne VSFlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"VSFlexGrid8.VSFlexGridADO"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VSFlexGrid8\.VSFlexGridADO\x22|\x27VSFlexGrid8\.VSFlexGridADO\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Archive\s*|.*(?P=v)\s*\.\s*Archive\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VSFlexGrid8\.VSFlexGridADO\x22|\x27VSFlexGrid8\.VSFlexGridADO\x27)\s*\)(\s*\.\s*Archive\s*|.*(?P=n)\s*\.\s*Archive\s*)\s*\(/Osmi"; metadata:service http; reference:bugtraq,31200; reference:cve,2008-4132; classtype:attempted-user; sid:14598; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ComponentOne VSFlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"C945E31A-102E-4A0D-8854-D599D7AED5FA"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C945E31A-102E-4A0D-8854-D599D7AED5FA\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Archive)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C945E31A-102E-4A0D-8854-D599D7AED5FA\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Archive))\s*\(/Osi"; metadata:service http; reference:bugtraq,31200; reference:cve,2008-4132; classtype:attempted-user; sid:14596; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Peachtree Accounting 2004 ActiveX clsid access"; flow:to_client,established; file_data; content:"2BCEAECE-6121-4E78-816C-8CD3121361B0"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2BCEAECE-6121-4E78-816C-8CD3121361B0\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ExecutePreferredApplication)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2BCEAECE-6121-4E78-816C-8CD3121361B0\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(ExecutePreferredApplication))\s*\(/si"; metadata:service http; reference:bugtraq,31096; reference:cve,2008-4699; classtype:attempted-user; sid:14594; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VhdCvtCom.DiskLibHelper ActiveX function call access"; flow:to_client,established; file_data; content:"VhdCvtCom.DiskLibHelper"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VhdCvtCom\.DiskLibHelper\x22|\x27VhdCvtCom\.DiskLibHelper\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VhdCvtCom\.DiskLibHelper\x22|\x27VhdCvtCom\.DiskLibHelper\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14592; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VhdCvtCom.DiskLibHelper ActiveX clsid access"; flow:to_client,established; file_data; content:"FDE6485C-53E6-4E1F-BBFD-12D92384ECD2"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FDE6485C-53E6-4E1F-BBFD-12D92384ECD2\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14590; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CurrentVMCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.CurrentVMCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.CurrentVMCtl\x22|\x27Vmappsdk\.CurrentVMCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.CurrentVMCtl\x22|\x27Vmappsdk\.CurrentVMCtl\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14588; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CurrentVMCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"fd99f74c-9d06-415e-8c60-a249d16f1d77"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*fd99f74c-9d06-415e-8c60-a249d16f1d77\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14586; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 26 ActiveX clsid access"; flow:to_client,established; file_data; content:"fd1e7da6-fbda-49aa-9488-4a1fc2ec7826"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*fd1e7da6-fbda-49aa-9488-4a1fc2ec7826\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14584; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 25 ActiveX clsid access"; flow:to_client,established; file_data; content:"fcac0ad0-ff50-4dba-8c79-f17102e15c02"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*fcac0ad0-ff50-4dba-8c79-f17102e15c02\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14582; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMList Class ActiveX function call access"; flow:to_client,established; file_data; content:"VmdbCOM.VMList"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VmdbCOM\.VMList\x22|\x27VmdbCOM\.VMList\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VmdbCOM\.VMList\x22|\x27VmdbCOM\.VMList\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14580; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMList Class ActiveX clsid access"; flow:to_client,established; file_data; content:"f76e4799-379b-4362-bcc4-68b753d10744"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*f76e4799-379b-4362-bcc4-68b753d10744\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14578; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NavigationCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.NavigationCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.NavigationCtl\x22|\x27Vmappsdk\.NavigationCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.NavigationCtl\x22|\x27Vmappsdk\.NavigationCtl\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14576; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NavigationCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"f665fa34-efa7-4dff-bee6-ad27fa396c2b"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*f665fa34-efa7-4dff-bee6-ad27fa396c2b\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14574; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbParseError Class ActiveX function call access"; flow:to_client,established; file_data; content:"VmdbCOM.VmdbParseError"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VmdbCOM\.VmdbParseError\x22|\x27VmdbCOM\.VmdbParseError\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VmdbCOM\.VmdbParseError\x22|\x27VmdbCOM\.VmdbParseError\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14572; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbParseError Class ActiveX clsid access"; flow:to_client,established; file_data; content:"f1bee71f-bf84-4a3c-a967-f1c9d21c6100"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*f1bee71f-bf84-4a3c-a967-f1c9d21c6100\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14570; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PolicyCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.PolicyCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.PolicyCtl\x22|\x27Vmappsdk\.PolicyCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.PolicyCtl\x22|\x27Vmappsdk\.PolicyCtl\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14568; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PolicyCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"edc2cfe2-97c9-41c3-80e9-9bb55b5a1ade"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*edc2cfe2-97c9-41c3-80e9-9bb55b5a1ade\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14566; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 24 ActiveX clsid access"; flow:to_client,established; file_data; content:"edaf3a1f-942e-4062-89b0-5276060dff93"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*edaf3a1f-942e-4062-89b0-5276060dff93\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14564; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmappPropPath Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.VmappPropPath"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.VmappPropPath\x22|\x27Vmappsdk\.VmappPropPath\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VmappPropPath\x22|\x27Vmappsdk\.VmappPropPath\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14562; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmappPropPath Class ActiveX clsid access"; flow:to_client,established; file_data; content:"ec891881-be63-45cf-97c9-34615aa209c1"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*ec891881-be63-45cf-97c9-34615aa209c1\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14560; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MksCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmappsdk.MksCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmappsdk\.MksCtl\x22|\x27vmappsdk\.MksCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.MksCtl\x22|\x27vmappsdk\.MksCtl\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14558; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MksCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"ec24c86e-34dd-45f3-928d-ecb7c2b3afb4"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*ec24c86e-34dd-45f3-928d-ecb7c2b3afb4\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14556; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vmc2vmx.CoVPCDrives ActiveX function call access"; flow:to_client,established; file_data; content:"Vmc2vmx.CoVPCDrives"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmc2vmx\.CoVPCDrives\x22|\x27Vmc2vmx\.CoVPCDrives\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmc2vmx\.CoVPCDrives\x22|\x27Vmc2vmx\.CoVPCDrives\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14554; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vmc2vmx.CoVPCDrives ActiveX clsid access"; flow:to_client,established; file_data; content:"EBA250D3-CEE2-4185-8563-1080F50BB733"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EBA250D3-CEE2-4185-8563-1080F50BB733\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14552; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Nwz Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmhwcfg.Nwz"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmhwcfg\.Nwz\x22|\x27vmhwcfg\.Nwz\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmhwcfg\.Nwz\x22|\x27vmhwcfg\.Nwz\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14550; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Nwz Class ActiveX clsid access"; flow:to_client,established; file_data; content:"eb80211b-ef44-463c-adab-b75ccd68c163"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*eb80211b-ef44-463c-adab-b75ccd68c163\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14548; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbTreeCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmappsdk.vmdbTreeCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmappsdk\.vmdbTreeCtl\x22|\x27vmappsdk\.vmdbTreeCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.vmdbTreeCtl\x22|\x27vmappsdk\.vmdbTreeCtl\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14546; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbTreeCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"e669547d-ae52-459f-9c07-cc5f17b4b16f"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*e669547d-ae52-459f-9c07-cc5f17b4b16f\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14544; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 23 ActiveX clsid access"; flow:to_client,established; file_data; content:"e54b2aa7-52ab-431c-a1fa-3f807ee3578d"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*e54b2aa7-52ab-431c-a1fa-3f807ee3578d\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14542; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CheckedListViewWnd Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.CheckedListViewWnd"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.CheckedListViewWnd\x22|\x27Vmappsdk\.CheckedListViewWnd\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.CheckedListViewWnd\x22|\x27Vmappsdk\.CheckedListViewWnd\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14540; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CheckedListViewWnd Class ActiveX clsid access"; flow:to_client,established; file_data; content:"e3aa8d10-02e2-4615-b524-908a3b8716e9"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*e3aa8d10-02e2-4615-b524-908a3b8716e9\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14538; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMListCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.VMListCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.VMListCtl\x22|\x27Vmappsdk\.VMListCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VMListCtl\x22|\x27Vmappsdk\.VMListCtl\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14536; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMListCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"e2d82f32-b4b0-4763-80d6-87323173d571"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*e2d82f32-b4b0-4763-80d6-87323173d571\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14534; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbUpdates Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VmdbUpdates"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VmdbUpdates\x22|\x27vmdbCOM\.VmdbUpdates\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbUpdates\x22|\x27vmdbCOM\.VmdbUpdates\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14532; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbUpdates Class ActiveX clsid access"; flow:to_client,established; file_data; content:"dff44aec-2370-469d-8a22-df82448bff64"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*dff44aec-2370-469d-8a22-df82448bff64\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14530; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HotfixWz Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmappcfg.HotfixWz"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmappcfg\.HotfixWz\x22|\x27vmappcfg\.HotfixWz\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappcfg\.HotfixWz\x22|\x27vmappcfg\.HotfixWz\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14528; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HotfixWz Class ActiveX clsid access"; flow:to_client,established; file_data; content:"dfef4b09-1b0a-4529-9775-ac437d6a93b3"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*dfef4b09-1b0a-4529-9775-ac437d6a93b3\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14526; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 22 ActiveX clsid access"; flow:to_client,established; file_data; content:"dfd8b167-5652-4962-a162-9a227825afaa"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*dfd8b167-5652-4962-a162-9a227825afaa\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14524; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Elevated.VMXCreator ActiveX function call access"; flow:to_client,established; file_data; content:"Elevated.VMXCreator"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Elevated\.VMXCreator\x22|\x27Elevated\.VMXCreator\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Elevated\.VMXCreator\x22|\x27Elevated\.VMXCreator\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14522; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Elevated.VMXCreator ActiveX clsid access"; flow:to_client,established; file_data; content:"DFC76A6B-4873-458C-AB00-40B1FC028001"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DFC76A6B-4873-458C-AB00-40B1FC028001\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14520; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 21 ActiveX clsid access"; flow:to_client,established; file_data; content:"deab0eb8-05d4-49b5-a9c6-31b031d26d99"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*deab0eb8-05d4-49b5-a9c6-31b031d26d99\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14518; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMClientVM Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VMClientVM"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VMClientVM\x22|\x27vmdbCOM\.VMClientVM\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VMClientVM\x22|\x27vmdbCOM\.VMClientVM\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14516; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMClientVM Class ActiveX clsid access"; flow:to_client,established; file_data; content:"dd3705d3-53b0-4d2d-961e-64fc7495b8cd"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*dd3705d3-53b0-4d2d-961e-64fc7495b8cd\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14514; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 20 ActiveX clsid access"; flow:to_client,established; file_data; content:"da52e304-436f-420e-8cf4-9f785c2e5dc7"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*da52e304-436f-420e-8cf4-9f785c2e5dc7\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14512; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vmc2vmx.CoVPCDrive ActiveX function call access"; flow:to_client,established; file_data; content:"Vmc2vmx.CoVPCDrive"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmc2vmx\.CoVPCDrive\x22|\x27Vmc2vmx\.CoVPCDrive\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmc2vmx\.CoVPCDrive\x22|\x27Vmc2vmx\.CoVPCDrive\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14510; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vmc2vmx.CoVPCDrive ActiveX clsid access"; flow:to_client,established; file_data; content:"D9902D56-1F2A-47D6-89AA-08F49A40AE8C"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D9902D56-1F2A-47D6-89AA-08F49A40AE8C\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14508; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbCnxUtil Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VmdbCnxUtil"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VmdbCnxUtil\x22|\x27vmdbCOM\.VmdbCnxUtil\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbCnxUtil\x22|\x27vmdbCOM\.VmdbCnxUtil\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14506; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbCnxUtil Class ActiveX clsid access"; flow:to_client,established; file_data; content:"d6e9ab14-5437-4507-8f53-60ded2db142c"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*d6e9ab14-5437-4507-8f53-60ded2db142c\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14504; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMwareVpcCvt.VpcC ActiveX function call access"; flow:to_client,established; file_data; content:"VMwareVpcCvt.VpcC"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VMwareVpcCvt\.VpcC\x22|\x27VMwareVpcCvt\.VpcC\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VMwareVpcCvt\.VpcC\x22|\x27VMwareVpcCvt\.VpcC\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14502; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMwareVpcCvt.VpcC ActiveX clsid access"; flow:to_client,established; file_data; content:"D428A135-8494-41DE-A4B5-8BB1B632E8DC"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D428A135-8494-41DE-A4B5-8BB1B632E8DC\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14500; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 19 ActiveX clsid access"; flow:to_client,established; file_data; content:"d344ef7e-e559-48b4-8b16-07950bf1f191"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*d344ef7e-e559-48b4-8b16-07950bf1f191\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14498; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbUtil Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VmdbUtil"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VmdbUtil\x22|\x27vmdbCOM\.VmdbUtil\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbUtil\x22|\x27vmdbCOM\.VmdbUtil\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14496; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbUtil Class ActiveX clsid access"; flow:to_client,established; file_data; content:"d1d1d84a-318e-4bce-9d4b-9d6664c99bd0"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*d1d1d84a-318e-4bce-9d4b-9d6664c99bd0\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14494; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 18 ActiveX clsid access"; flow:to_client,established; file_data; content:"d1084c98-79f2-461d-81b8-7888228e77cc"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*d1084c98-79f2-461d-81b8-7888228e77cc\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14492; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMSwitchCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.VMSwitchCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.VMSwitchCtl\x22|\x27Vmappsdk\.VMSwitchCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VMSwitchCtl\x22|\x27Vmappsdk\.VMSwitchCtl\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14490; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMSwitchCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"ce55ac6b-d0fa-4be6-bc90-c318e7383cdd"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*ce55ac6b-d0fa-4be6-bc90-c318e7383cdd\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14488; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VhdCvtCom.VhdConverter ActiveX function call access"; flow:to_client,established; file_data; content:"VhdCvtCom.VhdConverter"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VhdCvtCom\.VhdConverter\x22|\x27VhdCvtCom\.VhdConverter\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VhdCvtCom\.VhdConverter\x22|\x27VhdCvtCom\.VhdConverter\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14486; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VhdCvtCom.VhdConverter ActiveX clsid access"; flow:to_client,established; file_data; content:"C2FBF309-56F6-409E-B9D7-DBBC190AD51A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C2FBF309-56F6-409E-B9D7-DBBC190AD51A\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14484; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmappPropFrame Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.VmappPropFrame"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.VmappPropFrame\x22|\x27Vmappsdk\.VmappPropFrame\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VmappPropFrame\x22|\x27Vmappsdk\.VmappPropFrame\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14482; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmappPropFrame Class ActiveX clsid access"; flow:to_client,established; file_data; content:"c0f98577-fc80-4d0a-86b2-6d4e045edf8e"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*c0f98577-fc80-4d0a-86b2-6d4e045edf8e\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14480; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS reconfig.GuestInfo ActiveX function call access"; flow:to_client,established; file_data; content:"reconfig.GuestInfo"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22reconfig\.GuestInfo\x22|\x27reconfig\.GuestInfo\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22reconfig\.GuestInfo\x22|\x27reconfig\.GuestInfo\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14478; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS reconfig.GuestInfo ActiveX clsid access"; flow:to_client,established; file_data; content:"C0A9F3A2-C933-42E5-8ED4-FC7E9A55686F"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C0A9F3A2-C933-42E5-8ED4-FC7E9A55686F\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14476; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 17 ActiveX clsid access"; flow:to_client,established; file_data; content:"bf337b95-a08a-43ba-b395-001bb11e51cd"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bf337b95-a08a-43ba-b395-001bb11e51cd\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14474; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 16 ActiveX clsid access"; flow:to_client,established; file_data; content:"bea48e3e-5990-4f52-ad0c-4fee8b00b3dd"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bea48e3e-5990-4f52-ad0c-4fee8b00b3dd\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14472; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Elevated.HostDeviceInfos ActiveX function call access"; flow:to_client,established; file_data; content:"Elevated.HostDeviceInfos"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Elevated\.HostDeviceInfos\x22|\x27Elevated\.HostDeviceInfos\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Elevated\.HostDeviceInfos\x22|\x27Elevated\.HostDeviceInfos\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14470; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Elevated.HostDeviceInfos ActiveX clsid access"; flow:to_client,established; file_data; content:"BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14468; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 15 ActiveX clsid access"; flow:to_client,established; file_data; content:"b39924ac-b164-4f0a-b2d8-f07295df710d"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*b39924ac-b164-4f0a-b2d8-f07295df710d\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14466; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 14 ActiveX clsid access"; flow:to_client,established; file_data; content:"aeab0a1a-4bcd-4fc2-9c70-0e0ae3b40350"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*aeab0a1a-4bcd-4fc2-9c70-0e0ae3b40350\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14460; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MksCompatCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmappsdk.MksCompatCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmappsdk\.MksCompatCtl\x22|\x27vmappsdk\.MksCompatCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.MksCompatCtl\x22|\x27vmappsdk\.MksCompatCtl\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14458; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MksCompatCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"a170cd00-5ce4-46d0-b013-e804ffd1d929"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*a170cd00-5ce4-46d0-b013-e804ffd1d929\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14456; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS vmhwcfg.NwzCompleted ActiveX function call access"; flow:to_client,established; file_data; content:"vmhwcfg.NwzCompleted"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmhwcfg\.NwzCompleted\x22|\x27vmhwcfg\.NwzCompleted\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmhwcfg\.NwzCompleted\x22|\x27vmhwcfg\.NwzCompleted\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14454; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS vmhwcfg.NwzCompleted ActiveX clsid access"; flow:to_client,established; file_data; content:"9F625D90-A74B-4dd8-9847-9CFD6F928FEF"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9F625D90-A74B-4dd8-9847-9CFD6F928FEF\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14452; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS reconfig.SystemReconfigur ActiveX function call access"; flow:to_client,established; file_data; content:"reconfig.SystemReconfigur"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22reconfig\.SystemReconfigur\x22|\x27reconfig\.SystemReconfigur\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22reconfig\.SystemReconfigur\x22|\x27reconfig\.SystemReconfigur\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14450; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS reconfig.SystemReconfigur ActiveX clsid access"; flow:to_client,established; file_data; content:"9ED5A5B3-C8D4-4597-B082-487008D75E3F"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9ED5A5B3-C8D4-4597-B082-487008D75E3F\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14448; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 13 ActiveX clsid access"; flow:to_client,established; file_data; content:"9ea0c310-9140-4735-90db-5babc57583f0"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9ea0c310-9140-4735-90db-5babc57583f0\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14446; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 12 ActiveX clsid access"; flow:to_client,established; file_data; content:"9d253f85-f9b1-446e-9122-7ef3e260c3e4"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9d253f85-f9b1-446e-9122-7ef3e260c3e4\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14444; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 11 ActiveX clsid access"; flow:to_client,established; file_data; content:"99a1b3a3-0c4c-4e08-a1b1-84a6e6ff414d"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*99a1b3a3-0c4c-4e08-a1b1-84a6e6ff414d\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14442; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 10 ActiveX clsid access"; flow:to_client,established; file_data; content:"96a05576-987f-4f6d-9102-8799e3ded07b"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*96a05576-987f-4f6d-9102-8799e3ded07b\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14440; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMClientHost Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VMClientHost"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VMClientHost\x22|\x27vmdbCOM\.VMClientHost\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VMClientHost\x22|\x27vmdbCOM\.VMClientHost\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14438; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMClientHost Class ActiveX clsid access"; flow:to_client,established; file_data; content:"9663f7c7-44fb-4075-bc83-829b47db7936"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9663f7c7-44fb-4075-bc83-829b47db7936\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14436; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"93beec8b-783e-4f87-a1d7-61936f3805cf"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*93beec8b-783e-4f87-a1d7-61936f3805cf\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14434; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMEnumStrings Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmappsdk.VMEnumStrings"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmappsdk\.VMEnumStrings\x22|\x27vmappsdk\.VMEnumStrings\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.VMEnumStrings\x22|\x27vmappsdk\.VMEnumStrings\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14432; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMEnumStrings Class ActiveX clsid access"; flow:to_client,established; file_data; content:"92d37a66-dc23-4244-8add-2e8bdcafa9b2"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*92d37a66-dc23-4244-8add-2e8bdcafa9b2\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14430; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 8 ActiveX clsid access"; flow:to_client,established; file_data; content:"8f2f3b54-43cc-4912-9b48-bd500a023d40"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8f2f3b54-43cc-4912-9b48-bd500a023d40\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14428; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMAppSdkUtil Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.VMAppSdkUtil"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.VMAppSdkUtil\x22|\x27Vmappsdk\.VMAppSdkUtil\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VMAppSdkUtil\x22|\x27Vmappsdk\.VMAppSdkUtil\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14426; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMAppSdkUtil Class ActiveX clsid access"; flow:to_client,established; file_data; content:"85691355-a4fa-4e2b-b461-8145f90aa8dc"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*85691355-a4fa-4e2b-b461-8145f90aa8dc\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14424; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbDatabase Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VmdbDatabase"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VmdbDatabase\x22|\x27vmdbCOM\.VmdbDatabase\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbDatabase\x22|\x27vmdbCOM\.VmdbDatabase\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14422; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbDatabase Class ActiveX clsid access"; flow:to_client,established; file_data; content:"7edd4fce-e178-47f2-ae05-c5936c843795"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7edd4fce-e178-47f2-ae05-c5936c843795\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14420; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 7 ActiveX clsid access"; flow:to_client,established; file_data; content:"75869575-07ba-4c7e-8f8f-980dfbc12abd"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*75869575-07ba-4c7e-8f8f-980dfbc12abd\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14414; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbEnumTags Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VmdbEnumTags"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VmdbEnumTags\x22|\x27vmdbCOM\.VmdbEnumTags\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbEnumTags\x22|\x27vmdbCOM\.VmdbEnumTags\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14412; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbEnumTags Class ActiveX clsid access"; flow:to_client,established; file_data; content:"733a5dfa-084e-4ecf-af13-95b852358dd3"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*733a5dfa-084e-4ecf-af13-95b852358dd3\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14410; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RegVmsCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.RegVmsCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.RegVmsCtl\x22|\x27Vmappsdk\.RegVmsCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.RegVmsCtl\x22|\x27Vmappsdk\.RegVmsCtl\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14408; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RegVmsCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"6bc34d15-ee92-46b3-8c6a-03de589ab727"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6bc34d15-ee92-46b3-8c6a-03de589ab727\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14406; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RemoteBrowseDlg Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.RemoteBrowseDlg"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.RemoteBrowseDlg\x22|\x27Vmappsdk\.RemoteBrowseDlg\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.RemoteBrowseDlg\x22|\x27Vmappsdk\.RemoteBrowseDlg\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14404; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RemoteBrowseDlg Class ActiveX clsid access"; flow:to_client,established; file_data; content:"6b681417-abe9-46ca-9615-8b96ec724d0c"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6b681417-abe9-46ca-9615-8b96ec724d0c\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14402; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS vmappsdk.CuiObj ActiveX function call access"; flow:to_client,established; file_data; content:"vmappsdk.CuiObj"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmappsdk\.CuiObj\x22|\x27vmappsdk\.CuiObj\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.CuiObj\x22|\x27vmappsdk\.CuiObj\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14400; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS vmappsdk.CuiObj ActiveX clsid access"; flow:to_client,established; file_data; content:"68F1E07B-609F-4b87-9D57-A879023A75FC"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68F1E07B-609F-4b87-9D57-A879023A75FC\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14398; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VixCOM.VixLib ActiveX function call access"; flow:to_client,established; file_data; content:"VixCOM.VixLib"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VixCOM\.VixLib\x22|\x27VixCOM\.VixLib\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VixCOM\.VixLib\x22|\x27VixCOM\.VixLib\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14396; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VixCOM.VixLib ActiveX clsid access"; flow:to_client,established; file_data; content:"6874E949-7186-4308-A1B9-D55A91F60728"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6874E949-7186-4308-A1B9-D55A91F60728\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14394; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbSchema Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VmdbSchema"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VmdbSchema\x22|\x27vmdbCOM\.VmdbSchema\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbSchema\x22|\x27vmdbCOM\.VmdbSchema\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14388; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbSchema Class ActiveX clsid access"; flow:to_client,established; file_data; content:"5a8cce1b-1845-4a4b-9b89-c5a97d2acae2"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5a8cce1b-1845-4a4b-9b89-c5a97d2acae2\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14386; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Pq2vcom.Pq2v ActiveX function call access"; flow:to_client,established; file_data; content:"Pq2vcom.Pq2v"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Pq2vcom\.Pq2v\x22|\x27Pq2vcom\.Pq2v\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Pq2vcom\.Pq2v\x22|\x27Pq2vcom\.Pq2v\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14384; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Pq2vcom.Pq2v ActiveX clsid access"; flow:to_client,established; file_data; content:"5647DAF6-85BE-4173-88E7-749322B243BE"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5647DAF6-85BE-4173-88E7-749322B243BE\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14382; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMClient Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VMClient"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VMClient\x22|\x27vmdbCOM\.VMClient\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VMClient\x22|\x27vmdbCOM\.VMClient\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14380; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMClient Class ActiveX clsid access"; flow:to_client,established; file_data; content:"4cc34b9f-1536-4330-adfb-b0a68ce3d856"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4cc34b9f-1536-4330-adfb-b0a68ce3d856\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14378; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmappPoll Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.vmappPoll"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.vmappPoll\x22|\x27vmdbCOM\.vmappPoll\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.vmappPoll\x22|\x27vmdbCOM\.vmappPoll\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14376; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmappPoll Class ActiveX clsid access"; flow:to_client,established; file_data; content:"48e72e42-2d79-4d94-99f6-c859f3a46d42"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*48e72e42-2d79-4d94-99f6-c859f3a46d42\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14374; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS vmappPropObj2 Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmappsdk.VmappPropObj2"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmappsdk\.VmappPropObj2\x22|\x27vmappsdk\.VmappPropObj2\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.VmappPropObj2\x22|\x27vmappsdk\.VmappPropObj2\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14372; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS vmappPropObj2 Class ActiveX clsid access"; flow:to_client,established; file_data; content:"48a70f00-ae14-46ce-ac17-d2290d504b37"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*48a70f00-ae14-46ce-ac17-d2290d504b37\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14370; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbQuery Class ActiveX function call access"; flow:to_client,established; file_data; content:"VmdbCOM.VmdbQuery"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VmdbCOM\.VmdbQuery\x22|\x27VmdbCOM\.VmdbQuery\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VmdbCOM\.VmdbQuery\x22|\x27VmdbCOM\.VmdbQuery\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14368; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbQuery Class ActiveX clsid access"; flow:to_client,established; file_data; content:"477ca8b0-4c2a-40c9-a440-28acb95cfad8"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*477ca8b0-4c2a-40c9-a440-28acb95cfad8\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14366; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 6 ActiveX clsid access"; flow:to_client,established; file_data; content:"47266690-b412-4a6c-a072-2e97ce86a0b6"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*47266690-b412-4a6c-a072-2e97ce86a0b6\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14364; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HardwareCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.HardwareCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.HardwareCtl\x22|\x27Vmappsdk\.HardwareCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.HardwareCtl\x22|\x27Vmappsdk\.HardwareCtl\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14362; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HardwareCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"44d188a8-f3c4-49fe-96eb-a416259d7c4a"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*44d188a8-f3c4-49fe-96eb-a416259d7c4a\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14360; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 5 ActiveX clsid access"; flow:to_client,established; file_data; content:"4249304b-198d-4b81-8250-29445ed99c2f"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4249304b-198d-4b81-8250-29445ed99c2f\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14358; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Elevated.ElevMgr ActiveX function call access"; flow:to_client,established; file_data; content:"Elevated.ElevMgr"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Elevated\.ElevMgr\x22|\x27Elevated\.ElevMgr\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Elevated\.ElevMgr\x22|\x27Elevated\.ElevMgr\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14356; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Elevated.ElevMgr ActiveX clsid access"; flow:to_client,established; file_data; content:"420F0000-71EB-4757-B979-418F039FC1F9"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*420F0000-71EB-4757-B979-418F039FC1F9\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14354; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS reconfig.PopulatedDi ActiveX function call access"; flow:to_client,established; file_data; content:"reconfig.PopulatedDi"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22reconfig\.PopulatedDi\x22|\x27reconfig\.PopulatedDi\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22reconfig\.PopulatedDi\x22|\x27reconfig\.PopulatedDi\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14352; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS reconfig.PopulatedDi ActiveX clsid access"; flow:to_client,established; file_data; content:"41DF0779-3632-4790-B40F-C44CFCF55CB6"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*41DF0779-3632-4790-B40F-C44CFCF55CB6\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14350; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 4 ActiveX clsid access"; flow:to_client,established; file_data; content:"3ddf644a-0e1a-4543-9595-4b917707a9a7"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3ddf644a-0e1a-4543-9595-4b917707a9a7\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14348; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMMsg Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.VMMsg"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.VMMsg\x22|\x27Vmappsdk\.VMMsg\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VMMsg\x22|\x27Vmappsdk\.VMMsg\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14346; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMMsg Class ActiveX clsid access"; flow:to_client,established; file_data; content:"3d41639a-88cc-43d2-b6cb-2ce98a24509d"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3d41639a-88cc-43d2-b6cb-2ce98a24509d\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14344; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"3cdeda3a-114b-455e-8c8b-224db4bf29c2"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3cdeda3a-114b-455e-8c8b-224db4bf29c2\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14342; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS vmappPropObj Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmappsdk.VmappPropObj"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmappsdk\.VmappPropObj\x22|\x27vmappsdk\.VmappPropObj\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.VmappPropObj\x22|\x27vmappsdk\.VmappPropObj\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14340; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS vmappPropObj Class ActiveX clsid access"; flow:to_client,established; file_data; content:"37592010-a488-45dd-bf6d-00cc1b6fc0ce"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*37592010-a488-45dd-bf6d-00cc1b6fc0ce\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14338; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMClientVMs Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VMClientVMs"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VMClientVMs\x22|\x27vmdbCOM\.VMClientVMs\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VMClientVMs\x22|\x27vmdbCOM\.VMClientVMs\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14336; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMClientVMs Class ActiveX clsid access"; flow:to_client,established; file_data; content:"315cb05d-691f-4208-af14-0fa2fbb2cad6"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*315cb05d-691f-4208-af14-0fa2fbb2cad6\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14334; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbContext Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VmdbContext"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VmdbContext\x22|\x27vmdbCOM\.VmdbContext\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbContext\x22|\x27vmdbCOM\.VmdbContext\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14332; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbContext Class ActiveX clsid access"; flow:to_client,established; file_data; content:"2e1c00eb-6468-40ae-94b3-2c8d80080f21"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2e1c00eb-6468-40ae-94b3-2c8d80080f21\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14330; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Database Tools Query Designer V7.0 ActiveX function call access"; flow:to_client,established; file_data; content:"MSVDTQueryDesigne"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MSVDTQueryDesigne\x22|\x27MSVDTQueryDesigne\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSVDTQueryDesigne\x22|\x27MSVDTQueryDesigne\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14328; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Database Tools Query Designer V7.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"2c10a98f-d64f-43b4-bed6-dd0e1bf2074c"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2c10a98f-d64f-43b4-bed6-dd0e1bf2074c\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14326; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS reconfig.SysImageUti ActiveX function call access"; flow:to_client,established; file_data; content:"reconfig.SysImageUti"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22reconfig\.SysImageUti\x22|\x27reconfig\.SysImageUti\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22reconfig\.SysImageUti\x22|\x27reconfig\.SysImageUti\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14324; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS reconfig.SysImageUti ActiveX clsid access"; flow:to_client,established; file_data; content:"27602AF3-CEFF-4962-BE29-6FB66BCB9297"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*27602AF3-CEFF-4962-BE29-6FB66BCB9297\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14322; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"271DC252-6FE1-4D59-9053-E4CF50AB99DE"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*271DC252-6FE1-4D59-9053-E4CF50AB99DE\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14320; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbExecuteError Class ActiveX function call access"; flow:to_client,established; file_data; content:"VmdbCOM.VmdbExecuteError"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VmdbCOM\.VmdbExecuteError\x22|\x27VmdbCOM\.VmdbExecuteError\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VmdbCOM\.VmdbExecuteError\x22|\x27VmdbCOM\.VmdbExecuteError\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14318; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbExecuteError Class ActiveX clsid access"; flow:to_client,established; file_data; content:"22ff5311-53a4-4335-a2d9-b75e5731bbab"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*22ff5311-53a4-4335-a2d9-b75e5731bbab\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14316; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare unspecified 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"1dd25558-dda3-476a-a81c-a07b62f33725"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1dd25558-dda3-476a-a81c-a07b62f33725\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14314; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbUpdate Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VmdbUpdate"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VmdbUpdate\x22|\x27vmdbCOM\.VmdbUpdate\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbUpdate\x22|\x27vmdbCOM\.VmdbUpdate\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14312; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VmdbUpdate Class ActiveX clsid access"; flow:to_client,established; file_data; content:"1c4387ae-2b23-4c45-8bc6-c1dfbddfb249"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1c4387ae-2b23-4c45-8bc6-c1dfbddfb249\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14310; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vmc2vmx.CoVPCConfiguration ActiveX function call access"; flow:to_client,established; file_data; content:"Vmc2vmx.CoVPCConfiguration"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmc2vmx\.CoVPCConfiguration\x22|\x27Vmc2vmx\.CoVPCConfiguration\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmc2vmx\.CoVPCConfiguration\x22|\x27Vmc2vmx\.CoVPCConfiguration\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14308; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vmc2vmx.CoVPCConfiguration ActiveX clsid access"; flow:to_client,established; file_data; content:"17376C4D-A75F-4535-82EB-FF80EE02E405"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*17376C4D-A75F-4535-82EB-FF80EE02E405\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14306; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMStatusbarCtl Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.VMStatusbarCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.VMStatusbarCtl\x22|\x27Vmappsdk\.VMStatusbarCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VMStatusbarCtl\x22|\x27Vmappsdk\.VMStatusbarCtl\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14304; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMStatusbarCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"164bdf7b-5c67-4daf-85a3-c6c927cb3d36"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*164bdf7b-5c67-4daf-85a3-c6c927cb3d36\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14302; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS TeamListViewWnd Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.TeamListViewWnd"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.TeamListViewWnd\x22|\x27Vmappsdk\.TeamListViewWnd\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.TeamListViewWnd\x22|\x27Vmappsdk\.TeamListViewWnd\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14300; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS TeamListViewWnd Class ActiveX clsid access"; flow:to_client,established; file_data; content:"13E86A0C-FE7D-4573-A41D-6B5B00CCFE22"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*13E86A0C-FE7D-4573-A41D-6B5B00CCFE22\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14298; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RemoteDirDlg Class ActiveX function call access"; flow:to_client,established; file_data; content:"Vmappsdk.RemoteDirDlg"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vmappsdk\.RemoteDirDlg\x22|\x27Vmappsdk\.RemoteDirDlg\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.RemoteDirDlg\x22|\x27Vmappsdk\.RemoteDirDlg\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14296; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RemoteDirDlg Class ActiveX clsid access"; flow:to_client,established; file_data; content:"0ce412d9-4520-4e5a-893d-88b3a8f29c97"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ce412d9-4520-4e5a-893d-88b3a8f29c97\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14294; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VhdCvtCom.DiskLibCreateParamObj ActiveX function call access"; flow:to_client,established; file_data; content:"VhdCvtCom.DiskLibCreateParamObj"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VhdCvtCom\.DiskLibCreateParamObj\x22|\x27VhdCvtCom\.DiskLibCreateParamObj\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VhdCvtCom\.DiskLibCreateParamObj\x22|\x27VhdCvtCom\.DiskLibCreateParamObj\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14292; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VhdCvtCom.DiskLibCreateParamObj ActiveX clsid access"; flow:to_client,established; file_data; content:"095DB814-94A0-4AD7-88C3-7DFBE688B12A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*095DB814-94A0-4AD7-88C3-7DFBE688B12A\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14290; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMClientHosts Class ActiveX function call access"; flow:to_client,established; file_data; content:"vmdbCOM.VMClientHosts"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22vmdbCOM\.VMClientHosts\x22|\x27vmdbCOM\.VMClientHosts\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VMClientHosts\x22|\x27vmdbCOM\.VMClientHosts\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14288; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMClientHosts Class ActiveX clsid access"; flow:to_client,established; file_data; content:"07051fd9-3e4e-4f79-b1ac-0a2f9338f806"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*07051fd9-3e4e-4f79-b1ac-0a2f9338f806\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14286; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IntraProcessLogging.Logger ActiveX function call access"; flow:to_client,established; file_data; content:"IntraProcessLogging.Logger"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22IntraProcessLogging\.Logger\x22|\x27IntraProcessLogging\.Logger\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IntraProcessLogging\.Logger\x22|\x27IntraProcessLogging\.Logger\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14284; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IntraProcessLogging.Logger ActiveX clsid access"; flow:to_client,established; file_data; content:"AF13B07E-28A1-4CAC-9C9A-EC582E354A24"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AF13B07E-28A1-4CAC-9C9A-EC582E354A24\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14282; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VieLib2.Vie2Process ActiveX function call access"; flow:to_client,established; file_data; content:"VieLib2.Vie2Process"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14280; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VieLib2.Vie2Process ActiveX clsid access"; flow:to_client,established; file_data; content:"7B9C5422-39AA-4c21-BEEF-645E42EB4529"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7B9C5422-39AA-4c21-BEEF-645E42EB4529\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14278; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vie2Lib.Vie2LinuxVolume ActiveX function call access"; flow:to_client,established; file_data; content:"Vie2Lib.Vie2LinuxVolume"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vie2Lib\.Vie2LinuxVolume\x22|\x27Vie2Lib\.Vie2LinuxVolume\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vie2Lib\.Vie2LinuxVolume\x22|\x27Vie2Lib\.Vie2LinuxVolume\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14276; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vie2Lib.Vie2LinuxVolume ActiveX clsid access"; flow:to_client,established; file_data; content:"1AF378DE-4574-4bb0-A5DF-F78FCAD28707"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1AF378DE-4574-4bb0-A5DF-F78FCAD28707\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14274; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VieLib2.Vie2Locator ActiveX function call access"; flow:to_client,established; file_data; content:"VieLib2.Vie2Locator"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VieLib2\.Vie2Locator\x22|\x27VieLib2\.Vie2Locator\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VieLib2\.Vie2Locator\x22|\x27VieLib2\.Vie2Locator\x27)\s*\)/Osmi"; metadata:service http; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14272; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VieLib2.Vie2Locator ActiveX clsid access"; flow:to_client,established; file_data; content:"0F748FDE-0597-443c-8596-71854C5EA20A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0F748FDE-0597-443c-8596-71854C5EA20A\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:service http; reference:bugtraq,30934; reference:cve,2007-4155; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14270; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Image Acquisition Logger ActiveX function call access"; flow:to_client,established; file_data; content:"WiaLog"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22WiaLog\x22|\x27WiaLog\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Save\s*|.*(?P=v)\s*\.\s*Save\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WiaLog\x22|\x27WiaLog\x27)\s*\)(\s*\.\s*Save\s*|.*(?P=n)\s*\.\s*Save\s*)\s*\(/Osmi"; metadata:service http; reference:bugtraq,31069; reference:cve,2008-3957; classtype:attempted-user; sid:14268; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Image Acquisition Logger ActiveX clsid access"; flow:to_client,established; file_data; content:"A1E75357-881A-419E-83E2-BB16DB197C68"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1E75357-881A-419E-83E2-BB16DB197C68\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Save)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1E75357-881A-419E-83E2-BB16DB197C68\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Save))\s*\(/Osi"; metadata:service http; reference:bugtraq,31069; reference:cve,2008-3957; classtype:attempted-user; sid:14266; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access"; flow:to_client,established; file_data; content:"WMEnc.WMEncProfileManager"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?WMEnc\.WMEncProfileManager/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,31065; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14257; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Eyeball MessengerSDK ActiveX function call access"; flow:to_client,established; file_data; content:"EyeballSdk.VideoWindowCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22EyeballSdk\.VideoWindowCtl\x22|\x27EyeballSdk\.VideoWindowCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*BgColor\s*|.*(?P=v)\s*\.\s*BgColor\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EyeballSdk\.VideoWindowCtl\x22|\x27EyeballSdk\.VideoWindowCtl\x27)\s*\)(\s*\.\s*BgColor\s*|.*(?P=n)\s*\.\s*BgColor\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,30424; reference:cve,2008-3430; classtype:attempted-user; sid:14249; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Eyeball MessengerSDK ActiveX clsid access"; flow:to_client,established; file_data; content:"CA06EE71-7348-44C4-9540-AAF0E6BD1515"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CA06EE71-7348-44C4-9540-AAF0E6BD1515\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(BgColor)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CA06EE71-7348-44C4-9540-AAF0E6BD1515\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(BgColor))\s*\(/si"; metadata:service http; reference:bugtraq,30424; reference:cve,2008-3430; classtype:attempted-user; sid:14247; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Najdi.si Toolbar ActiveX function call access"; flow:to_client,established; file_data; content:"Interseek.IEToolbar"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Interseek\.IEToolbar\x22|\x27Interseek\.IEToolbar\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Location\s*|.*(?P=v)\s*\.\s*Location\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Interseek\.IEToolbar\x22|\x27Interseek\.IEToolbar\x27)\s*\)(\s*\.\s*Location\s*|.*(?P=n)\s*\.\s*Location)\s*=/smi"; metadata:service http; reference:bugtraq,30922; reference:cve,2008-7103; classtype:attempted-user; sid:14245; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Najdi.si Toolbar ActiveX clsid access"; flow:to_client,established; file_data; content:"442599A9-EB41-4F1F-B999-737BC587F314"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*442599A9-EB41-4F1F-B999-737BC587F314\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Location)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*442599A9-EB41-4F1F-B999-737BC587F314\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Location))\s*=/si"; metadata:service http; reference:bugtraq,30922; reference:cve,2008-7103; classtype:attempted-user; sid:14243; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Friendly Technologies fwRemoteConfig ActiveX function call access"; flow:to_client,established; file_data; content:"FwRemoteCfg.RemoteCfg"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22FwRemoteCfg\.RemoteCfg\x22|\x27FwRemoteCfg\.RemoteCfg\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(RunApp|CreateURLShortcut)\s*|.*(?P=v)\s*\.\s*(RunApp|CreateURLShortcut)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22FwRemoteCfg\.RemoteCfg\x22|\x27FwRemoteCfg\.RemoteCfg\x27)\s*\)(\s*\.\s*(RunApp|CreateURLShortcut)\s*|.*(?P=n)\s*\.\s*(RunApp|CreateURLShortcut)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,30889; reference:bugtraq,30891; reference:cve,2008-4048; reference:cve,2008-4049; classtype:attempted-user; sid:14241; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Friendly Technologies fwRemoteConfig ActiveX clsid access"; flow:to_client,established; file_data; content:"F4A06697-C0E7-4BB6-8C3B-E01016A4408B"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4A06697-C0E7-4BB6-8C3B-E01016A4408B\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(RunApp|CreateURLShortcut)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4A06697-C0E7-4BB6-8C3B-E01016A4408B\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(RunApp|CreateURLShortcut))\s*\(/si"; metadata:service http; reference:bugtraq,30889; reference:bugtraq,30891; reference:cve,2008-4048; reference:cve,2008-4049; classtype:attempted-user; sid:14239; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Media Services ActiveX function call access"; flow:to_client,established; file_data; content:"NSIEMisc.NSIEMisc"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22NSIEMisc\.NSIEMisc\x22|\x27NSIEMisc\.NSIEMisc\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*CallHTMLHelp\s*|.*(?P=v)\s*\.\s*CallHTMLHelp\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NSIEMisc\.NSIEMisc\x22|\x27NSIEMisc\.NSIEMisc\x27)\s*\)(\s*\.\s*CallHTMLHelp\s*|.*(?P=n)\s*\.\s*CallHTMLHelp\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,30814; reference:cve,2008-5232; classtype:attempted-user; sid:14237; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Media Services CallHTMLHelp ActiveX buffer overflow attempt"; flow:to_client,established; file_data; content:"2646205B-878C-11D1-B07C-0000C040BCDB"; fast_pattern:only; content:"CallHTMLHelp"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,30814; reference:cve,2008-5232; reference:url,support.microsoft.com/kb/240797; classtype:attempted-user; sid:14235; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SoftArtisans XFile FileManager ActiveX function call access"; flow:to_client,established; file_data; content:"SoftArtisans.FileManager"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SoftArtisans\.FileManager\x22|\x27SoftArtisans\.FileManager\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(BuildPath|GetDriveName|DriveExists|DeleteFile)\s*|.*(?P=v)\s*\.\s*(BuildPath|GetDriveName|DriveExists|DeleteFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SoftArtisans\.FileManager\x22|\x27SoftArtisans\.FileManager\x27)\s*\)(\s*\.\s*(BuildPath|GetDriveName|DriveExists|DeleteFile)\s*|.*(?P=n)\s*\.\s*(BuildPath|GetDriveName|DriveExists|DeleteFile)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,30826; reference:cve,2007-1682; reference:url,support.softartisans.com/Support-114.aspx; classtype:attempted-user; sid:14233; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SoftArtisans XFile FileManager ActiveX clsid access"; flow:to_client,established; file_data; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(BuildPath|GetDriveName|DriveExists|DeleteFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(BuildPath|GetDriveName|DriveExists|DeleteFile))\s*\(/si"; metadata:service http; reference:bugtraq,30826; reference:cve,2007-1682; reference:url,support.softartisans.com/Support-114.aspx; classtype:attempted-user; sid:14231; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 71 ActiveX clsid access"; flow:to_client,established; file_data; content:"CC7DA087-B7F4-4829-B038-DA01DFB5D879"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CC7DA087-B7F4-4829-B038-DA01DFB5D879\s*}?\s*(?P=q137)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14228; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 70 ActiveX clsid access"; flow:to_client,established; file_data; content:"E4C97925-C194-4551-8831-EABBD0280885"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E4C97925-C194-4551-8831-EABBD0280885\s*}?\s*(?P=q135)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14226; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 69 ActiveX clsid access"; flow:to_client,established; file_data; content:"A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98\s*}?\s*(?P=q131)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14224; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 68 ActiveX clsid access"; flow:to_client,established; file_data; content:"E1A26BBF-26C0-401d-B82B-5C4CC67457E0"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E1A26BBF-26C0-401d-B82B-5C4CC67457E0\s*}?\s*(?P=q129)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14222; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 67 ActiveX clsid access"; flow:to_client,established; file_data; content:"6C095616-6064-43ca-9180-CF1B6B6A0BE4"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6C095616-6064-43ca-9180-CF1B6B6A0BE4\s*}?\s*(?P=q127)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14220; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 66 ActiveX clsid access"; flow:to_client,established; file_data; content:"9275A865-754B-4EDF-B828-FED0F8D344FC"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9275A865-754B-4EDF-B828-FED0F8D344FC\s*}?\s*(?P=q125)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14218; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 65 ActiveX clsid access"; flow:to_client,established; file_data; content:"652623DC-2BB4-4C1C-ADFB-57A218F1A5EE"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*652623DC-2BB4-4C1C-ADFB-57A218F1A5EE\s*}?\s*(?P=q123)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14216; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 64 ActiveX clsid access"; flow:to_client,established; file_data; content:"038F6F55-C9F0-4601-8740-98EF1CA9DF9A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*038F6F55-C9F0-4601-8740-98EF1CA9DF9A\s*}?\s*(?P=q121)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14214; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 63 ActiveX clsid access"; flow:to_client,established; file_data; content:"F6A7FF1B-9951-4CBE-B197-EA554D6DF40D"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F6A7FF1B-9951-4CBE-B197-EA554D6DF40D\s*}?\s*(?P=q119)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14212; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 62 ActiveX clsid access"; flow:to_client,established; file_data; content:"692898BE-C7CC-4CB3-A45C-66508B7E2C33"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*692898BE-C7CC-4CB3-A45C-66508B7E2C33\s*}?\s*(?P=q117)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14210; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 61 ActiveX clsid access"; flow:to_client,established; file_data; content:"974E1D88-BADF-4C80-8594-A59039C992EA"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*974E1D88-BADF-4C80-8594-A59039C992EA\s*}?\s*(?P=q115)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14208; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 60 ActiveX clsid access"; flow:to_client,established; file_data; content:"4614C49A-0B7D-4E0D-A877-38CCCFE7D589"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4614C49A-0B7D-4E0D-A877-38CCCFE7D589\s*}?\s*(?P=q113)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14206; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 59 ActiveX clsid access"; flow:to_client,established; file_data; content:"AA13BD85-7EC0-4CC8-9958-1BB2AA32FD0B"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA13BD85-7EC0-4CC8-9958-1BB2AA32FD0B\s*}?\s*(?P=q109)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14204; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 58 ActiveX clsid access"; flow:to_client,established; file_data; content:"285CAE3C-F16A-4A84-9A80-FF23D6E56D68"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*285CAE3C-F16A-4A84-9A80-FF23D6E56D68\s*}?\s*(?P=q107)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14202; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 57 ActiveX clsid access"; flow:to_client,established; file_data; content:"833E62AD-1655-499F-908E-62DCA1EB2EC6"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*833E62AD-1655-499F-908E-62DCA1EB2EC6\s*}?\s*(?P=q105)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14200; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 56 ActiveX clsid access"; flow:to_client,established; file_data; content:"93C5524B-97AE-491E-8EB7-2A3AD964F926"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*93C5524B-97AE-491E-8EB7-2A3AD964F926\s*}?\s*(?P=q103)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14198; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 55 ActiveX clsid access"; flow:to_client,established; file_data; content:"73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A\s*}?\s*(?P=q101)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14196; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 54 ActiveX clsid access"; flow:to_client,established; file_data; content:"A3796166-A03C-418A-AF3A-060115D4E478"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A3796166-A03C-418A-AF3A-060115D4E478\s*}?\s*(?P=q99)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14194; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 53 ActiveX clsid access"; flow:to_client,established; file_data; content:"E6127E3B-8D17-4BEA-A039-8BB9D0D105A2"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6127E3B-8D17-4BEA-A039-8BB9D0D105A2\s*}?\s*(?P=q97)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14192; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 52 ActiveX clsid access"; flow:to_client,established; file_data; content:"8C7A23D9-2A9B-4AEA-BA91-3003A316B44D"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8C7A23D9-2A9B-4AEA-BA91-3003A316B44D\s*}?\s*(?P=q95)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14190; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 51 ActiveX clsid access"; flow:to_client,established; file_data; content:"F399F5B6-3C63-4674-B0FF-E94328B1947D"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F399F5B6-3C63-4674-B0FF-E94328B1947D\s*}?\s*(?P=q93)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14188; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 50 ActiveX clsid access"; flow:to_client,established; file_data; content:"0B9C0C26-728C-4FDA-B8DD-59806E20E4D9"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0B9C0C26-728C-4FDA-B8DD-59806E20E4D9\s*}?\s*(?P=q91)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14186; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 49 ActiveX clsid access"; flow:to_client,established; file_data; content:"7A12547F-B772-4F2D-BE36-CE5D0FA886A1"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7A12547F-B772-4F2D-BE36-CE5D0FA886A1\s*}?\s*(?P=q87)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14184; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 48 ActiveX clsid access"; flow:to_client,established; file_data; content:"497EE41C-CE06-4DD4-8308-6C730713C646"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*497EE41C-CE06-4DD4-8308-6C730713C646\s*}?\s*(?P=q85)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14182; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 47 ActiveX clsid access"; flow:to_client,established; file_data; content:"00D46195-B634-4C41-B53B-5093527FB791"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00D46195-B634-4C41-B53B-5093527FB791\s*}?\s*(?P=q83)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14180; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 46 ActiveX clsid access"; flow:to_client,established; file_data; content:"66E07EF9-4E89-4284-9632-6D6904B77732"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*66E07EF9-4E89-4284-9632-6D6904B77732\s*}?\s*(?P=q81)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14178; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 45 ActiveX clsid access"; flow:to_client,established; file_data; content:"2875E7A5-EE3C-4FE7-A23E-DE0529D12028"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2875E7A5-EE3C-4FE7-A23E-DE0529D12028\s*}?\s*(?P=q79)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14176; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 44 ActiveX clsid access"; flow:to_client,established; file_data; content:"C86EE68A-9C77-4441-BD35-14CC6CC4A189"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C86EE68A-9C77-4441-BD35-14CC6CC4A189\s*}?\s*(?P=q77)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14174; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 43 ActiveX clsid access"; flow:to_client,established; file_data; content:"6981B978-70D9-40B9-B00E-903B6FC8CA8A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6981B978-70D9-40B9-B00E-903B6FC8CA8A\s*}?\s*(?P=q75)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14172; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 42 ActiveX clsid access"; flow:to_client,established; file_data; content:"A233E654-53FF-43AA-B1E2-60DA2E89A1EC"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A233E654-53FF-43AA-B1E2-60DA2E89A1EC\s*}?\s*(?P=q73)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14170; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 41 ActiveX clsid access"; flow:to_client,established; file_data; content:"CB05A177-1069-4A7A-AB0A-5E6E00DCDB76"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CB05A177-1069-4A7A-AB0A-5E6E00DCDB76\s*}?\s*(?P=q71)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14168; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 40 ActiveX clsid access"; flow:to_client,established; file_data; content:"B95B52E9-B839-4412-96EB-4DABAB2E4E24"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B95B52E9-B839-4412-96EB-4DABAB2E4E24\s*}?\s*(?P=q69)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14166; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 39 ActiveX clsid access"; flow:to_client,established; file_data; content:"926618A9-4035-4CD6-8240-64C58EB37B07"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*926618A9-4035-4CD6-8240-64C58EB37B07\s*}?\s*(?P=q65)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14164; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 38 ActiveX clsid access"; flow:to_client,established; file_data; content:"B26E6120-DD35-4BEA-B1E3-E75F546EBF2A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B26E6120-DD35-4BEA-B1E3-E75F546EBF2A\s*}?\s*(?P=q63)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14162; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 37 ActiveX clsid access"; flow:to_client,established; file_data; content:"47AF06DD-8E1B-4CA4-8F55-6B1E9FF36ACB"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*47AF06DD-8E1B-4CA4-8F55-6B1E9FF36ACB\s*}?\s*(?P=q61)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14160; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 36 ActiveX clsid access"; flow:to_client,established; file_data; content:"947F2947-2296-42FE-92E6-E2E03519B895"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*947F2947-2296-42FE-92E6-E2E03519B895\s*}?\s*(?P=q59)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14158; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 35 ActiveX clsid access"; flow:to_client,established; file_data; content:"3D6A1A85-DE54-4768-9951-053B3B02B9B0"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3D6A1A85-DE54-4768-9951-053B3B02B9B0\s*}?\s*(?P=q57)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14156; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 34 ActiveX clsid access"; flow:to_client,established; file_data; content:"B0A08D67-9464-4E73-A549-2CC208AC60D3"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B0A08D67-9464-4E73-A549-2CC208AC60D3\s*}?\s*(?P=q55)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14154; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 33 ActiveX clsid access"; flow:to_client,established; file_data; content:"A7866636-ED52-4722-82A9-6BAABEFDBF96"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A7866636-ED52-4722-82A9-6BAABEFDBF96\s*}?\s*(?P=q53)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14152; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 32 ActiveX clsid access"; flow:to_client,established; file_data; content:"6CA73E8B-B584-4533-A405-3D6F9C012B56"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6CA73E8B-B584-4533-A405-3D6F9C012B56\s*}?\s*(?P=q51)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14150; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 31 ActiveX clsid access"; flow:to_client,established; file_data; content:"D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6\s*}?\s*(?P=q49)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14148; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 30 ActiveX clsid access"; flow:to_client,established; file_data; content:"8DBC7A04-B478-41D5-BE05-5545D565B59C"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8DBC7A04-B478-41D5-BE05-5545D565B59C\s*}?\s*(?P=q47)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14146; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 29 ActiveX clsid access"; flow:to_client,established; file_data; content:"68BBCA71-E1F6-47B2-87D3-369E1349D990"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68BBCA71-E1F6-47B2-87D3-369E1349D990\s*}?\s*(?P=q43)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14144; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 28 ActiveX clsid access"; flow:to_client,established; file_data; content:"8CC18E3F-4E2B-4D27-840E-CB2F99A3A003"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8CC18E3F-4E2B-4D27-840E-CB2F99A3A003\s*}?\s*(?P=q41)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14142; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 27 ActiveX clsid access"; flow:to_client,established; file_data; content:"86C2B477-5382-4A09-8CA3-E63B1158A377"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*86C2B477-5382-4A09-8CA3-E63B1158A377\s*}?\s*(?P=q39)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14140; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 26 ActiveX clsid access"; flow:to_client,established; file_data; content:"FC28B75F-F9F6-4C92-AF91-14A3A51C49FB"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC28B75F-F9F6-4C92-AF91-14A3A51C49FB\s*}?\s*(?P=q37)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14138; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 25 ActiveX clsid access"; flow:to_client,established; file_data; content:"0270E604-387F-48ED-BB6D-AA51F51D6FC3"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0270E604-387F-48ED-BB6D-AA51F51D6FC3\s*}?\s*(?P=q35)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14136; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 24 ActiveX clsid access"; flow:to_client,established; file_data; content:"2C2DE2E6-2AD1-4301-A6A7-DF364858EF01"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2C2DE2E6-2AD1-4301-A6A7-DF364858EF01\s*}?\s*(?P=q33)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14134; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 23 ActiveX clsid access"; flow:to_client,established; file_data; content:"B85537E9-2D9C-400A-BC92-B04F4D9FF17D"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B85537E9-2D9C-400A-BC92-B04F4D9FF17D\s*}?\s*(?P=q31)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14132; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 22 ActiveX clsid access"; flow:to_client,established; file_data; content:"1E0D3332-7441-44FF-A225-AF48E977D8B6"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1E0D3332-7441-44FF-A225-AF48E977D8B6\s*}?\s*(?P=q29)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14130; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 21 ActiveX clsid access"; flow:to_client,established; file_data; content:"977315A5-C0DB-4EFD-89C2-10AA86CA39A5"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*977315A5-C0DB-4EFD-89C2-10AA86CA39A5\s*}?\s*(?P=q27)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14128; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 20 ActiveX clsid access"; flow:to_client,established; file_data; content:"05CDEE1D-D109-4992-B72B-6D4F5E2AB731"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*05CDEE1D-D109-4992-B72B-6D4F5E2AB731\s*}?\s*(?P=q25)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14126; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 19 ActiveX clsid access"; flow:to_client,established; file_data; content:"9BAFC7B3-F318-4BD4-BABB-6E403272615A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9BAFC7B3-F318-4BD4-BABB-6E403272615A\s*}?\s*(?P=q21)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14124; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 18 ActiveX clsid access"; flow:to_client,established; file_data; content:"7EB2A2EC-1C3A-4946-9614-86D3A10EDBF3"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7EB2A2EC-1C3A-4946-9614-86D3A10EDBF3\s*}?\s*(?P=q19)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14122; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 17 ActiveX clsid access"; flow:to_client,established; file_data; content:"65FB3073-CA8E-42A1-9A9A-2F826D05A843"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*65FB3073-CA8E-42A1-9A9A-2F826D05A843\s*}?\s*(?P=q17)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14120; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 16 ActiveX clsid access"; flow:to_client,established; file_data; content:"3604EC19-E009-4DCB-ABC5-BB95BF92FD8B"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3604EC19-E009-4DCB-ABC5-BB95BF92FD8B\s*}?\s*(?P=q15)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14118; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 15 ActiveX clsid access"; flow:to_client,established; file_data; content:"FA8932FF-E064-4378-901C-69CB94E3A20A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FA8932FF-E064-4378-901C-69CB94E3A20A\s*}?\s*(?P=q13)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14116; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 14 ActiveX clsid access"; flow:to_client,established; file_data; content:"AE6C4705-0F11-4ACB-BDD4-37F138BEF289"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AE6C4705-0F11-4ACB-BDD4-37F138BEF289\s*}?\s*(?P=q11)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14114; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 13 ActiveX clsid access"; flow:to_client,established; file_data; content:"AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4\s*}?\s*(?P=q9)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14112; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 12 ActiveX clsid access"; flow:to_client,established; file_data; content:"916063A5-0098-4FB7-8717-1B2C62DD4E45"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*916063A5-0098-4FB7-8717-1B2C62DD4E45\s*}?\s*(?P=q7)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14110; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 11 ActiveX clsid access"; flow:to_client,established; file_data; content:"905BF7D7-6BC1-445A-BE53-9478AC096BEB"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*905BF7D7-6BC1-445A-BE53-9478AC096BEB\s*}?\s*(?P=q5)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14108; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 10 ActiveX clsid access"; flow:to_client,established; file_data; content:"F1F51698-7B63-4394-8743-1F4CF1853DE1"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F1F51698-7B63-4394-8743-1F4CF1853DE1\s*}?\s*(?P=q3)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14106; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"CF08D263-B832-42DB-8950-F40C9E672E27"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CF08D263-B832-42DB-8950-F40C9E672E27\s*}?\s*(?P=q141)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14104; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 8 ActiveX clsid access"; flow:to_client,established; file_data; content:"108092BF-B7DB-40D1-B7FB-F55922FCC9BE"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*108092BF-B7DB-40D1-B7FB-F55922FCC9BE\s*}?\s*(?P=q139)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14102; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 7 ActiveX clsid access"; flow:to_client,established; file_data; content:"41473CFB-66B6-45B8-8FB3-2BC9C1FD87BA"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*41473CFB-66B6-45B8-8FB3-2BC9C1FD87BA\s*}?\s*(?P=q133)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14100; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 6 ActiveX clsid access"; flow:to_client,established; file_data; content:"69C462E1-CD41-49E3-9EC2-D305155718C1"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*69C462E1-CD41-49E3-9EC2-D305155718C1\s*}?\s*(?P=q111)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14098; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 5 ActiveX clsid access"; flow:to_client,established; file_data; content:"101D2283-EED9-4BA2-8F3F-23DB860946EB"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*101D2283-EED9-4BA2-8F3F-23DB860946EB\s*}?\s*(?P=q89)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14096; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 4 ActiveX clsid access"; flow:to_client,established; file_data; content:"F89EF74A-956B-4BD3-A066-4F23DF891982"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F89EF74A-956B-4BD3-A066-4F23DF891982\s*}?\s*(?P=q67)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14094; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"76EE578D-314B-4755-8365-6E1722C001A2"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*76EE578D-314B-4755-8365-6E1722C001A2\s*}?\s*(?P=q45)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14092; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"44A6A9CA-AC5B-4C39-8FE6-17E7D06903A9"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*44A6A9CA-AC5B-4C39-8FE6-17E7D06903A9\s*}?\s*(?P=q23)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14090; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"B60770C2-0390-41A8-A8DE-61889888D840"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B60770C2-0390-41A8-A8DE-61889888D840\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14088; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Stream Handler ActiveX function call access"; flow:to_client,established; file_data; content:"rmocx.RealPlayer Stream Handler"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*Stream\s*Handler\x22|\x27rmocx\.RealPlayer\s*Stream\s*Handler\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*Stream\s*Handler\x22|\x27rmocx\.RealPlayer\s*Stream\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14052; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer SMIL Download Handler ActiveX function call access"; flow:to_client,established; file_data; content:"rmocx.RealPlayer SMIL Download Handler"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*SMIL\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*SMIL\s*Download\s*Handler\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*SMIL\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*SMIL\s*Download\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14050; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RNX Download Handler ActiveX function call access"; flow:to_client,established; file_data; content:"rmocx.RealPlayer RNX Download Handler"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*RNX\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RNX\s*Download\s*Handler\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*RNX\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RNX\s*Download\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14048; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMP Download Handler ActiveX function call access"; flow:to_client,established; file_data; content:"rmocx.RealPlayer RMP Download Handler"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*RMP\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RMP\s*Download\s*Handler\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*RMP\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RMP\s*Download\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14046; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Playback Handler ActiveX function call access"; flow:to_client,established; file_data; content:"rmocx.RealPlayer Playback Handler"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*Playback\s*Handler\x22|\x27rmocx\.RealPlayer\s*Playback\s*Handler\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*Playback\s*Handler\x22|\x27rmocx\.RealPlayer\s*Playback\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14044; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer General Property Page ActiveX clsid access"; flow:to_client,established; file_data; content:"CFCDA953-8BE4-11CF-B84B-0020AFBBCCFA"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDA953-8BE4-11CF-B84B-0020AFBBCCFA\s*}?\s*(?P=q6)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14042; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Computer Associates gui_cm_ctrls ActiveX function call access"; flow:to_client,established; file_data; content:"CommonActiveX.ITRMLegendsCtrl.1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22CommonActiveX\.ITRMLegendsCtrl\.1\x22|\x27CommonActiveX\.ITRMLegendsCtrl\.1\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetColumnColor\s*|.*(?P=v)\s*\.\s*SetColumnColor\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CommonActiveX\.ITRMLegendsCtrl\.1\x22|\x27CommonActiveX\.ITRMLegendsCtrl\.1\x27)\s*\)(\s*\.\s*SetColumnColor\s*|.*(?P=n)\s*\.\s*SetColumnColor\s*)\s*\(/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-1786; classtype:attempted-user; sid:14031; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Computer Associates gui_cm_ctrls ActiveX clsid access"; flow:to_client,established; file_data; content:"E6239EB3-E0B0-46DA-A215-CFA9B3B740C5"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetColumnColor)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetColumnColor))\s*\(/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-1786; classtype:attempted-user; sid:14029; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CA DSM gui_cm_ctrls ActiveX function call access"; flow:to_client,established; file_data; content:"CommonActiveX.ITRMLegendsCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22CommonActiveX\.ITRMLegendsCtrl\x22|\x27CommonActiveX\.ITRMLegendsCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SetColumnColor|SetColumnLabel)\s*|.*(?P=v)\s*\.\s*(SetColumnColor|SetColumnLabel)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CommonActiveX\.ITRMLegendsCtrl\x22|\x27CommonActiveX\.ITRMLegendsCtrl\x27)\s*\)(\s*\.\s*(SetColumnColor|SetColumnLabel)\s*|.*(?P=n)\s*\.\s*(SetColumnColor|SetColumnLabel)\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28809; reference:cve,2008-1786; classtype:attempted-user; sid:14027; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX function call access"; flow:to_client,established; file_data; content:"MSMask.MaskEdBox"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?MSMask\.MaskEdBox/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30674; reference:cve,2008-3704; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:14023; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Message System ActiveX function call access"; flow:to_client,established; file_data; content:"Messenger.UIAutomation"; pcre:"/(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\x22|x27Messenger\x2eUIAutomation.*?(?P=var)\x2eMySigninName/"; metadata:service http; reference:cve,2008-0082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-050; classtype:attempted-user; sid:13967; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Message System ActiveX clsid access"; flow:to_client,established; file_data; content:"B69003B3-C55E-4b48-836C-BC5946FC3B28"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B69003B3-C55E-4b48-836C-BC5946FC3B28\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:cve,2008-0082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-050; classtype:attempted-user; sid:13965; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:13907; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:13903; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UUSee UUUpgrade ActiveX function call access"; flow:to_client,established; file_data; content:"UUUPGRADE.UUUpgradeCtrl.1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22UUUPGRADE\.UUUpgradeCtrl\.1\x22|\x27UUUPGRADE\.UUUpgradeCtrl\.1\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Update\s*|.*(?P=v)\s*\.\s*Update\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22UUUPGRADE\.UUUpgradeCtrl\.1\x22|\x27UUUPGRADE\.UUUpgradeCtrl\.1\x27)\s*\)(\s*\.\s*Update\s*|.*(?P=n)\s*\.\s*Update\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,29963; reference:cve,2008-7168; classtype:attempted-user; sid:13885; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UUSee UUUpgrade ActiveX clsid access"; flow:to_client,established; file_data; content:"2CACD7BB-1C59-4BBB-8E81-6E83F82C813B"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2CACD7BB-1C59-4BBB-8E81-6E83F82C813B\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Update)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2CACD7BB-1C59-4BBB-8E81-6E83F82C813B\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Update))\s*\(/si"; metadata:service http; reference:bugtraq,29963; reference:cve,2008-7168; classtype:attempted-user; sid:13883; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Instant Support DataManager ActiveX function call access"; flow:to_client,established; file_data; content:"HPISDataManagerLib.Datamgr"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22HPISDataManagerLib\.Datamgr\x22|\x27HPISDataManagerLib\.Datamgr\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile)\s*|.*(?P=v)\s*\.\s*(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HPISDataManagerLib\.Datamgr\x22|\x27HPISDataManagerLib\.Datamgr\x27)\s*\)(\s*\.\s*(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile)\s*|.*(?P=n)\s*\.\s*(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,29530; reference:bugtraq,29531; reference:bugtraq,29532; reference:bugtraq,29533; reference:bugtraq,29534; reference:bugtraq,29535; reference:bugtraq,29536; reference:cve,2007-5605; reference:cve,2007-5606; reference:cve,2007-5607; reference:cve,2007-5608; reference:cve,2007-5610; reference:cve,2008-0952; reference:cve,2008-0953; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13859; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Instant Support DataManager ActiveX clsid access"; flow:to_client,established; file_data; content:"14C1B87C-3342-445F-9B5E-365FF330A3AC"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*14C1B87C-3342-445F-9B5E-365FF330A3AC\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*14C1B87C-3342-445F-9B5E-365FF330A3AC\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile))\s*\(/si"; metadata:service http; reference:bugtraq,29530; reference:bugtraq,29531; reference:bugtraq,29532; reference:bugtraq,29533; reference:bugtraq,29534; reference:bugtraq,29535; reference:bugtraq,29536; reference:cve,2007-5605; reference:cve,2007-5606; reference:cve,2007-5607; reference:cve,2007-5608; reference:cve,2007-5610; reference:cve,2008-0952; reference:cve,2008-0953; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13857; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer backweb ActiveX clsid access"; flow:to_client,established; file_data; content:"40F23EB7-B397-4285-8F3C-AACE4FA40309"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*40F23EB7-B397-4285-8F3C-AACE4FA40309\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:cve,2007-0675; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-032; classtype:attempted-user; sid:13832; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"3bee4890-4fe9-4a37-8c1e-5e7e12791c1f"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0675; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-032; classtype:attempted-user; sid:13830; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"47206204-5eca-11d2-960f-00c04f8ee628"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0675; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-032; classtype:attempted-user; sid:13828; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ourgame GLWorld ActiveX function call access"; flow:to_client,established; file_data; content:"HanGamePluginCn18.HanGamePluginCn18"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22HanGamePluginCn18\.HanGamePluginCn18\x22|\x27HanGamePluginCn18\.HanGamePluginCn18\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(hgs_startGame|hgs_startNotify)\s*|.*(?P=v)\s*\.\s*(hgs_startGame|hgs_startNotify)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HanGamePluginCn18\.HanGamePluginCn18\x22|\x27HanGamePluginCn18\.HanGamePluginCn18\x27)\s*\)(\s*\.\s*(hgs_startGame|hgs_startNotify)\s*|.*(?P=n)\s*\.\s*(hgs_startGame|hgs_startNotify)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,27626; reference:cve,2008-0647; classtype:attempted-user; sid:13787; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ourgame GLWorld ActiveX clsid access"; flow:to_client,established; file_data; content:"61F5C358-60FB-4A23-A312-D2B556620F20"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*61F5C358-60FB-4A23-A312-D2B556620F20\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(hgs_startGame|hgs_startNotify)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*61F5C358-60FB-4A23-A312-D2B556620F20\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(hgs_startGame|hgs_startNotify))\s*\(/si"; metadata:service http; reference:bugtraq,27626; reference:cve,2008-0647; classtype:attempted-user; sid:13785; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Assistant ActiveX clsid access"; flow:to_client,established; file_data; content:"2283BB66-A15D-4AC8-BA72-9C8C9F5A1691"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2283BB66-A15D-4AC8-BA72-9C8C9F5A1691\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,29065; reference:cve,2008-2111; classtype:attempted-user; sid:13783; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft HeartbeatCtl ActiveX function call access"; flow:to_client,established; file_data; content:"HeartbeatCtl.HeartbeatCt"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22HeartbeatCtl\.HeartbeatCt\x22|\x27HeartbeatCtl\.HeartbeatCt\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HeartbeatCtl\.HeartbeatCt\x22|\x27HeartbeatCtl\.HeartbeatCt\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,28882; reference:cve,2007-6255; classtype:attempted-user; sid:13760; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft HeartbeatCtl ActiveX clsid access"; flow:to_client,established; file_data; content:"E5D419D6-A846-4514-9FAD-97E826C84822"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E5D419D6-A846-4514-9FAD-97E826C84822\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,28882; reference:cve,2007-6255; classtype:attempted-user; sid:13758; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 21 ActiveX clsid access"; flow:to_client,established; file_data; content:"E12DA4F2-BDFB-4EAD-B12F-2725251FA6B0"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E12DA4F2-BDFB-4EAD-B12F-2725251FA6B0\s*}?\s*(?P=q29)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13756; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 20 ActiveX clsid access"; flow:to_client,established; file_data; content:"DE233AFF-8BD5-457E-B7F0-702DBEA5A828"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DE233AFF-8BD5-457E-B7F0-702DBEA5A828\s*}?\s*(?P=q27)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13754; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 19 ActiveX clsid access"; flow:to_client,established; file_data; content:"DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772\s*}?\s*(?P=q22)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13752; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 18 ActiveX clsid access"; flow:to_client,established; file_data; content:"CF6866F9-B67C-4B24-9957-F91E91E788DC"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CF6866F9-B67C-4B24-9957-F91E91E788DC\s*}?\s*(?P=q20)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13750; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 17 ActiveX clsid access"; flow:to_client,established; file_data; content:"C94188F6-0F9F-46B3-8B78-D71907BD8B77"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C94188F6-0F9F-46B3-8B78-D71907BD8B77\s*}?\s*(?P=q18)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13748; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 16 ActiveX clsid access"; flow:to_client,established; file_data; content:"C70D0641-DDE1-4FD7-A4D4-DA187B80741D"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C70D0641-DDE1-4FD7-A4D4-DA187B80741D\s*}?\s*(?P=q16)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13746; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 15 ActiveX clsid access"; flow:to_client,established; file_data; content:"BF931895-AF82-467A-8819-917C6EE2D1F3"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BF931895-AF82-467A-8819-917C6EE2D1F3\s*}?\s*(?P=q14)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13744; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 14 ActiveX clsid access"; flow:to_client,established; file_data; content:"B9C13CD0-5A97-4C6B-8A50-7638020E2462"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B9C13CD0-5A97-4C6B-8A50-7638020E2462\s*}?\s*(?P=q12)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13742; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 13 ActiveX clsid access"; flow:to_client,established; file_data; content:"AB237044-8A3B-42BB-9EE1-9BFA6721D9ED"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AB237044-8A3B-42BB-9EE1-9BFA6721D9ED\s*}?\s*(?P=q10)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13740; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 12 ActiveX clsid access"; flow:to_client,established; file_data; content:"AB049B11-607B-46C8-BBF7-F4D6AF301046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AB049B11-607B-46C8-BBF7-F4D6AF301046\s*}?\s*(?P=q8)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13738; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 11 ActiveX clsid access"; flow:to_client,established; file_data; content:"A95845D8-8463-4605-B5FB-4F8CFBAC5C47"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A95845D8-8463-4605-B5FB-4F8CFBAC5C47\s*}?\s*(?P=q6)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13736; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"910E7ADE-7F75-402D-A4A6-BB1A82362FCA"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*910E7ADE-7F75-402D-A4A6-BB1A82362FCA\s*}?\s*(?P=q43)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13732; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 8 ActiveX clsid access"; flow:to_client,established; file_data; content:"784F2933-6BDD-4E5F-B1BA-A8D99B603649"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*784F2933-6BDD-4E5F-B1BA-A8D99B603649\s*}?\s*(?P=q41)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13730; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 7 ActiveX clsid access"; flow:to_client,established; file_data; content:"6470DE80-1635-4B5D-93A3-3701CE148A79"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6470DE80-1635-4B5D-93A3-3701CE148A79\s*}?\s*(?P=q39)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13728; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 6 ActiveX clsid access"; flow:to_client,established; file_data; content:"60178279-6D62-43af-A336-77925651A4C6"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*60178279-6D62-43af-A336-77925651A4C6\s*}?\s*(?P=q37)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13726; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 5 ActiveX clsid access"; flow:to_client,established; file_data; content:"4774922A-8983-4ECC-94FD-7235F06F53A1"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4774922A-8983-4ECC-94FD-7235F06F53A1\s*}?\s*(?P=q35)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13724; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 4 ActiveX clsid access"; flow:to_client,established; file_data; content:"42C68651-1700-4750-A81F-A1F5110E0F66"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42C68651-1700-4750-A81F-A1F5110E0F66\s*}?\s*(?P=q33)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13722; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"17E67D4A-23A1-40D8-A049-EE34C0AF756A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*17E67D4A-23A1-40D8-A049-EE34C0AF756A\s*}?\s*(?P=q31)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13720; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CA DSM gui_cm_ctrls ActiveX clsid access"; flow:to_client,established; file_data; content:"E6239EB3-E0B0-46DA-A215-CFA9B3B740C5"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetColumnColor|SetColumnLabel)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetColumnColor|SetColumnLabel))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28809; reference:cve,2008-1786; classtype:attempted-user; sid:13699; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Chilkat HTTP 2 ActiveX function call access"; flow:to_client,established; file_data; content:"CHILKATHTTPLib.ChilkatHttpRequest"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22CHILKATHTTPLib\.ChilkatHttpRequest\x22|\x27CHILKATHTTPLib\.ChilkatHttpRequest\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveLastError\s*|.*(?P=v)\s*\.\s*SaveLastError\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CHILKATHTTPLib\.ChilkatHttpRequest\x22|\x27CHILKATHTTPLib\.ChilkatHttpRequest\x27)\s*\)(\s*\.\s*SaveLastError\s*|.*(?P=n)\s*\.\s*SaveLastError\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,28546; reference:cve,2008-1647; classtype:attempted-user; sid:13691; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Chilkat HTTP 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"B973393F-27C7-4781-877D-8626AAEDF119"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B973393F-27C7-4781-877D-8626AAEDF119\s*}?\s*(?P=q14)(\s|>).*(?P=id1)\s*\.\s*(SaveLastError)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B973393F-27C7-4781-877D-8626AAEDF119\s*}?\s*(?P=q15)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\.(SaveLastError))\s*\(/si"; metadata:service http; reference:bugtraq,28546; reference:cve,2008-1647; classtype:attempted-user; sid:13689; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Chilkat HTTP 1 ActiveX function call access"; flow:to_client,established; file_data; content:"CHILKATHTTPLib.ChilkatHttp"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22CHILKATHTTPLib\.ChilkatHttp\x22|\x27CHILKATHTTPLib\.ChilkatHttp\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveLastError\s*|.*(?P=v)\s*\.\s*SaveLastError\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CHILKATHTTPLib\.ChilkatHttp\x22|\x27CHILKATHTTPLib\.ChilkatHttp\x27)\s*\)(\s*\.\s*SaveLastError\s*|.*(?P=n)\s*\.\s*SaveLastError\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,28546; reference:cve,2008-1647; classtype:attempted-user; sid:13687; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Chilkat HTTP 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"39E861BD-E606-4733-8C79-FADDFD61DC8A"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*39E861BD-E606-4733-8C79-FADDFD61DC8A\s*}?\s*(?P=q9)(\s|>).*(?P=id1)\s*\.\s*(SaveLastError)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*39E861BD-E606-4733-8C79-FADDFD61DC8A\s*}?\s*(?P=q10)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(SaveLastError))\s*\(/si"; metadata:service http; reference:bugtraq,28546; reference:cve,2008-1647; classtype:attempted-user; sid:13685; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CDNetworks Nefficient Download ActiveX function call access"; flow:to_client,established; file_data; content:"NeffyLauncher.NeffyLauncherCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22NeffyLauncher\.NeffyLauncherCtl\x22|\x27NeffyLauncher\.NeffyLauncherCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(HttpSkin|SkinPath)\s*|.*(?P=v)\s*\.\s*(HttpSkin|SkinPath)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NeffyLauncher\.NeffyLauncherCtl\x22|\x27NeffyLauncher\.NeffyLauncherCtl\x27)\s*\)(\s*\.\s*(HttpSkin|SkinPath)\s*|.*(?P=n)\s*\.\s*(HttpSkin|SkinPath))\s*=/smi"; metadata:service http; reference:bugtraq,28666; reference:cve,2008-1885; reference:cve,2008-1886; classtype:attempted-user; sid:13683; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CDNetworks Nefficient Download ActiveX clsid access"; flow:to_client,established; file_data; content:"AA07EBD2-EBDD-4BD6-9F8F-114BD513492C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA07EBD2-EBDD-4BD6-9F8F-114BD513492C\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(HttpSkin|SkinPath)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA07EBD2-EBDD-4BD6-9F8F-114BD513492C\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(HttpSkin|SkinPath))\s*=/si"; metadata:service http; reference:bugtraq,28666; reference:cve,2008-1885; reference:cve,2008-1886; classtype:attempted-user; sid:13681; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBiz EBanking Integrator ActiveX clsid access"; flow:established,to_client; file_data; content:"24445430-F789-11CE-86F8-0020AFD8C6DB"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24445430-F789-11CE-86F8-0020AFD8C6DB\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*WriteOFXDataFile|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24445430-F789-11CE-86F8-0020AFD8C6DB\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.WriteOFXDataFile)/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,28700; reference:cve,2008-1725; classtype:attempted-user; sid:13679; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxIndexCtrl"; pcre:"/(?P\w+)\s*=\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13674; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxTocCtrl"; pcre:"/(?P\w+)\s*=\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13670; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX clsid access"; flow:to_client,established; file_data; content:"314111b8-a502-11d2-bbca-00c04f8ec294"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111b8-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13668; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VeralSoft HTTP File Upload ActiveX clsid access"; flow:to_client,established; file_data; content:"04FD48E6-0712-4937-B09E-F3D285B11D82"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*04FD48E6-0712-4937-B09E-F3D285B11D82\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*RemoveFileOrDir|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*04FD48E6-0712-4937-B09E-F3D285B11D82\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.RemoveFileOrDir)\s*\(/si"; metadata:service http; reference:bugtraq,28301; reference:cve,2008-6638; classtype:attempted-user; sid:13661; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BusinessObjects RptViewerAx ActiveX function call access"; flow:to_client,established; file_data; content:"BusinessObjects.RptViewerAX"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22BusinessObjects\.RptViewerAX\x22|\x27BusinessObjects\.RptViewerAX\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BusinessObjects\.RptViewerAX\x22|\x27BusinessObjects\.RptViewerAX\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,28292; reference:cve,2007-6254; classtype:attempted-user; sid:13659; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BusinessObjects RptViewerAx ActiveX clsid access"; flow:to_client,established; file_data; content:"B20D9D6A-0DEC-4d76-9BEF-175896006B4A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B20D9D6A-0DEC-4d76-9BEF-175896006B4A\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,28292; reference:cve,2007-6254; classtype:attempted-user; sid:13657; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CA BrightStor ListCtrl ActiveX function call access"; flow:to_client,established; file_data; content:"LISTCTRL.ListCtrlCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LISTCTRL\.ListCtrlCtrl\x22|\x27LISTCTRL\.ListCtrlCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddColumn\s*|.*(?P=v)\s*\.\s*AddColumn\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LISTCTRL\.ListCtrlCtrl\x22|\x27LISTCTRL\.ListCtrlCtrl\x27)\s*\)(\s*\.\s*AddColumn\s*|.*(?P=n)\s*\.\s*AddColumn\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28268; reference:cve,2008-1472; classtype:attempted-user; sid:13623; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL Vulnerble Property ActiveX function call access"; flow:to_client,established; file_data; content:"rmocx.RealPlayer G2 Control"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*G2\s*Control\x22|\x27rmocx\.RealPlayer\s*G2\s*Control\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Console\s*|.*(?P=v)\s*\.\s*Console\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*G2\s*Control\x22|\x27rmocx\.RealPlayer\s*G2\s*Control\x27)\s*\)(\s*\.\s*Console\s*|.*(?P=n)\s*\.\s*Console)\s*=/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; classtype:attempted-user; sid:13609; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL Vulnerble Property ActiveX clsid access"; flow:to_client,established; file_data; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Console)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Console))\s*=/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; classtype:attempted-user; sid:13607; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RAM Download Handler ActiveX function call access"; flow:to_client,established; file_data; content:"rmocx.RealPlayer RAM Download Handler"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*RAM\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RAM\s*Download\s*Handler\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*RAM\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RAM\s*Download\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:13605; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kingsoft Antivirus Online Update Module ActiveX function call access"; flow:to_client,established; file_data; content:"UpdateOcx2.KUpdateObj2"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22UpdateOcx2\.KUpdateObj2\x22|\x27UpdateOcx2\.KUpdateObj2\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetUninstallName\s*|.*(?P=v)\s*\.\s*SetUninstallName\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22UpdateOcx2\.KUpdateObj2\x22|\x27UpdateOcx2\.KUpdateObj2\x27)\s*\)(\s*\.\s*SetUninstallName\s*|.*(?P=n)\s*\.\s*SetUninstallName\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,28172; reference:cve,2008-1307; classtype:attempted-user; sid:13601; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kingsoft Antivirus Online Update Module ActiveX clsid access"; flow:to_client,established; file_data; content:"D82303B7-A754-4DCB-8AFC-8CF99435AACE"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D82303B7-A754-4DCB-8AFC-8CF99435AACE\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SetUninstallName)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D82303B7-A754-4DCB-8AFC-8CF99435AACE\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(SetUninstallName))\s*\(/si"; metadata:service http; reference:bugtraq,28172; reference:cve,2008-1307; classtype:attempted-user; sid:13599; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ICQ Toolbar toolbaru.dll ActiveX function call access"; flow:to_client,established; file_data; content:"XTTB00001.XTTB00001"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22XTTB00001\.XTTB00001\x22|\x27XTTB00001\.XTTB00001\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(IsChecked|GetPropertyById)\s*|.*(?P=v)\s*\.\s*(IsChecked|GetPropertyById)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22XTTB00001\.XTTB00001\x22|\x27XTTB00001\.XTTB00001\x27)\s*\)(\s*\.\s*(IsChecked|GetPropertyById)\s*|.*(?P=n)\s*\.\s*(IsChecked|GetPropertyById)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,28086; reference:bugtraq,28118; reference:cve,2008-7135; reference:cve,2008-7136; classtype:attempted-user; sid:13597; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ICQ Toolbar toolbaru.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"855F3B16-6D32-4FE6-8A56-BBB695989046"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*855F3B16-6D32-4FE6-8A56-BBB695989046\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(IsChecked|GetPropertyById)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*855F3B16-6D32-4FE6-8A56-BBB695989046\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(IsChecked|GetPropertyById))\s*\(/si"; metadata:service http; reference:bugtraq,28086; reference:bugtraq,28118; reference:cve,2008-7135; reference:cve,2008-7136; classtype:attempted-user; sid:13595; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Web Components remote code execution attempt ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E511-0000-0000-C000-000000000046"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E511-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; content:"CSVData"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4695; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-017; classtype:attempted-user; sid:13580; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Sony ImageStation ActiveX function call access"; flow:to_client,established; file_data; content:"AxRUploadServer.AxRUploadControl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22AxRUploadServer\.AxRUploadControl\x22|\x27AxRUploadServer\.AxRUploadControl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetLogging\s*|.*(?P=v)\s*\.\s*SetLogging\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AxRUploadServer\.AxRUploadControl\x22|\x27AxRUploadServer\.AxRUploadControl\x27)\s*\)(\s*\.\s*SetLogging\s*|.*(?P=n)\s*\.\s*SetLogging\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,27715; reference:cve,2008-0748; classtype:attempted-user; sid:13549; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Sony ImageStation ActiveX clsid access"; flow:to_client,established; file_data; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9A7F56F-C40F-4928-8C6F-7A72F2A25222\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetLogging)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9A7F56F-C40F-4928-8C6F-7A72F2A25222\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetLogging))\s*\(/si"; metadata:service http; reference:bugtraq,27715; reference:cve,2008-0748; classtype:attempted-user; sid:13547; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Learn2 STRunner ActiveX function call access"; flow:to_client,established; file_data; content:"STRunner.Popup1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22STRunner\.Popup1\x22|\x27STRunner\.Popup1\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22STRunner\.Popup1\x22|\x27STRunner\.Popup1\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,28058; reference:cve,2007-6252; classtype:attempted-user; sid:13545; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Learn2 STRunner ActiveX clsid access"; flow:to_client,established; file_data; content:"0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,28058; reference:cve,2007-6252; classtype:attempted-user; sid:13543; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Backup Exec ActiveX function call access"; flow:to_client,established; file_data; content:"iPVATLCalendar.PVCalendar"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22iPVATLCalendar\.PVCalendar\x22|\x27iPVATLCalendar\.PVCalendar\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*save\s*|.*(?P=v)\s*\.\s*save\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iPVATLCalendar\.PVCalendar\x22|\x27iPVATLCalendar\.PVCalendar\x27)\s*\)(\s*\.\s*save\s*|.*(?P=n)\s*\.\s*save\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26904; reference:cve,2007-6016; reference:url,www.symantec.com/avcenter/security/Content/2008.02.28.html; classtype:attempted-user; sid:13541; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vivotek RTSP MPEG4 SP Control ActiveX function call access"; flow:to_client,established; file_data; content:"RtspVaPgDecoder.RtspVaPgCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22RtspVaPgDecoder\.RtspVaPgCtrl\x22|\x27RtspVaPgDecoder\.RtspVaPgCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*url\s*|.*(?P=v)\s*\.\s*url\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RtspVaPgDecoder\.RtspVaPgCtrl\x22|\x27RtspVaPgDecoder\.RtspVaPgCtrl\x27)\s*\)(\s*\.\s*url\s*|.*(?P=n)\s*\.\s*url)\s*=/smi"; metadata:service http; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13537; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vivotek RTSP MPEG4 SP Control ActiveX clsid access"; flow:to_client,established; file_data; content:"45830FF9-D9E6-4F41-86ED-B266933D8E90"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*45830FF9-D9E6-4F41-86ED-B266933D8E90\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(url)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*45830FF9-D9E6-4F41-86ED-B266933D8E90\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(url))\s*=/si"; metadata:service http; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13535; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS 4xem VatCtrl ActiveX function call access"; flow:to_client,established; file_data; content:"VATDecoder.VatCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VATDecoder\.VatCtrl\x22|\x27VATDecoder\.VatCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*url\s*|.*(?P=v)\s*\.\s*url\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VATDecoder\.VatCtrl\x22|\x27VATDecoder\.VatCtrl\x27)\s*\)(\s*\.\s*url\s*|.*(?P=n)\s*\.\s*url)\s*=/smi"; metadata:service http; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13533; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS 4xem VatCtrl ActiveX clsid access"; flow:to_client,established; file_data; content:"210D0CBC-8B17-48D1-B294-1A338DD2EB3A"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*210D0CBC-8B17-48D1-B294-1A338DD2EB3A\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(url)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*210D0CBC-8B17-48D1-B294-1A338DD2EB3A\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(url))\s*=/si"; metadata:service http; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13531; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS D-Link MPEG4 SHM Audio Control ActiveX function call access"; flow:to_client,established; file_data; content:"VAPgDecoder.VaPgCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VAPgDecoder\.VaPgCtrl\x22|\x27VAPgDecoder\.VaPgCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*url\s*|.*(?P=v)\s*\.\s*url\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VAPgDecoder\.VaPgCtrl\x22|\x27VAPgDecoder\.VaPgCtrl\x27)\s*\)(\s*\.\s*url\s*|.*(?P=n)\s*\.\s*url)\s*=/smi"; metadata:service http; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13529; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS D-Link MPEG4 SHM Audio Control ActiveX clsid access"; flow:to_client,established; file_data; content:"A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(url)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(url))\s*=/si"; metadata:service http; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13527; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX function call access"; flow:to_client,established; file_data; content:"Forms.Image"; pcre:"/(?P\w+)\s*=\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\)/smi"; metadata:service http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13459; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual FoxPro foxtlib ActiveX clsid access"; flow:to_client,established; file_data; content:"22852ee3-b01b-11cf-b826-00a0c9055d9e"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*22852ee3-b01b-11cf-b826-00a0c9055d9e\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(FoxDoCmd)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*22852ee3-b01b-11cf-b826-00a0c9055d9e\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(FoxDoCmd))\s*\(/si"; metadata:service http; reference:bugtraq,25571; reference:bugtraq,25977; reference:cve,2007-4790; reference:cve,2007-5322; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-010; classtype:attempted-user; sid:13451; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GlobalLink HanGamePlugin ActiveX clsid access"; flow:to_client,established; file_data; content:"61F5C358-60FB-4A23-A312-D2B556620F20"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*61F5C358-60FB-4A23-A312-D2B556620F20\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(hgs_startNotify)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*61F5C358-60FB-4A23-A312-D2B556620F20\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(hgs_startNotify))\s*\(/si"; metadata:service http; reference:bugtraq,27626; reference:cve,2008-0647; classtype:attempted-user; sid:13446; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader 5 Property Overflows ActiveX function call access"; flow:to_client,established; file_data; content:"Aurigma.ImageUploader"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(ExtractIptc|ExtractExif)\s*|.*(?P=v)\s*\.\s*(ExtractIptc|ExtractExif)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\)(\s*\.\s*(ExtractIptc|ExtractExif)\s*|.*(?P=n)\s*\.\s*(ExtractIptc|ExtractExif))\s*=/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13444; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader 5 Property Overflows ActiveX clsid access"; flow:to_client,established; file_data; content:"BA162249-F2C5-4851-8ADC-FC58CB424243"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA162249-F2C5-4851-8ADC-FC58CB424243\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(ExtractIptc|ExtractExif)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA162249-F2C5-4851-8ADC-FC58CB424243\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\s*\.\s*(ExtractIptc|ExtractExif))\s*=/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13442; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader 5 Vulnerable Methods ActiveX function call access"; flow:to_client,established; file_data; content:"Aurigma.ImageUploader"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(GotoFolder|CanGotoFolder)\s*|.*(?P=v)\s*\.\s*(GotoFolder|CanGotoFolder)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\)(\s*\.\s*(GotoFolder|CanGotoFolder)\s*|.*(?P=n)\s*\.\s*(GotoFolder|CanGotoFolder)\s*)\s*\(/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13440; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader 5 Vulnerable Methods ActiveX clsid access"; flow:to_client,established; file_data; content:"BA162249-F2C5-4851-8ADC-FC58CB424243"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA162249-F2C5-4851-8ADC-FC58CB424243\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(GotoFolder|CanGotoFolder)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA162249-F2C5-4851-8ADC-FC58CB424243\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(GotoFolder|CanGotoFolder))\s*\(/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13438; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader 4 Property Overflows ActiveX function call access"; flow:to_client,established; file_data; content:"Aurigma.ImageUploader"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(ExtractIptc|ExtractExif)\s*|.*(?P=v)\s*\.\s*(ExtractIptc|ExtractExif)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\)(\s*\.\s*(ExtractIptc|ExtractExif)\s*|.*(?P=n)\s*\.\s*(ExtractIptc|ExtractExif))\s*=/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26537; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13436; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader 4 Property Overflows ActiveX clsid access"; flow:to_client,established; file_data; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E5E167B-1566-4316-B27F-0DDAB3484CF7\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(ExtractIptc|ExtractExif)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E5E167B-1566-4316-B27F-0DDAB3484CF7\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(ExtractIptc|ExtractExif))\s*=/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26537; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13434; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Music JukeBox MediaGrid ActiveX function call access"; flow:to_client,established; file_data; content:"YMG.YMGMediaGridAx"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22YMG\.YMGMediaGridAx\x22|\x27YMG\.YMGMediaGridAx\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddBitmap\s*|.*(?P=v)\s*\.\s*AddBitmap\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YMG\.YMGMediaGridAx\x22|\x27YMG\.YMGMediaGridAx\x27)\s*\)(\s*\.\s*AddBitmap\s*|.*(?P=n)\s*\.\s*AddBitmap\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27578; reference:cve,2008-0625; classtype:attempted-user; sid:13432; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Music JukeBox MediaGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"22FD7C0A-850C-4A53-9821-0B0915C96139"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*22FD7C0A-850C-4A53-9821-0B0915C96139\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(AddBitmap)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*22FD7C0A-850C-4A53-9821-0B0915C96139\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(AddBitmap))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27578; reference:cve,2008-0625; classtype:attempted-user; sid:13430; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Music JukeBox DataGrid ActiveX function call access"; flow:to_client,established; file_data; content:"YMP.YMPDatagrid"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22YMP\.YMPDatagrid\x22|\x27YMP\.YMPDatagrid\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(AddImage|AddButton)\s*|.*(?P=v)\s*\.\s*(AddImage|AddButton)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YMP\.YMPDatagrid\x22|\x27YMP\.YMPDatagrid\x27)\s*\)(\s*\.\s*(AddImage|AddButton)\s*|.*(?P=n)\s*\.\s*(AddImage|AddButton)\s*)\s*\(/Osmi"; metadata:service http; reference:bugtraq,27579; reference:cve,2008-0624; classtype:attempted-user; sid:13428; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Music JukeBox DataGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"5F810AFC-BB5F-4416-BE63-E01DD117BD6C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5F810AFC-BB5F-4416-BE63-E01DD117BD6C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddImage|AddButton)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5F810AFC-BB5F-4416-BE63-E01DD117BD6C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddImage|AddButton))\s*\(/Osi"; metadata:service http; reference:bugtraq,27579; reference:cve,2008-0624; classtype:attempted-user; sid:13426; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SwiftView ActiveX clsid access"; flow:to_client,established; file_data; content:"7DD62E58-5FA8-11D2-AFB7-00104B64F126"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7DD62E58-5FA8-11D2-AFB7-00104B64F126\s*}?\s*(?P=q6)(\s|>)/si"; metadata:service http; reference:bugtraq,27527; reference:cve,2007-5602; reference:url,www.swiftview.com/tech/security/bulletins/SBSV-07-10-02.htm; classtype:attempted-user; sid:13423; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX function call access"; flow:to_client,established; file_data; content:"TheFacebook.FacebookPhotoUploader4.4.1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=v)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=n)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13421; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Virtual Rooms ActiveX function call access"; flow:to_client,established; file_data; content:"WebHPVCInstall.HPVirtualRooms14"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22WebHPVCInstall\.HPVirtualRooms14\x22|\x27WebHPVCInstall\.HPVirtualRooms14\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot)\s*|.*(?P=v)\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WebHPVCInstall\.HPVirtualRooms14\x22|\x27WebHPVCInstall\.HPVirtualRooms14\x27)\s*\)(\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot)\s*|.*(?P=n)\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot))\s*=/smi"; metadata:service http; reference:bugtraq,27384; reference:cve,2008-0437; classtype:attempted-user; sid:13354; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Lycos File Upload Component ActiveX function call access"; flow:to_client,established; file_data; content:"FileUploader.FUploadCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22FileUploader\.FUploadCtl\x22|\x27FileUploader\.FUploadCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*HandwriterFilename\s*|.*(?P=v)\s*\.\s*HandwriterFilename\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22FileUploader\.FUploadCtl\x22|\x27FileUploader\.FUploadCtl\x27)\s*\)(\s*\.\s*HandwriterFilename\s*|.*(?P=n)\s*\.\s*HandwriterFilename)\s*=/smi"; metadata:service http; reference:bugtraq,27411; reference:cve,2008-0443; classtype:attempted-user; sid:13352; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Move Networks Media Player ActiveX function call access"; flow:to_client,established; file_data; content:"QSP2IE.QSP2IE"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22QSP2IE\.QSP2IE\x22|\x27QSP2IE\.QSP2IE\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Upgrade\s*|.*(?P=v)\s*\.\s*Upgrade\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22QSP2IE\.QSP2IE\x22|\x27QSP2IE\.QSP2IE\x27)\s*\)(\s*\.\s*Upgrade\s*|.*(?P=n)\s*\.\s*Upgrade\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,27438; reference:cve,2008-0477; classtype:attempted-user; sid:13350; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Move Networks Media Player ActiveX clsid access"; flow:to_client,established; file_data; content:"6054D082-355D-4B47-B77C-36A778899F48"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6054D082-355D-4B47-B77C-36A778899F48\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Upgrade)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6054D082-355D-4B47-B77C-36A778899F48\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Upgrade))\s*\(/si"; metadata:service http; reference:bugtraq,27438; reference:cve,2008-0477; classtype:attempted-user; sid:13348; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Comodo AntiVirus ActiveX clsid access"; flow:to_client,established; file_data; content:"309F674D-E4D3-46BD-B9E2-ED7DFD7FD176"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*309F674D-E4D3-46BD-B9E2-ED7DFD7FD176\s*}?\s*(?P=q21)(\s|>).*(?P=id1)\s*\.\s*(ExecuteStr)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*309F674D-E4D3-46BD-B9E2-ED7DFD7FD176\s*}?\s*(?P=q22)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m10)(\s|>).*(?P=id2)\.(ExecuteStr))\s*\(/si"; metadata:service http; reference:bugtraq,27424; reference:cve,2008-0470; classtype:attempted-user; sid:13337; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Lycos File Upload Component ActiveX clsid access"; flow:to_client,established; file_data; content:"C36112BF-2FA3-4694-8603-3B510EA3B465"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C36112BF-2FA3-4694-8603-3B510EA3B465\s*}?\s*(?P=q18)(\s|>).*(?P=id1)\s*\.\s*(HandwriterFilename)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C36112BF-2FA3-4694-8603-3B510EA3B465\s*}?\s*(?P=q19)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\s*\.\s*(HandwriterFilename))\s*=/si"; metadata:service http; reference:bugtraq,27411; reference:cve,2008-0443; classtype:attempted-user; sid:13335; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Virtual Rooms ActiveX clsid access"; flow:to_client,established; file_data; content:"00000014-9593-4264-8B29-930B3E4EDCCD"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00000014-9593-4264-8B29-930B3E4EDCCD\s*}?\s*(?P=q15)(\s|>).*(?P=id1)\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00000014-9593-4264-8B29-930B3E4EDCCD\s*}?\s*(?P=q16)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot))\s*=/si"; metadata:service http; reference:bugtraq,27384; reference:cve,2008-0437; classtype:attempted-user; sid:13333; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Toshiba Surveillance Surveillix DVR ActiveX function call access"; flow:to_client,established; file_data; content:"RecordSend"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22RecordSend\x22|\x27RecordSend\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SetPort|SetIPAddress)\s*|.*(?P=v)\s*\.\s*(SetPort|SetIPAddress)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RecordSend\x22|\x27RecordSend\x27)\s*\)(\s*\.\s*(SetPort|SetIPAddress)\s*|.*(?P=n)\s*\.\s*(SetPort|SetIPAddress)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,27360; reference:cve,2008-0399; classtype:attempted-user; sid:13331; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Toshiba Surveillance Surveillix DVR ActiveX clsid access"; flow:to_client,established; file_data; content:"AD315309-EA00-45AE-9E8E-B6A61CE6B974"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AD315309-EA00-45AE-9E8E-B6A61CE6B974\s*}?\s*(?P=q10)(\s|>).*(?P=id1)\s*\.\s*(SetPort|SetIPAddress)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AD315309-EA00-45AE-9E8E-B6A61CE6B974\s*}?\s*(?P=q11)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(SetPort|SetIPAddress))\s*\(/si"; metadata:service http; reference:bugtraq,27360; reference:cve,2008-0399; classtype:attempted-user; sid:13329; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Macrovision FLEXnet Connect ActiveX function call access"; flow:to_client,established; file_data; content:"MVSNClientDownloadManager61Lib.DownloadManager"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MVSNClientDownloadManager61Lib\.DownloadManager\x22|\x27MVSNClientDownloadManager61Lib\.DownloadManager\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddFile\s*|.*(?P=v)\s*\.\s*AddFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MVSNClientDownloadManager61Lib\.DownloadManager\x22|\x27MVSNClientDownloadManager61Lib\.DownloadManager\x27)\s*\)(\s*\.\s*AddFile\s*|.*(?P=n)\s*\.\s*AddFile\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,27279; reference:cve,2008-4586; reference:cve,2008-4587; classtype:attempted-user; sid:13327; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Macrovision FLEXnet Connect ActiveX clsid access"; flow:to_client,established; file_data; content:"FCED4482-7CCB-4E6F-86C9-DCB22B52843C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FCED4482-7CCB-4E6F-86C9-DCB22B52843C\s*}?\s*(?P=q5)(\s|>).*(?P=id1)\s*\.\s*(AddFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FCED4482-7CCB-4E6F-86C9-DCB22B52843C\s*}?\s*(?P=q6)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddFile))\s*\(/si"; metadata:service http; reference:bugtraq,27279; reference:cve,2008-4586; reference:cve,2008-4587; classtype:attempted-user; sid:13325; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Package and Deployment Wizard ActiveX function call access"; flow:to_client,established; file_data; content:"PDWizard.SetupPkgPanels"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22PDWizard\.SetupPkgPanels\x22|\x27PDWizard\.SetupPkgPanels\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PDWizard\.SetupPkgPanels\x22|\x27PDWizard\.SetupPkgPanels\x27)\s*\)/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25295; reference:cve,2007-3041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-045; classtype:attempted-user; sid:13323; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS StreamAudio ProxyManager ActiveX function call access"; flow:to_client,established; file_data; content:"Ccpm.ProxyManager"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Ccpm\.ProxyManager\x22|\x27Ccpm\.ProxyManager\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*InternalTuneIn\s*|.*(?P=v)\s*\.\s*InternalTuneIn\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Ccpm\.ProxyManager\x22|\x27Ccpm\.ProxyManager\x27)\s*\)(\s*\.\s*InternalTuneIn\s*|.*(?P=n)\s*\.\s*InternalTuneIn\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,27247; reference:cve,2008-0248; classtype:attempted-user; sid:13314; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS StreamAudio ProxyManager ActiveX clsid access"; flow:to_client,established; file_data; content:"2253F320-AB68-4A07-917D-4F12D8884A06"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2253F320-AB68-4A07-917D-4F12D8884A06\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(InternalTuneIn)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2253F320-AB68-4A07-917D-4F12D8884A06\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(InternalTuneIn))\s*\(/si"; metadata:service http; reference:bugtraq,27247; reference:cve,2008-0248; classtype:attempted-user; sid:13312; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual FoxPro 2 ActiveX function call access"; flow:to_client,established; file_data; content:"VisualFoxpro.Application"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VisualFoxpro\.Application\x22|\x27VisualFoxpro\.Application\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DoCmd\s*|.*(?P=v)\s*\.\s*DoCmd\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VisualFoxpro\.Application\x22|\x27VisualFoxpro\.Application\x27)\s*\)(\s*\.\s*DoCmd\s*|.*(?P=n)\s*\.\s*DoCmd\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27205; reference:cve,2008-0236; classtype:attempted-user; sid:13305; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Rich TextBox ActiveX function call access"; flow:to_client,established; file_data; content:"RICHTEXT.RichTextCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22RICHTEXT\.RichTextCtrl\x22|\x27RICHTEXT\.RichTextCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveFile\s*|.*(?P=v)\s*\.\s*SaveFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RICHTEXT\.RichTextCtrl\x22|\x27RICHTEXT\.RichTextCtrl\x27)\s*\)(\s*\.\s*SaveFile\s*|.*(?P=n)\s*\.\s*SaveFile\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27201; reference:cve,2008-0237; classtype:attempted-user; sid:13298; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Gatway CWebLaunchCtl ActiveX clsid access"; flow:to_client,established; file_data; content:"93CEA8A4-6059-4E0B-ADDD-73848153DD5E"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*93CEA8A4-6059-4E0B-ADDD-73848153DD5E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoWebLaunch)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*93CEA8A4-6059-4E0B-ADDD-73848153DD5E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoWebLaunch))\s*\(/si"; metadata:service http; reference:bugtraq,27193; reference:cve,2008-0220; reference:url,www.kb.cert.org/vuls/id/735441; classtype:attempted-user; sid:13289; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DivX Web Player ActiveX function call access"; flow:to_client,established; file_data; content:"npUpload.DivXContentUploadPlugin"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22npUpload\.DivXContentUploadPlugin\x22|\x27npUpload\.DivXContentUploadPlugin\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetPassword\s*|.*(?P=v)\s*\.\s*SetPassword\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22npUpload\.DivXContentUploadPlugin\x22|\x27npUpload\.DivXContentUploadPlugin\x27)\s*\)(\s*\.\s*SetPassword\s*|.*(?P=n)\s*\.\s*SetPassword\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,27106; reference:cve,2008-0090; classtype:attempted-user; sid:13275; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DivX Web Player ActiveX clsid access"; flow:to_client,established; file_data; content:"D050D736-2D21-4723-AD58-5B541FFB6C11"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D050D736-2D21-4723-AD58-5B541FFB6C11\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetPassword)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D050D736-2D21-4723-AD58-5B541FFB6C11\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetPassword))\s*\(/si"; metadata:service http; reference:bugtraq,27106; reference:cve,2008-0090; classtype:attempted-user; sid:13273; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SkyFex Client ActiveX clsid access"; flow:to_client,established; file_data; content:"F84E0B64-1E86-4640-8094-5B38CEB28C1E"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F84E0B64-1E86-4640-8094-5B38CEB28C1E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(start)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F84E0B64-1E86-4640-8094-5B38CEB28C1E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(start))\s*\(/si"; metadata:service http; reference:bugtraq,27059; reference:cve,2007-6605; classtype:attempted-user; sid:13266; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Persits Software XUpload ActiveX function call access"; flow:to_client,established; file_data; content:"Persits.XUpload"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Persits\.XUpload(\.\d)?\x22|\x27Persits\.XUpload(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(AddFolder|AddFile|MakeHttpRequest)\s*|.*(?P=v)\s*\.\s*(AddFolder|AddFile|MakeHttpRequest)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Persits\.XUpload(\.\d)?\x22|\x27Persits\.XUpload(\.\d)?\x27)\s*\)(\s*\.\s*(AddFolder|AddFile|MakeHttpRequest)\s*|.*(?P=n)\s*\.\s*(AddFolder|AddFile|MakeHttpRequest)\s*)\s*\(/siO"; metadata:service http; reference:bugtraq,27025; reference:bugtraq,27456; reference:bugtraq,36550; reference:cve,2007-6530; reference:cve,2008-0492; reference:cve,2009-3693; classtype:attempted-user; sid:13234; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Persits Software XUpload ActiveX clsid access"; flow:to_client,established; file_data; content:"E87F6C8E-16C0-11D3-BEF7-009027438003"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E87F6C8E-16C0-11D3-BEF7-009027438003\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddFolder|AddFile|MakeHttpRequest)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E87F6C8E-16C0-11D3-BEF7-009027438003\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddFolder|AddFile|MakeHttpRequest))\s*\(/siO"; metadata:service http; reference:bugtraq,27025; reference:bugtraq,27456; reference:bugtraq,36550; reference:cve,2007-6530; reference:cve,2008-0492; reference:cve,2009-3693; classtype:attempted-user; sid:13232; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"CDAF9CEC-F3EC-4B22-ABA3-9726713560F8"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CDAF9CEC-F3EC-4B22-ABA3-9726713560F8\s*}?\s*(?P=q24)(\s|>).*(?P=id1)\s*\.\s*(ReadTextFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CDAF9CEC-F3EC-4B22-ABA3-9726713560F8\s*}?\s*(?P=q25)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(ReadTextFile))\s*\(/si"; metadata:service http; reference:bugtraq,26967; reference:cve,2007-6513; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13230; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"0C378864-D5C4-4D9C-854C-432E3BEC9CCB"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0C378864-D5C4-4D9C-854C-432E3BEC9CCB\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ReadValue)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0C378864-D5C4-4D9C-854C-432E3BEC9CCB\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(ReadValue))\s*\(/si"; metadata:service http; reference:bugtraq,26967; reference:cve,2007-6513; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13228; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Toolbar YShortcut ActiveX function call access"; flow:to_client,established; file_data; content:"YShortcut_DLL.Shortcut"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22YShortcut_DLL\.Shortcut\x22|\x27YShortcut_DLL\.Shortcut\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*IsTaggedBM\s*|.*(?P=v)\s*\.\s*IsTaggedBM\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YShortcut_DLL\.Shortcut\x22|\x27YShortcut_DLL\.Shortcut\x27)\s*\)(\s*\.\s*IsTaggedBM\s*|.*(?P=n)\s*\.\s*IsTaggedBM\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26956; reference:cve,2007-6535; classtype:attempted-user; sid:13226; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Import 5 ActiveX clsid access"; flow:to_client,established; file_data; content:"823AA622-D72B-42d4-905D-FDD9FC9600FC"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*823AA622-D72B-42d4-905D-FDD9FC9600FC\s*}?\s*(?P=q9)(\s|>)/si"; metadata:service http; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12969; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Import 4 ActiveX clsid access"; flow:to_client,established; file_data; content:"AF54BFA2-474E-4b82-A5F3-B79E6F7A80B1"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AF54BFA2-474E-4b82-A5F3-B79E6F7A80B1\s*}?\s*(?P=q7)(\s|>)/si"; metadata:service http; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12967; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Import 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"C3C9CB67-F453-479a-9AB0-94AE65F2EB2F"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C3C9CB67-F453-479a-9AB0-94AE65F2EB2F\s*}?\s*(?P=q5)(\s|>)/si"; metadata:service http; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12965; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Import 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"121E91E7-E915-4aa6-89F3-BA62D10A4C49"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*121E91E7-E915-4aa6-89F3-BA62D10A4C49\s*}?\s*(?P=q3)(\s|>)/si"; metadata:service http; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12963; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Import 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"AD5FBDB8-C518-47F7-B4F1-F1F58D21A716"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AD5FBDB8-C518-47F7-B4F1-F1F58D21A716\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12961; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSN Heartbeat 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"ae1c01e3-0283-11d3-9b3f-00c04f8ef466"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*ae1c01e3-0283-11d3-9b3f-00c04f8ef466\s*}?\s*(?P=q3)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12959; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSN Heartbeat 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"8c63daba-cba8-4b5d-a0f7-ae00f2920929"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8c63daba-cba8-4b5d-a0f7-ae00f2920929\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12957; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DXLTPI.DLL ActiveX clsid access"; flow:to_client,established; file_data; content:"201ea564-a6f6-11d1-811d-00c04fb6db36"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*201ea564-a6f6-11d1-811d-00c04fb6db36\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-069; classtype:attempted-user; sid:12954; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vantage Linguistics 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"66b4546f-c263-11d1-b1c9-444553540000"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*66b4546f-c263-11d1-b1c9-444553540000\s*}?\s*(?P=q5)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.vantagelinguistics.com/answerworks/release/; classtype:attempted-user; sid:12952; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vantage Linguistics 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"0f6a72b9-d3c5-4fce-89a3-4e3d19c3580a"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0f6a72b9-d3c5-4fce-89a3-4e3d19c3580a\s*}?\s*(?P=q3)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.vantagelinguistics.com/answerworks/release/; classtype:attempted-user; sid:12950; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Vantage Linguistics 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"c1908682-7b2c-4ab0-b98e-183649a0bf84"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*c1908682-7b2c-4ab0-b98e-183649a0bf84\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.vantagelinguistics.com/answerworks/release/; classtype:attempted-user; sid:12948; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VideoLAN VLC ActiveX function call access"; flow:to_client,established; file_data; content:"VideoLAN.VLCPlugin"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VideoLAN\.VLCPlugin\x22|\x27VideoLAN\.VLCPlugin\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(addTarget|getVariable|setVariable)\s*|.*(?P=v)\s*\.\s*(addTarget|getVariable|setVariable)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VideoLAN\.VLCPlugin\x22|\x27VideoLAN\.VLCPlugin\x27)\s*\)(\s*\.\s*(addTarget|getVariable|setVariable)\s*|.*(?P=n)\s*\.\s*(addTarget|getVariable|setVariable)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,26675; reference:cve,2007-6262; reference:url,www.videolan.org/sa0703.html; classtype:attempted-user; sid:12805; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VideoLAN VLC ActiveX clsid access"; flow:to_client,established; file_data; content:"E23FE9C6-778E-49D4-B537-38FCDE4887D8"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E23FE9C6-778E-49D4-B537-38FCDE4887D8\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(addTarget|getVariable|setVariable)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E23FE9C6-778E-49D4-B537-38FCDE4887D8\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(addTarget|getVariable|setVariable))\s*\(/si"; metadata:service http; reference:bugtraq,26675; reference:cve,2007-6262; reference:url,www.videolan.org/sa0703.html; classtype:attempted-user; sid:12803; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader 4 Vulnerable Methods ActiveX function call access attempt"; flow:to_client,established; file_data; content:"Aurigma.ImageUploader"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(GotoFolder|CanGotoFolder)\s*|.*(?P=v)\s*\.\s*(GotoFolder|CanGotoFolder)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\)(\s*\.\s*(GotoFolder|CanGotoFolder)\s*|.*(?P=n)\s*\.\s*(GotoFolder|CanGotoFolder)\s*)\s*\(/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26537; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:12782; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aurigma Image Uploader 4 Vulnerable Methods ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E5E167B-1566-4316-B27F-0DDAB3484CF7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GotoFolder|CanGotoFolder)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E5E167B-1566-4316-B27F-0DDAB3484CF7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(GotoFolder|CanGotoFolder))\s*\(/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26537; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:12780; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer obfuscated Ierpplug.dll ActiveX exploit attempt"; flow:to_client,established; file_data; content:"VulObject = |22|IER|22| + |22|PCtl.I|22| + |22|ERP|22| + |22|Ctl.1|22 3B|"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21802; reference:bugtraq,22811; reference:bugtraq,26586; reference:cve,2006-6847; reference:cve,2007-5601; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:12775; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"BROWSER-PLUGINS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt"; flow:to_client,established; file_data; content:""; nocase; metadata:service http; reference:bugtraq,26536; reference:cve,2007-6144; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:12773; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS obfuscated PPStream PowerPlayer ActiveX exploit attempt"; flow:to_client,established; file_data; content:"pps.setAttribute|28 22|classid|22|,|22|clsid|3A|5EC7C511-CD0F-42E6-830C-1BD9882F3458|22 29|"; nocase; metadata:service http; reference:bugtraq,25502; reference:cve,2007-4748; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:12772; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt"; flow:to_client,established; file_data; content:"storm.setAttribute|28 22|classid|22|,|22|clsid|3A|6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB|22 29|"; nocase; metadata:service http; reference:bugtraq,25601; reference:cve,2007-4816; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:12771; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL ActiveX function call access"; flow:to_client,established; file_data; content:"rmocx.RealPlayer G2 Control"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*G2\s*Control\x22|\x27rmocx\.RealPlayer\s*G2\s*Control\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(ParseWallClock|GetSourceTransport)\s*|.*(?P=v)\s*\.\s*(ParseWallClock|GetSourceTransport)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*G2\s*Control\x22|\x27rmocx\.RealPlayer\s*G2\s*Control\x27)\s*\)(\s*\.\s*(ParseWallClock|GetSourceTransport)\s*|.*(?P=n)\s*\.\s*(ParseWallClock|GetSourceTransport)\s*)\s*\(/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24658; reference:bugtraq,26660; reference:bugtraq,28157; reference:cve,2007-3410; reference:cve,2007-6224; reference:cve,2008-1309; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12768; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Toolbar Helper Class ActiveX function call access"; flow:to_client,established; file_data; content:"yt.ythelper"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22yt\.ythelper\x22|\x27yt\.ythelper\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*c\s*|.*(?P=v)\s*\.\s*c\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22yt\.ythelper\x22|\x27yt\.ythelper\x27)\s*\)(\s*\.\s*c\s*|.*(?P=n)\s*\.\s*c\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,26656; reference:cve,2007-6228; classtype:attempted-user; sid:12764; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Toolbar Helper Class ActiveX clsid access"; flow:to_client,established; file_data; content:"02478D38-C3F9-4EFB-9B51-7695ECA05670"; fast_pattern:only; metadata:service http; reference:bugtraq,26656; reference:cve,2007-6228; classtype:attempted-user; sid:12762; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PPStream PowerList ActiveX clsid access"; flow:to_client,established; file_data; content:"20C2C286-BDE8-441B-B73D-AFA22D914DA5"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*20C2C286-BDE8-441B-B73D-AFA22D914DA5\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SetBkImage)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*20C2C286-BDE8-441B-B73D-AFA22D914DA5\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(SetBkImage))\s*\(/si"; metadata:service http; reference:bugtraq,26580; classtype:attempted-user; sid:12755; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RichFX Basic Player ActiveX function call access"; flow:to_client,established; file_data; content:"RFXInstMgr.RFXInstMgr"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22RFXInstMgr\.RFXInstMgr\x22|\x27RFXInstMgr\.RFXInstMgr\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoInstall|QueryComponents)\s*|.*(?P=v)\s*\.\s*(DoInstall|QueryComponents)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RFXInstMgr\.RFXInstMgr\x22|\x27RFXInstMgr\.RFXInstMgr\x27)\s*\)(\s*\.\s*(DoInstall|QueryComponents)\s*|.*(?P=n)\s*\.\s*(DoInstall|QueryComponents)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,26573; classtype:attempted-user; sid:12753; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RichFX Basic Player ActiveX clsid access"; flow:to_client,established; file_data; content:"47F59200-8783-11D2-8343-00A0C945A819"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*47F59200-8783-11D2-8343-00A0C945A819\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoInstall|QueryComponents)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*47F59200-8783-11D2-8343-00A0C945A819\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoInstall|QueryComponents))\s*\(/si"; metadata:service http; reference:bugtraq,26573; classtype:attempted-user; sid:12751; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BitDefender Online Scanner ActiveX function call access"; flow:to_client,established; file_data; content:"BDSCANONLINE.BDSCANONLINECtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22BDSCANONLINE\.BDSCANONLINECtrl(\.\d)?\x22|\x27BDSCANONLINE\.BDSCANONLINECtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*InitX\s*|.*(?P=v)\s*\.\s*InitX\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BDSCANONLINE\.BDSCANONLINECtrl(\.\d)?\x22|\x27BDSCANONLINE\.BDSCANONLINECtrl(\.\d)?\x27)\s*\)(\s*\.\s*InitX\s*|.*(?P=n)\s*\.\s*InitX\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,26210; reference:cve,2007-5775; classtype:attempted-user; sid:12749; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BitDefender Online Scanner ActiveX clsid access"; flow:to_client,established; file_data; content:"5D86DDB5-BDF9-441B-9E9E-D4730F4EE499"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5D86DDB5-BDF9-441B-9E9E-D4730F4EE499\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(InitX)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5D86DDB5-BDF9-441B-9E9E-D4730F4EE499\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(InitX))\s*\(/siO"; metadata:service http; reference:bugtraq,26210; reference:cve,2007-5775; classtype:attempted-user; sid:12747; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Xunlei Thunder PPLAYER.DLL ActiveX function call access"; flow:to_client,established; file_data; content:"PPlayer.XPPlayer"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22PPlayer\.XPPlayer\x22|\x27PPlayer\.XPPlayer\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FlvPlayerUrl\s*|.*(?P=v)\s*\.\s*FlvPlayerUrl\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PPlayer\.XPPlayer\x22|\x27PPlayer\.XPPlayer\x27)\s*\)(\s*\.\s*FlvPlayerUrl\s*|.*(?P=n)\s*\.\s*FlvPlayerUrl\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,26536; reference:cve,2007-6144; classtype:attempted-user; sid:12739; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Xunlei Thunder PPLAYER.DLL ActiveX clsid access"; flow:to_client,established; file_data; content:"F3E70CEA-956E-49CC-B444-73AFE593AD7F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F3E70CEA-956E-49CC-B444-73AFE593AD7F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(FlvPlayerUrl)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F3E70CEA-956E-49CC-B444-73AFE593AD7F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(FlvPlayerUrl))\s*\(/si"; metadata:service http; reference:bugtraq,26536; reference:cve,2007-6144; classtype:attempted-user; sid:12737; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ComponentOne FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"VSFlexGrid.VSFlexGridL"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VSFlexGrid\.VSFlexGridL\x22|\x27VSFlexGrid\.VSFlexGridL\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Text|EditSelText|EditText|CellFontName)\s*|.*(?P=v)\s*\.\s*(Text|EditSelText|EditText|CellFontName)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VSFlexGrid\.VSFlexGridL\x22|\x27VSFlexGrid\.VSFlexGridL\x27)\s*\)(\s*\.\s*(Text|EditSelText|EditText|CellFontName)\s*|.*(?P=n)\s*\.\s*(Text|EditSelText|EditText|CellFontName))\s*=/smi"; metadata:service http; reference:bugtraq,26467; reference:cve,2007-6028; classtype:attempted-user; sid:12735; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ComponentOne FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"C0A63B86-4B21-11d3-BD95-D426EF2C7949"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C0A63B86-4B21-11d3-BD95-D426EF2C7949\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Text|EditSelText|EditText|CellFontName)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C0A63B86-4B21-11d3-BD95-D426EF2C7949\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Text|EditSelText|EditText|CellFontName))\s*=/si"; metadata:service http; reference:bugtraq,26467; reference:cve,2007-6028; classtype:attempted-user; sid:12733; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOL Radio AmpX ActiveX function call access"; flow:to_client,established; file_data; content:"WinAmpX.IWinAmpActiveX"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22WinAmpX\.IWinAmpActiveX\x22|\x27WinAmpX\.IWinAmpActiveX\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SetMetadata|ConvertFile)\s*|.*(?P=v)\s*\.\s*(SetMetadata|ConvertFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WinAmpX\.IWinAmpActiveX\x22|\x27WinAmpX\.IWinAmpActiveX\x27)\s*\)(\s*\.\s*(SetMetadata|ConvertFile)\s*|.*(?P=n)\s*\.\s*(SetMetadata|ConvertFile)\s*)\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26396; reference:bugtraq,35028; reference:cve,2007-5755; classtype:attempted-user; sid:12731; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebEx GPCContainer ActiveX function call access"; flow:to_client,established; file_data; content:"GpcContainer.GpcContainer"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22GpcContainer\.GpcContainer\x22|\x27GpcContainer\.GpcContainer\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(InitParam|SetParam)\s*|.*(?P=v)\s*\.\s*(InitParam|SetParam)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22GpcContainer\.GpcContainer\x22|\x27GpcContainer\.GpcContainer\x27)\s*\)(\s*\.\s*(InitParam|SetParam)\s*|.*(?P=n)\s*\.\s*(InitParam|SetParam)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,26430; reference:cve,2007-6005; classtype:attempted-user; sid:12716; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebEx GPCContainer ActiveX clsid access"; flow:to_client,established; file_data; content:"E06E2E99-0AA1-11D4-ABA6-0060082AA75C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E06E2E99-0AA1-11D4-ABA6-0060082AA75C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(InitParam|SetParam)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E06E2E99-0AA1-11D4-ABA6-0060082AA75C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(InitParam|SetParam))\s*\(/si"; metadata:service http; reference:bugtraq,26430; reference:cve,2007-6005; classtype:attempted-user; sid:12714; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GlobalLink ConnectAndEnterRoom ActiveX clsid access"; flow:to_client,established; file_data; content:"AE93C5DF-A990-11D1-AEBD-5254ABDD2B69"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AE93C5DF-A990-11D1-AEBD-5254ABDD2B69\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ConnectAndEnterRoom)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AE93C5DF-A990-11D1-AEBD-5254ABDD2B69\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(ConnectAndEnterRoom))\s*\(/si"; metadata:service http; reference:bugtraq,26244; reference:cve,2007-5722; classtype:attempted-user; sid:12689; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DB Software Laboratory VImpX ActiveX function call access"; flow:to_client,established; file_data; content:"VImpX.VImpAX"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VImpX\.VImpAX\x22|\x27VImpX\.VImpAX\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VImpX\.VImpAX\x22|\x27VImpX\.VImpAX\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,26064; reference:cve,2007-5445; classtype:attempted-user; sid:12650; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DB Software Laboratory VImpX ActiveX clsid access"; flow:to_client,established; file_data; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7600707B-9F47-416D-8AB5-6FD96EA37968\s*}?\s*(?P=q6)(\s|>)/si"; metadata:service http; reference:bugtraq,26064; reference:cve,2007-5445; classtype:attempted-user; sid:12648; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PBEmail7 ActiveX function call access"; flow:to_client,established; file_data; content:"PBEmail7.EmailSender"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22PBEmail7\.EmailSender\x22|\x27PBEmail7\.EmailSender\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveSenderToXML\s*|.*(?P=v)\s*\.\s*SaveSenderToXML\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PBEmail7\.EmailSender\x22|\x27PBEmail7\.EmailSender\x27)\s*\)(\s*\.\s*SaveSenderToXML\s*|.*(?P=n)\s*\.\s*SaveSenderToXML\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,26058; reference:cve,2007-5446; classtype:attempted-user; sid:12646; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PBEmail7 ActiveX clsid access"; flow:to_client,established; file_data; content:"30C0FDCB-53BE-4DB3-869D-32BF2DAD0DEC"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*30C0FDCB-53BE-4DB3-869D-32BF2DAD0DEC\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*SaveSenderToXML|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*30C0FDCB-53BE-4DB3-869D-32BF2DAD0DEC\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.SaveSenderToXML)\s*\(/si"; metadata:service http; reference:bugtraq,26058; reference:cve,2007-5446; classtype:attempted-user; sid:12644; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kaspersky Online Scanner KAVWebScan.dll ActiveX function call access"; flow:to_client,established; file_data; content:"kavwebscan.CKAVWebScan"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22kavwebscan\.CKAVWebScan\x22|\x27kavwebscan\.CKAVWebScan\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22kavwebscan\.CKAVWebScan\x22|\x27kavwebscan\.CKAVWebScan\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,26004; reference:cve,2007-3675; classtype:attempted-user; sid:12639; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kaspersky Online Scanner KAVWebScan.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,26004; reference:cve,2007-3675; classtype:attempted-user; sid:12637; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX function call access attempt"; flow:to_client,established; file_data; content:"PDWizard.PublicTools"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22PDWizard\.PublicTools(\.\d)?\x22|\x27PDWizard\.PublicTools(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*StartProcess\s*|.*(?P=v)\s*\.\s*StartProcess\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PDWizard\.PublicTools(\.\d)?\x22|\x27PDWizard\.PublicTools(\.\d)?\x27)\s*\)(\s*\.\s*StartProcess\s*|.*(?P=n)\s*\.\s*StartProcess\s*)/smiO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25638; reference:cve,2007-4891; classtype:attempted-user; sid:12616; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows MFC Library ActiveX clsid access"; flow:to_client,established; file_data; content:"F3F381A3-4795-41FF-8190-7AA2A8102F85"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F3F381A3-4795-41FF-8190-7AA2A8102F85\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(FindFile|ListFiles)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F3F381A3-4795-41FF-8190-7AA2A8102F85\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(FindFile|ListFiles))\s*\(/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25697; reference:cve,2007-4916; classtype:attempted-user; sid:12612; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ebCrypt PRNGenerator ActiveX function call access"; flow:to_client,established; file_data; content:"EbCrypt.eb_c_PRNGenerator"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22EbCrypt\.eb_c_PRNGenerator\x22|\x27EbCrypt\.eb_c_PRNGenerator\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=v)\s*\.\s*SaveToFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EbCrypt\.eb_c_PRNGenerator\x22|\x27EbCrypt\.eb_c_PRNGenerator\x27)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=n)\s*\.\s*SaveToFile\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,25787; reference:cve,2007-5110; classtype:attempted-user; sid:12606; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ebCrypt PRNGenerator ActiveX clsid access"; flow:to_client,established; file_data; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B1E7505E-BBFD-42BF-98C9-602205A1504C\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B1E7505E-BBFD-42BF-98C9-602205A1504C\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/si"; metadata:service http; reference:bugtraq,25787; reference:cve,2007-5110; classtype:attempted-user; sid:12604; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ebCrypt IncrementalHash ActiveX function call access"; flow:to_client,established; file_data; content:"EbCrypt.eb_c_IncrementalHash"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22EbCrypt\.eb_c_IncrementalHash\x22|\x27EbCrypt\.eb_c_IncrementalHash\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddString\s*|.*(?P=v)\s*\.\s*AddString\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EbCrypt\.eb_c_IncrementalHash\x22|\x27EbCrypt\.eb_c_IncrementalHash\x27)\s*\)(\s*\.\s*AddString\s*|.*(?P=n)\s*\.\s*AddString\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,25789; reference:cve,2007-5111; classtype:attempted-user; sid:12602; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ebCrypt IncrementalHash ActiveX clsid access"; flow:to_client,established; file_data; content:"3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddString)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddString))\s*\(/si"; metadata:service http; reference:bugtraq,25789; reference:cve,2007-5111; classtype:attempted-user; sid:12600; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Xunlei Web Thunder ActiveX clsid access"; flow:to_client,established; file_data; content:"EEDD6FF9-13DE-496B-9A1C-D78B3215E266"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EEDD6FF9-13DE-496B-9A1C-D78B3215E266\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DownURL2)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EEDD6FF9-13DE-496B-9A1C-D78B3215E266\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DownURL2))\s*\(/si"; metadata:service http; reference:bugtraq,25751; reference:cve,2007-5064; classtype:attempted-user; sid:12598; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Messenger CYFT ActiveX function call access"; flow:to_client,established; file_data; content:"ft60.YFT"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ft60\.YFT\x22|\x27ft60\.YFT\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetFile\s*|.*(?P=v)\s*\.\s*GetFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ft60\.YFT\x22|\x27ft60\.YFT\x27)\s*\)(\s*\.\s*GetFile\s*|.*(?P=n)\s*\.\s*GetFile\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,25727; reference:cve,2007-5017; classtype:attempted-user; sid:12478; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Messenger CYFT ActiveX clsid access"; flow:to_client,established; file_data; content:"24F3EAD6-8B87-4C1A-97DA-71C126BDA08F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24F3EAD6-8B87-4C1A-97DA-71C126BDA08F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24F3EAD6-8B87-4C1A-97DA-71C126BDA08F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetFile))\s*\(/si"; metadata:service http; reference:bugtraq,25727; reference:cve,2007-5017; classtype:attempted-user; sid:12476; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Java Web Start ActiveX function call access"; flow:to_client,established; file_data; content:"JavaWebStart.isInstalled"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22JavaWebStart\.isInstalled\x22|\x27JavaWebStart\.isInstalled\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*dnsResolve\s*|.*(?P=v)\s*\.\s*dnsResolve\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22JavaWebStart\.isInstalled\x22|\x27JavaWebStart\.isInstalled\x27)\s*\)(\s*\.\s*dnsResolve\s*|.*(?P=n)\s*\.\s*dnsResolve\s*)\s*\(/Osmi"; metadata:service http; reference:bugtraq,25734; reference:cve,2007-5019; classtype:attempted-user; sid:12474; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS COWON America JetAudio JetFlExt.dll ActiveX function call access"; flow:to_client,established; file_data; content:"JetAudio.Interface"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22JetAudio\.Interface\x22|\x27JetAudio\.Interface\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22JetAudio\.Interface\x22|\x27JetAudio\.Interface\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,25723; reference:cve,2007-4983; classtype:attempted-user; sid:12470; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS COWON America JetAudio JetFlExt.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"8D1636FD-CA49-4B4E-90E4-0A20E03A15E8"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8D1636FD-CA49-4B4E-90E4-0A20E03A15E8\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,25723; reference:cve,2007-4983; classtype:attempted-user; sid:12468; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies QRCode ActiveX clsid access"; flow:to_client,established; file_data; content:"3BB56637-651D-4D1D-AFA4-C0506F57EAF8"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3BB56637-651D-4D1D-AFA4-C0506F57EAF8\s*}?\s*(?P=q21)(\s|>).*(?P=id1)\s*\.\s*(SaveAsBMP|SaveAsWMF)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3BB56637-651D-4D1D-AFA4-C0506F57EAF8\s*}?\s*(?P=q22)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m10)(\s|>).*(?P=id2)\.(SaveAsBMP|SaveAsWMF))\s*\(/siO"; metadata:service http; reference:bugtraq,25702; reference:cve,2007-4982; classtype:attempted-user; sid:12466; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Studio 6 VBTOVSI.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"7EEA39E3-41D1-11D2-AB3B-00AA00BDD685"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7EEA39E3-41D1-11D2-AB3B-00AA00BDD685\s*}?\s*(?P=q4)(\s|>)/si"; metadata:service http; reference:bugtraq,25635; reference:cve,2007-4890; classtype:attempted-user; sid:12461; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Agent File Provider ActiveX clsid access"; flow:to_client,established; file_data; content:"D45FD300-5C6E-11D1-9EC1-00C04FD7081F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD300-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Characters\.Load)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD300-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(Characters\.Load))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25566; reference:cve,2007-3040; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-051; classtype:attempted-user; sid:12452; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Agent Control ActiveX function call access"; flow:to_client,established; file_data; content:"Agent.Control"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Agent\.Control\.\d+\x22|\x27Agent\.Control\.\d+\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Characters\.Load\s*|.*(?P=v)\s*\.\s*Characters\.Load\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Agent\.Control\.\d+\x22|\x27Agent\.Control\.\d+\x27)\s*\)(\s*\.\s*Characters\.Load\s*|.*(?P=n)\s*\.\s*Characters\.Load\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25566; reference:cve,2007-3040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-051; classtype:attempted-user; sid:12450; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft SQL Server Distributed Management Objects ActiveX function call access"; flow:to_client,established; file_data; content:"SQLDMO.SQLServer"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SQLDMO\.SQLServer\x22|\x27SQLDMO\.SQLServer\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Start\s*|.*(?P=v)\s*\.\s*Start\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SQLDMO\.SQLServer\x22|\x27SQLDMO\.SQLServer\x27)\s*\)(\s*\.\s*Start\s*|.*(?P=n)\s*\.\s*Start\s*)\s*\(/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25594; reference:cve,2007-4814; classtype:attempted-user; sid:12446; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft SQL Server Distributed Management Objects ActiveX clsid access"; flow:to_client,established; file_data; content:"10020200-E260-11CF-AE68-00AA004A34D5"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*10020200-E260-11CF-AE68-00AA004A34D5\s*}?\s*(?P=q9)(\s|>).*(?P=id1)\s*\.\s*(Start)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*10020200-E260-11CF-AE68-00AA004A34D5\s*}?\s*(?P=q10)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(Start))\s*\(/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25594; reference:cve,2007-4814; classtype:attempted-user; sid:12444; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ultra Crypto Component CryptoX.dll 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"FD22F3AE-1450-4BDC-ADBE-6AF210A78C2C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FD22F3AE-1450-4BDC-ADBE-6AF210A78C2C\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FD22F3AE-1450-4BDC-ADBE-6AF210A78C2C\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/si"; metadata:service http; reference:bugtraq,25611; reference:cve,2007-4902; reference:url,www.ultrashareware.com/Ultra-Crypto-Component.htm; classtype:attempted-user; sid:12442; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ultra Crypto Component CryptoX.dll ActiveX function call access"; flow:to_client,established; file_data; content:"CryptoX.CryptoObj"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22CryptoX\.CryptoObj\x22|\x27CryptoX\.CryptoObj\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AcquireContext\s*|.*(?P=v)\s*\.\s*AcquireContext\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CryptoX\.CryptoObj\x22|\x27CryptoX\.CryptoObj\x27)\s*\)(\s*\.\s*AcquireContext\s*|.*(?P=n)\s*\.\s*AcquireContext\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,25609; reference:cve,2007-4903; reference:url,www.ultrashareware.com/Ultra-Crypto-Component.htm; classtype:attempted-user; sid:12440; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ultra Crypto Component CryptoX.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"09C282FE-7DE7-4697-9BE2-1C4F4DA825B3"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*09C282FE-7DE7-4697-9BE2-1C4F4DA825B3\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AcquireContext)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*09C282FE-7DE7-4697-9BE2-1C4F4DA825B3\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(AcquireContext))\s*\(/si"; metadata:service http; reference:bugtraq,25609; reference:cve,2007-4903; reference:url,www.ultrashareware.com/Ultra-Crypto-Component.htm; classtype:attempted-user; sid:12438; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BaoFeng Storm MPS.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(advancedOpen|backImage|isDVDPath|rawParse|titleImage|URL|OnBeforeVideoDownload)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(advancedOpen|backImage|isDVDPath|rawParse|titleImage|URL|OnBeforeVideoDownload))\s*\(/siO"; metadata:service http; reference:bugtraq,25601; reference:cve,2007-4816; reference:cve,2009-1612; classtype:attempted-user; sid:12434; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EDraw Office Viewer Component ActiveX function call access"; flow:to_client,established; file_data; content:"EDraw.OfficeViewer"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22EDraw\.OfficeViewer\x22|\x27EDraw\.OfficeViewer\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile)\s*|.*(?P=v)\s*\.\s*(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EDraw\.OfficeViewer\x22|\x27EDraw\.OfficeViewer\x27)\s*\)(\s*\.\s*(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile)\s*|.*(?P=n)\s*\.\s*(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,25344; reference:bugtraq,25593; reference:bugtraq,25892; reference:cve,2007-3169; reference:cve,2007-4420; reference:cve,2007-4821; classtype:attempted-user; sid:12432; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EDraw Office Viewer Component ActiveX clsid access"; flow:to_client,established; file_data; content:"6BA21C22-53A5-463F-BBE8-5CF7FFA0132B"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6BA21C22-53A5-463F-BBE8-5CF7FFA0132B\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6BA21C22-53A5-463F-BBE8-5CF7FFA0132B\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile))\s*\(/si"; metadata:service http; reference:bugtraq,25344; reference:bugtraq,25593; reference:bugtraq,25892; reference:cve,2007-3169; reference:cve,2007-4420; reference:cve,2007-4821; classtype:attempted-user; sid:12430; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GlobalLink glitemflat.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetClientInfo)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetClientInfo))\s*\(/si"; metadata:service http; reference:bugtraq,25586; reference:cve,2007-4802; classtype:attempted-user; sid:12428; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual FoxPro ActiveX function call access"; flow:to_client,established; file_data; content:"fpolectl.fpolectl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22fpolectl\.fpolectl\x22|\x27fpolectl\.fpolectl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FoxDoCmd\s*|.*(?P=v)\s*\.\s*FoxDoCmd\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22fpolectl\.fpolectl\x22|\x27fpolectl\.fpolectl\x27)\s*\)(\s*\.\s*FoxDoCmd\s*|.*(?P=n)\s*\.\s*FoxDoCmd\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,25571; reference:bugtraq,25977; reference:cve,2007-4790; reference:cve,2007-5322; classtype:attempted-user; sid:12419; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual FoxPro ActiveX clsid access"; flow:to_client,established; file_data; content:"EF28418F-FFB2-11D0-861A-00A0C903A97F"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,25571; reference:bugtraq,25977; reference:cve,2007-4790; reference:cve,2007-5322; classtype:attempted-user; sid:12417; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Earth Resource Mapper NCSView ActiveX function call access"; flow:to_client,established; file_data; content:"NCSViewManager.NCSView"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22NCSViewManager\.NCSView\x22|\x27NCSViewManager\.NCSView\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCSViewManager\.NCSView\x22|\x27NCSViewManager\.NCSView\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,25584; reference:cve,2007-4470; classtype:attempted-user; sid:12415; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Earth Resource Mapper NCSView ActiveX clsid access"; flow:to_client,established; file_data; content:"8EC18CE2-D7B4-11D2-88C8-006008A717FD"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8EC18CE2-D7B4-11D2-88C8-006008A717FD\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,25584; reference:cve,2007-4470; classtype:attempted-user; sid:12413; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Edition 10 ActiveX clsid access"; flow:to_client,established; file_data; content:"40F8967E-34A6-474a-837A-CEC1E7DAC54C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*40F8967E-34A6-474a-837A-CEC1E7DAC54C\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*40F8967E-34A6-474a-837A-CEC1E7DAC54C\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:service http; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12411; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Edition 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"8CE3BAE6-AB66-40b6-9019-41E5282FF1E2"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m19)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8CE3BAE6-AB66-40b6-9019-41E5282FF1E2\s*}?\s*(?P=q28)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8CE3BAE6-AB66-40b6-9019-41E5282FF1E2\s*}?\s*(?P=q29)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m20)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:service http; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12409; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Edition 8 ActiveX clsid access"; flow:to_client,established; file_data; content:"D92D7607-05D9-4dd8-B68B-D458948FB883"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m17)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D92D7607-05D9-4dd8-B68B-D458948FB883\s*}?\s*(?P=q25)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D92D7607-05D9-4dd8-B68B-D458948FB883\s*}?\s*(?P=q26)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m18)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:service http; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12407; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Edition 7 ActiveX clsid access"; flow:to_client,established; file_data; content:"0D3983A9-4E29-4f33-8313-DA22B29D3F87"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m15)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D3983A9-4E29-4f33-8313-DA22B29D3F87\s*}?\s*(?P=q22)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D3983A9-4E29-4f33-8313-DA22B29D3F87\s*}?\s*(?P=q23)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m16)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:service http; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12405; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Edition 6 ActiveX clsid access"; flow:to_client,established; file_data; content:"A80D199B-CFDD-4da4-8C47-2310D5B8DD97"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A80D199B-CFDD-4da4-8C47-2310D5B8DD97\s*}?\s*(?P=q19)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A80D199B-CFDD-4da4-8C47-2310D5B8DD97\s*}?\s*(?P=q20)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m14)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:service http; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12403; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Edition 5 ActiveX clsid access"; flow:to_client,established; file_data; content:"DBB177CC-6908-4b53-9BEE-F1C697818D65"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DBB177CC-6908-4b53-9BEE-F1C697818D65\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DBB177CC-6908-4b53-9BEE-F1C697818D65\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m12)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:service http; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12401; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Edition 4 ActiveX clsid access"; flow:to_client,established; file_data; content:"2CC3D8DE-18BF-43ff-8CB8-21B442300FD5"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2CC3D8DE-18BF-43ff-8CB8-21B442300FD5\s*}?\s*(?P=q13)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2CC3D8DE-18BF-43ff-8CB8-21B442300FD5\s*}?\s*(?P=q14)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m10)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:service http; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12399; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Edition 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"2EFF8C97-F2A8-4395-9F47-9A06F998BF88"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2EFF8C97-F2A8-4395-9F47-9A06F998BF88\s*}?\s*(?P=q10)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2EFF8C97-F2A8-4395-9F47-9A06F998BF88\s*}?\s*(?P=q11)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:service http; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12397; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Edition 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"4F720B9C-24B1-4948-A035-8853DC01F19E"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4F720B9C-24B1-4948-A035-8853DC01F19E\s*}?\s*(?P=q7)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4F720B9C-24B1-4948-A035-8853DC01F19E\s*}?\s*(?P=q8)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:service http; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12395; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Intuit QuickBooks Online Edition 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"CF9DEB90-8DE3-11D5-BAE4-00105AAAFF94"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CF9DEB90-8DE3-11D5-BAE4-00105AAAFF94\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CF9DEB90-8DE3-11D5-BAE4-00105AAAFF94\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:service http; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12393; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PPStream PowerPlayer ActiveX clsid access"; flow:to_client,established; file_data; content:"5EC7C511-CD0F-42E6-830C-1BD9882F3458"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5EC7C511-CD0F-42E6-830C-1BD9882F3458\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Logo)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5EC7C511-CD0F-42E6-830C-1BD9882F3458\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Logo))\s*=/si"; metadata:service http; reference:bugtraq,25502; reference:cve,2007-4748; classtype:attempted-user; sid:12388; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Messenger YVerInfo ActiveX function call access"; flow:to_client,established; file_data; content:"YVerInfo.GetInfo"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22YVerInfo\.GetInfo\x22|\x27YVerInfo\.GetInfo\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(fvCom|info)\s*|.*(?P=v)\s*\.\s*(fvCom|info)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YVerInfo\.GetInfo\x22|\x27YVerInfo\.GetInfo\x27)\s*\)(\s*\.\s*(fvCom|info)\s*|.*(?P=n)\s*\.\s*(fvCom|info)\s*)\s*\(/siO"; metadata:service http; reference:bugtraq,25494; reference:cve,2007-4515; reference:url,messenger.yahoo.com/security_update.php?id=082907; classtype:attempted-user; sid:12386; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Messenger YVerInfo ActiveX clsid access"; flow:to_client,established; file_data; content:"D5184A39-CBDF-4A4F-AC1A-7A45A852C883"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D5184A39-CBDF-4A4F-AC1A-7A45A852C883\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(fvCom|info)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D5184A39-CBDF-4A4F-AC1A-7A45A852C883\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(fvCom|info))\s*\(/siO"; metadata:service http; reference:bugtraq,25494; reference:cve,2007-4515; reference:url,messenger.yahoo.com/security_update.php?id=082907; classtype:attempted-user; sid:12384; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access"; flow:to_client,established; file_data; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(SubmitToExpress|AddAttachment)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(SubmitToExpress|AddAttachment))/siO"; metadata:service http; reference:bugtraq,25467; reference:cve,2007-4607; classtype:attempted-user; sid:12382; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle JInitiator ActiveX clsid access"; flow:to_client,established; file_data; content:"9b935470-ad4a-11d5-b63e-00c04faedb18"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9b935470-ad4a-11d5-b63e-00c04faedb18\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,25473; reference:cve,2007-4467; classtype:attempted-user; sid:12380; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS eCentrex VOIP Client Module ActiveX clsid access"; flow:to_client,established; file_data; content:"BD80D375-5439-4D80-B128-DDA5FDC3AE6C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BD80D375-5439-4D80-B128-DDA5FDC3AE6C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ReInit)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BD80D375-5439-4D80-B128-DDA5FDC3AE6C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(ReInit))\s*\(/si"; metadata:service http; reference:bugtraq,25383; reference:cve,2007-4489; reference:url,www.e800phone.com; classtype:attempted-user; sid:12301; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic 6 TypeLibInfo ActiveX function call access"; flow:to_client,established; file_data; content:"TLI.TypeLibInfo"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22TLI\.TypeLibInfo\x22|\x27TLI\.TypeLibInfo\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TLI\.TypeLibInfo\x22|\x27TLI\.TypeLibInfo\x27)\s*\)/Osmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12275; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic 6 TypeLibInfo ActiveX clsid access"; flow:to_client,established; file_data; content:"8B217746-717D-11CE-AB5B-D41203C10000"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8B217746-717D-11CE-AB5B-D41203C10000\s*}?\s*(?P=q13)(\s|>)/Osi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12273; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic 6 TLIApplication ActiveX function call"; flow:to_client,established; file_data; content:"TLI.TLIApplication"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12270; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic 6 SearchHelper ActiveX function call access"; flow:to_client,established; file_data; content:"TLI.SearchHelper"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22TLI\.SearchHelper\x22|\x27TLI\.SearchHelper\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TLI\.SearchHelper\x22|\x27TLI\.SearchHelper\x27)\s*\)/Osmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12267; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic 6 SearchHelper ActiveX clsid access"; flow:to_client,established; file_data; content:"8B217752-717D-11CE-AB5B-D41203C10000"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8B217752-717D-11CE-AB5B-D41203C10000\s*}?\s*(?P=q5)(\s|>)/Osi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12265; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic 6 PDWizard.File ActiveX function call access"; flow:to_client,established; file_data; content:"PDWizard.File"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22PDWizard\.File\x22|\x27PDWizard\.File\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PDWizard\.File\x22|\x27PDWizard\.File\x27)\s*\)/Osmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-3041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12263; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic 6 PDWizard.File ActiveX clsid access"; flow:to_client,established; file_data; content:"0DDF3B5C-E692-11D1-AB06-00AA00BDD685"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0DDF3B5C-E692-11D1-AB06-00AA00BDD685\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-3041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12261; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft DirectX Media SDK ActiveX function call access"; flow:to_client,established; file_data; content:"DXSurface.LivePicture.FlashPix"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DXSurface\.LivePicture\.FlashPix\x22|\x27DXSurface\.LivePicture\.FlashPix\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SourceUrl\s*|.*(?P=v)\s*\.\s*SourceUrl\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DXSurface\.LivePicture\.FlashPix\x22|\x27DXSurface\.LivePicture\.FlashPix\x27)\s*\)(\s*\.\s*SourceUrl\s*|.*(?P=n)\s*\.\s*SourceUrl)\s*=/smi"; metadata:service http; reference:bugtraq,25279; reference:cve,2007-4336; classtype:attempted-user; sid:12259; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft DirectX Media SDK ActiveX clsid access"; flow:to_client,established; file_data; content:"201EA564-A6F6-11D1-811D-00C04FB6BD36"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*201EA564-A6F6-11D1-811D-00C04FB6BD36\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SourceUrl)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*201EA564-A6F6-11D1-811D-00C04FB6BD36\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(SourceUrl))\s*=/si"; metadata:service http; reference:bugtraq,25279; reference:cve,2007-4336; classtype:attempted-user; sid:12257; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX function call access attempt"; flow:to_client,established; file_data; content:"NavComUI.AxSysListView32OAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:12252; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX function call access attempt"; flow:to_client,established; file_data; content:"NavComUI.AxSysListView32"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:12248; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"0A398EE6-277C-480D-BD4F-3288EA3AB8E2"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:12246; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX function call access"; flow:to_client,established; file_data; content:"Caller.CallCode"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Caller\.CallCode\x22|\x27Caller\.CallCode\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(CallDLLLong_S|CallDLLLong_S_DW_S|CallDLLLong_S_S|CallDLLLong0|CallDLLVoid_S|CallDLLVoid_S_S|CallDLLVoid0)\s*|.*(?P=v)\s*\.\s*(CallDLLLong_S|CallDLLLong_S_DW_S|CallDLLLong_S_S|CallDLLLong0|CallDLLVoid_S|CallDLLVoid_S_S|CallDLLVoid0)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Caller\.CallCode\x22|\x27Caller\.CallCode\x27)\s*\)(\s*\.\s*(CallDLLLong_S|CallDLLLong_S_DW_S|CallDLLLong_S_S|CallDLLLong0|CallDLLVoid_S|CallDLLVoid_S_S|CallDLLVoid0)\s*|.*(?P=n)\s*\.\s*(CallDLLLong_S|CallDLLLong_S_DW_S|CallDLLLong_S_S|CallDLLLong0|CallDLLVoid_S|CallDLLVoid_S_S|CallDLLVoid0)\s*)\s*\(/Osmi"; metadata:service http; reference:bugtraq,25050; reference:cve,2007-3302; reference:url,supportconnectw.ca.com/public/etrust/etrust_intrusion/infodocs/eid-callervilnsecnot.asp; classtype:attempted-user; sid:12207; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare Vielib.dll ActiveX function call access"; flow:to_client,established; file_data; content:"VieLib2.Vie2Process"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*StartProcess\s*|.*(?P=v)\s*\.\s*StartProcess\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\)(\s*\.\s*StartProcess\s*|.*(?P=n)\s*\.\s*StartProcess\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25118; reference:cve,2007-4058; classtype:attempted-user; sid:12205; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare IntraProcessLogging ActiveX clsid access"; flow:to_client,established; file_data; content:"AF13B07E-28A1-4CAC-9C9A-EC582E354A24"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AF13B07E-28A1-4CAC-9C9A-EC582E354A24\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetLogFileName)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AF13B07E-28A1-4CAC-9C9A-EC582E354A24\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetLogFileName))\s*\(/si"; metadata:service http; reference:bugtraq,25110; reference:cve,2007-4059; classtype:attempted-user; sid:12200; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Widgets Engine ActiveX function call access"; flow:to_client,established; file_data; content:"YDPCTL.YDPControl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22YDPCTL\.YDPControl\x22|\x27YDPCTL\.YDPControl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetComponentVersion\s*|.*(?P=v)\s*\.\s*GetComponentVersion\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YDPCTL\.YDPControl\x22|\x27YDPCTL\.YDPControl\x27)\s*\)(\s*\.\s*GetComponentVersion\s*|.*(?P=n)\s*\.\s*GetComponentVersion\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25086; reference:cve,2007-4034; reference:url,help.yahoo.com/l/us/yahoo/widgets/security/security-08.html; classtype:attempted-user; sid:12195; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Clever Internet Suite ActiveX function call access"; flow:to_client,established; file_data; content:"clInetSuiteX6.clWebDav"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22clInetSuiteX6\.clWebDav\x22|\x27clInetSuiteX6\.clWebDav\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetToFile\s*|.*(?P=v)\s*\.\s*GetToFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22clInetSuiteX6\.clWebDav\x22|\x27clInetSuiteX6\.clWebDav\x27)\s*\)(\s*\.\s*GetToFile\s*|.*(?P=n)\s*\.\s*GetToFile\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,25063; reference:cve,2007-4067; classtype:attempted-user; sid:12191; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Clever Internet Suite ActiveX clsid access"; flow:to_client,established; file_data; content:"E8F92847-7C21-452B-91A5-49D93AA18F30"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E8F92847-7C21-452B-91A5-49D93AA18F30\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E8F92847-7C21-452B-91A5-49D93AA18F30\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetToFile))\s*\(/si"; metadata:service http; reference:bugtraq,25063; reference:cve,2007-4067; classtype:attempted-user; sid:12189; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid access"; flow:to_client,established; file_data; content:"41266C21-18D8-414B-88C0-8DCA6C25CEA0"; fast_pattern:only; metadata:service http; reference:bugtraq,25050; reference:cve,2007-3302; reference:url,supportconnectw.ca.com/public/etrust/etrust_intrusion/infodocs/eid-callervilnsecnot.asp; classtype:attempted-user; sid:12168; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Zenturi ProgramChecker SASATL ActiveX function call access"; flow:to_client,established; file_data; content:"SafeAndSoundATL.NixonMyPrograms"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SafeAndSoundATL\.NixonMyPrograms\x22|\x27SafeAndSoundATL\.NixonMyPrograms\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Scan\s*|.*(?P=v)\s*\.\s*Scan\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SafeAndSoundATL\.NixonMyPrograms\x22|\x27SafeAndSoundATL\.NixonMyPrograms\x27)\s*\)(\s*\.\s*Scan\s*|.*(?P=n)\s*\.\s*Scan\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,25025; reference:cve,2007-3984; classtype:attempted-user; sid:12118; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Zenturi ProgramChecker SASATL ActiveX clsid access"; flow:to_client,established; file_data; content:"6754F588-E262-42D2-A6BC-3BB400ACFEED"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6754F588-E262-42D2-A6BC-3BB400ACFEED\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Scan)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6754F588-E262-42D2-A6BC-3BB400ACFEED\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Scan))\s*\(/si"; metadata:service http; reference:bugtraq,25025; reference:cve,2007-3984; classtype:attempted-user; sid:12116; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EldoS SecureBlackbox PGPBBox ActiveX function call access"; flow:to_client,established; file_data; content:"pgpbbox.ElPGPJpegImageX"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22pgpbbox\.ElPGPJpegImageX\x22|\x27pgpbbox\.ElPGPJpegImageX\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=v)\s*\.\s*SaveToFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22pgpbbox\.ElPGPJpegImageX\x22|\x27pgpbbox\.ElPGPJpegImageX\x27)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=n)\s*\.\s*SaveToFile\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,24882; reference:cve,2007-3785; classtype:attempted-user; sid:12093; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EldoS SecureBlackbox PGPBBox ActiveX clsid access"; flow:to_client,established; file_data; content:"C22BB435-9B7F-4B1F-ACBD-CD36D34D6DFF"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C22BB435-9B7F-4B1F-ACBD-CD36D34D6DFF\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C22BB435-9B7F-4B1F-ACBD-CD36D34D6DFF\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/si"; metadata:service http; reference:bugtraq,24882; reference:cve,2007-3785; classtype:attempted-user; sid:12091; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee NeoTrace ActiveX function call access"; flow:to_client,established; file_data; content:"NeoTraceExplorer.NeoTraceLoader"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22NeoTraceExplorer\.NeoTraceLoader\x22|\x27NeoTraceExplorer\.NeoTraceLoader\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*TraceTarget\s*|.*(?P=v)\s*\.\s*TraceTarget\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NeoTraceExplorer\.NeoTraceLoader\x22|\x27NeoTraceExplorer\.NeoTraceLoader\x27)\s*\)(\s*\.\s*TraceTarget\s*|.*(?P=n)\s*\.\s*TraceTarget\s*)\s*\(/siO"; metadata:service http; reference:bugtraq,21697; reference:cve,2006-6707; classtype:attempted-user; sid:12089; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee NeoTrace ActiveX clsid access"; flow:to_client,established; file_data; content:"3E1DD897-F300-486C-BEAF-711183773554"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3E1DD897-F300-486C-BEAF-711183773554\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(TraceTarget)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3E1DD897-F300-486C-BEAF-711183773554\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(TraceTarget))\s*\(/siO"; metadata:service http; reference:bugtraq,21697; reference:cve,2006-6707; classtype:attempted-user; sid:12087; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Data Dynamics ActiveBar Actbar3 ActiveX function call access"; flow:to_client,established; file_data; content:"ActiveBar3Library.ActiveBar3"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ActiveBar3Library\.ActiveBar3\x22|\x27ActiveBar3Library\.ActiveBar3\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Save|SaveLayoutChanges|SaveMenuUsageData)\s*|.*(?P=v)\s*\.\s*(Save|SaveLayoutChanges|SaveMenuUsageData)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ActiveBar3Library\.ActiveBar3\x22|\x27ActiveBar3Library\.ActiveBar3\x27)\s*\)(\s*\.\s*(Save|SaveLayoutChanges|SaveMenuUsageData)\s*|.*(?P=n)\s*\.\s*(Save|SaveLayoutChanges|SaveMenuUsageData)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,24959; reference:cve,2007-3883; classtype:attempted-user; sid:12085; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Data Dynamics ActiveBar Actbar3 ActiveX clsid access"; flow:to_client,established; file_data; content:"5407153D-022F-4CD2-8BFF-465569BC5DB8"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5407153D-022F-4CD2-8BFF-465569BC5DB8\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Save|SaveLayoutChanges|SaveMenuUsageData)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5407153D-022F-4CD2-8BFF-465569BC5DB8\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Save|SaveLayoutChanges|SaveMenuUsageData))\s*\(/si"; metadata:service http; reference:bugtraq,24959; reference:cve,2007-3883; classtype:attempted-user; sid:12083; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Instant Support ActiveX clsid access"; flow:to_client,established; file_data; content:"156BF4B7-AE3A-4365-BD88-95A75AF8F09D"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*156BF4B7-AE3A-4365-BD88-95A75AF8F09D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(queryHub)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*156BF4B7-AE3A-4365-BD88-95A75AF8F09D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(queryHub))\s*=/si"; metadata:service http; reference:bugtraq,24730; reference:cve,2007-3554; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597; classtype:attempted-user; sid:12062; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Digital Imaging hpqxml.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"9C0A0321-B328-466C-8ECA-B9A5522466D3"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9C0A0321-B328-466C-8ECA-B9A5522466D3\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(saveXMLAsFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9C0A0321-B328-466C-8ECA-B9A5522466D3\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(saveXMLAsFile))\s*\(/si"; metadata:service http; reference:bugtraq,24678; reference:cve,2007-3487; reference:url,www.securityfocus.com/archive/1/472384; classtype:attempted-user; sid:12029; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NCTsoft NCTAudioFile2 NCTWMAFile ActiveX function call access"; flow:to_client,established; file_data; content:"NCTWMAFile2.WMAFile2"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22NCTWMAFile2\.WMAFile2\x22|\x27NCTWMAFile2\.WMAFile2\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*CreateFile\s*|.*(?P=v)\s*\.\s*CreateFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCTWMAFile2\.WMAFile2\x22|\x27NCTWMAFile2\.WMAFile2\x27)\s*\)(\s*\.\s*CreateFile\s*|.*(?P=n)\s*\.\s*CreateFile\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,24613; reference:cve,2007-3400; reference:url,nctsoft.com/products/NCTAudioEditor2/; classtype:attempted-user; sid:12021; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NCTsoft NCTAudioFile2 NCTWMAFile ActiveX clsid access"; flow:to_client,established; file_data; content:"6ED74AE3-8066-4385-AABA-243E033F75A3"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6ED74AE3-8066-4385-AABA-243E033F75A3\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(CreateFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6ED74AE3-8066-4385-AABA-243E033F75A3\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(CreateFile))\s*\(/si"; metadata:service http; reference:bugtraq,24613; reference:cve,2007-3400; reference:url,nctsoft.com/products/NCTAudioEditor2/; classtype:attempted-user; sid:12019; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NCTAudioStudio2 NCT WavChunksEditor ActiveX function call access"; flow:to_client,established; file_data; content:"NCTWavChunksEditor2.WavChunksEditor2"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22NCTWavChunksEditor2\.WavChunksEditor2\x22|\x27NCTWavChunksEditor2\.WavChunksEditor2\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*CreateFile\s*|.*(?P=v)\s*\.\s*CreateFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCTWavChunksEditor2\.WavChunksEditor2\x22|\x27NCTWavChunksEditor2\.WavChunksEditor2\x27)\s*\)(\s*\.\s*CreateFile\s*|.*(?P=n)\s*\.\s*CreateFile\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,24656; reference:cve,2007-3493; reference:url,nctsoft.com/products/NCTAudioStudio2/; classtype:attempted-user; sid:12017; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NCTAudioStudio2 NCT WavChunksEditor ActiveX clsid access"; flow:to_client,established; file_data; content:"A77849B6-6125-4466-88DC-4855C014A0C4"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A77849B6-6125-4466-88DC-4855C014A0C4\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(CreateFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A77849B6-6125-4466-88DC-4855C014A0C4\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(CreateFile))\s*\(/si"; metadata:service http; reference:bugtraq,24656; reference:cve,2007-3493; reference:url,nctsoft.com/products/NCTAudioStudio2/; classtype:attempted-user; sid:12015; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RKD Software BarCode ActiveX function call access"; flow:to_client,established; file_data; content:"ABarCode.ActiveBC"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ABarCode\.ActiveBC\x22|\x27ABarCode\.ActiveBC\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*BeginPrint\s*|.*(?P=v)\s*\.\s*BeginPrint\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ABarCode\.ActiveBC\x22|\x27ABarCode\.ActiveBC\x27)\s*\)(\s*\.\s*BeginPrint\s*|.*(?P=n)\s*\.\s*BeginPrint\s*)\s*\(/siO"; metadata:service http; reference:bugtraq,24596; reference:cve,2007-3435; classtype:attempted-user; sid:12012; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RKD Software BarCode ActiveX clsid access"; flow:to_client,established; file_data; content:"C26D9CA8-6747-11D5-AD4B-C01857C10000"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C26D9CA8-6747-11D5-AD4B-C01857C10000\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(BeginPrint)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C26D9CA8-6747-11D5-AD4B-C01857C10000\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(BeginPrint))\s*\(/siO"; metadata:service http; reference:bugtraq,24596; reference:cve,2007-3435; classtype:attempted-user; sid:12010; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP ModemUtil ActiveX clsid access"; flow:to_client,established; file_data; content:"C6A96E83-F5AF-4BD4-9BDD-7B18444F814F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C6A96E83-F5AF-4BD4-9BDD-7B18444F814F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DialNumber)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C6A96E83-F5AF-4BD4-9BDD-7B18444F814F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DialNumber))\s*\(/si"; metadata:service http; classtype:attempted-user; sid:11943; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Westbyte internet download accelerator ActiveX clsid access"; flow:to_client,established; file_data; content:"2A646672-9C3A-4C28-9A7A-1FB0F63F28B6"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2A646672-9C3A-4C28-9A7A-1FB0F63F28B6\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,24400; reference:cve,2007-3162; classtype:attempted-user; sid:11942; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Westbyte Internet Download Accelerator ActiveX function call access"; flow:to_client,established; file_data; content:"idaiehlp.IDAIEHelper"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22idaiehlp\.IDAIEHelper\x22|\x27idaiehlp\.IDAIEHelper\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22idaiehlp\.IDAIEHelper\x22|\x27idaiehlp\.IDAIEHelper\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,24400; reference:cve,2007-3162; classtype:attempted-user; sid:11940; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS TEC-IT TBarCode ActiveX function call access"; flow:to_client,established; file_data; content:"TBarCode7.TBarCode7"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22TBarCode7\.TBarCode7\x22|\x27TBarCode7\.TBarCode7\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveImage\s*|.*(?P=v)\s*\.\s*SaveImage\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TBarCode7\.TBarCode7\x22|\x27TBarCode7\.TBarCode7\x27)\s*\)(\s*\.\s*SaveImage\s*|.*(?P=n)\s*\.\s*SaveImage\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,24440; reference:cve,2007-3233; classtype:attempted-user; sid:11841; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS TEC-IT TBarCode ActiveX clsid access"; flow:to_client,established; file_data; content:"D8541765-F6D2-4EE1-AEAA-4016BE1D9859"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D8541765-F6D2-4EE1-AEAA-4016BE1D9859\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveImage)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D8541765-F6D2-4EE1-AEAA-4016BE1D9859\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveImage))\s*\(/si"; metadata:service http; reference:bugtraq,24440; reference:cve,2007-3233; classtype:attempted-user; sid:11839; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Direct Speech Recognition ActiveX function call access"; flow:to_client,established; file_data; content:"DirectSR.DirectSR"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DirectSR\.DirectSR\x22|\x27DirectSR\.DirectSR\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Find\s*|.*(?P=v)\s*\.\s*Find\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DirectSR\.DirectSR\x22|\x27DirectSR\.DirectSR\x27)\s*\)(\s*\.\s*Find\s*|.*(?P=n)\s*\.\s*Find\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2222; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:11832; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Voice Control ActiveX function call access"; flow:to_client,established; file_data; content:"DirectSS.DirectSS"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DirectSS\.DirectSS\x22|\x27DirectSS\.DirectSS\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Find\s*|.*(?P=v)\s*\.\s*Find\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DirectSS\.DirectSS\x22|\x27DirectSS\.DirectSS\x27)\s*\)(\s*\.\s*Find\s*|.*(?P=n)\s*\.\s*Find\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2222; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:11828; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Webcam Upload ActiveX function call unicode access"; flow:to_client,established; file_data; content:"Y|00|W|00|c|00|U|00|p|00|l|00|.|00|W|00|c|00|U|00|p|00|l|00|o|00|a|00|d|00|"; fast_pattern:only; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)Y\x00W\x00c\x00U\x00p\x00l\x00.\x00W\x00c\x00U\x00p\x00l\x00o\x00a\x00d\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)Y\x00W\x00c\x00U\x00p\x00l\x00.\x00W\x00c\x00U\x00p\x00l\x00o\x00a\x00d\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24341; reference:cve,2007-3147; classtype:attempted-user; sid:11825; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Webcam Upload ActiveX function call access"; flow:to_client,established; content:"YWcUpl.WcUpload"; fast_pattern:only; file_data; pcre:"/(?P\w+)\s*=\s*(\x22YWcUpl\.WcUpload\x22|\x27YWcUpl\.WcUpload\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*server\s*|.*(?P=v)\s*\.\s*server\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YWcUpl\.WcUpload\x22|\x27YWcUpl\.WcUpload\x27)\s*\)(\s*\.\s*server\s*|.*(?P=n)\s*\.\s*server)\s*=/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24341; reference:cve,2007-3147; classtype:attempted-user; sid:11824; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Webcam Upload ActiveX clsid unicode access"; flow:to_client,established; file_data; content:"D|00|C|00|E|00|2|00|F|00|8|00|B|00|1|00|-|00|A|00|5|00|2|00|0|00|-|00|1|00|1|00|D|00|4|00|-|00|8|00|F|00|D|00|0|00|-|00|0|00|0|00|D|00|0|00|B|00|7|00|7|00|3|00|0|00|2|00|7|00|7|00|"; fast_pattern:only; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24341; reference:cve,2007-3147; classtype:attempted-user; sid:11823; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Webcam Viewer Wrapper ActiveX function call access"; flow:to_client,established; file_data; content:"YWcVwr.WcViewer"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22YWcVwr\.WcViewer\x22|\x27YWcVwr\.WcViewer\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*server\s*|.*(?P=v)\s*\.\s*server\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YWcVwr\.WcViewer\x22|\x27YWcVwr\.WcViewer\x27)\s*\)(\s*\.\s*server\s*|.*(?P=n)\s*\.\s*server)\s*=/smi"; metadata:service http; reference:bugtraq,24341; reference:cve,2007-3148; reference:url,www.frsirt.com/english/advisories/2007/2094; classtype:attempted-user; sid:11820; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Webcam Viewer Wrapper ActiveX clsid access"; flow:to_client,established; file_data; content:"9D39223E-AE8E-11D4-8FD3-00D0B7730277"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9D39223E-AE8E-11D4-8FD3-00D0B7730277\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(server)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9D39223E-AE8E-11D4-8FD3-00D0B7730277\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(server))\s*=/si"; metadata:service http; reference:bugtraq,24341; reference:cve,2007-3148; reference:url,www.frsirt.com/english/advisories/2007/2094; classtype:attempted-user; sid:11818; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Provideo Camimage Class ISSCamControl ActiveX clsid access"; flow:to_client,established; file_data; content:"AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(URL)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(URL))\s*=/si"; metadata:service http; reference:bugtraq,24279; reference:cve,2007-3111; classtype:attempted-user; sid:11677; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Zenturi ProgramChecker ActiveX function call access"; flow:to_client,established; file_data; content:"SafeAndSoundATL.NixonConfigMgrEx"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SafeAndSoundATL\.NixonConfigMgrEx\x22|\x27SafeAndSoundATL\.NixonConfigMgrEx\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Fill|DebugMsgLog|DownloadFile)\s*|.*(?P=v)\s*\.\s*(Fill|DebugMsgLog|DownloadFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SafeAndSoundATL\.NixonConfigMgrEx\x22|\x27SafeAndSoundATL\.NixonConfigMgrEx\x27)\s*\)(\s*\.\s*(Fill|DebugMsgLog|DownloadFile)\s*|.*(?P=n)\s*\.\s*(Fill|DebugMsgLog|DownloadFile)\s*)\s*\(/siO"; metadata:service http; reference:bugtraq,24217; reference:bugtraq,24274; reference:bugtraq,24848; reference:bugtraq,24883; reference:cve,2007-2987; reference:cve,2007-3703; classtype:attempted-user; sid:11675; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Zenturi ProgramChecker ActiveX clsid access"; flow:to_client,established; file_data; content:"59DBDDA6-9A80-42A4-B824-9BC50CC172F5"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*59DBDDA6-9A80-42A4-B824-9BC50CC172F5\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Fill|DebugMsgLog|DownloadFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*59DBDDA6-9A80-42A4-B824-9BC50CC172F5\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(Fill|DebugMsgLog|DownloadFile))\s*\(/siO"; metadata:service http; reference:bugtraq,24217; reference:bugtraq,24274; reference:bugtraq,24848; reference:bugtraq,24883; reference:cve,2007-2987; reference:cve,2007-3703; classtype:attempted-user; sid:11673; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EDraw Office Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"EDrawOfficeViewer.EDrawOfficeViewerCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22EDrawOfficeViewer\.EDrawOfficeViewerCtrl\x22|\x27EDrawOfficeViewer\.EDrawOfficeViewerCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DeleteLocalFile|HttpDownloadFile)\s*|.*(?P=v)\s*\.\s*(DeleteLocalFile|HttpDownloadFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EDrawOfficeViewer\.EDrawOfficeViewerCtrl\x22|\x27EDrawOfficeViewer\.EDrawOfficeViewerCtrl\x27)\s*\)(\s*\.\s*(DeleteLocalFile|HttpDownloadFile)\s*|.*(?P=n)\s*\.\s*(DeleteLocalFile|HttpDownloadFile)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,24229; reference:bugtraq,24230; reference:cve,2007-3168; reference:cve,2007-3169; reference:url,moaxb.blogspot.com/2007/05/moaxb-28-edraw-office-viewer-component.html; reference:url,moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html; classtype:attempted-user; sid:11662; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EDraw Office Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"053AFEBA-D968-435F-B557-19FF76372B1B"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*053AFEBA-D968-435F-B557-19FF76372B1B\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteLocalFile|HttpDownloadFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*053AFEBA-D968-435F-B557-19FF76372B1B\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteLocalFile|HttpDownloadFile))\s*\(/si"; metadata:service http; reference:bugtraq,24229; reference:bugtraq,24230; reference:cve,2007-3168; reference:cve,2007-3169; reference:url,moaxb.blogspot.com/2007/05/moaxb-28-edraw-office-viewer-component.html; reference:url,moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html; classtype:attempted-user; sid:11660; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Dart ZipLite Compression ActiveX clsid access"; flow:to_client,established; file_data; content:"42BA826E-F8D8-4D8D-8C05-14ABCE00D4DD"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42BA826E-F8D8-4D8D-8C05-14ABCE00D4DD\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(QuickZip)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42BA826E-F8D8-4D8D-8C05-14ABCE00D4DD\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(QuickZip))\s*\(/si"; metadata:service http; reference:bugtraq,24099; reference:url,moaxb.blogspot.com/2007/05/moaxb-22-bonus-dart-ziplite-compression.html; classtype:attempted-user; sid:11658; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Thumbnail Browser Control ActiveX function call access"; flow:to_client,established; file_data; content:"LEADThumb.LEADThumb"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LEADThumb\.LEADThumb\x22|\x27LEADThumb\.LEADThumb\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*BrowseDir\s*|.*(?P=v)\s*\.\s*BrowseDir\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADThumb\.LEADThumb\x22|\x27LEADThumb\.LEADThumb\x27)\s*\)(\s*\.\s*BrowseDir\s*|.*(?P=n)\s*\.\s*BrowseDir\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,24053; reference:cve,2007-2787; reference:url,moaxb.blogspot.com/2007/05/moaxb-19-leadtools-thumbnail-browser.html; classtype:attempted-user; sid:11656; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Thumbnail Browser Control ActiveX clsid access"; flow:to_client,established; file_data; content:"00140200-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m17)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140200-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q41)(\s|>).*(?P=id1)\s*\.\s*(BrowseDir)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140200-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q42)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m18)(\s|>).*(?P=id2)\.(BrowseDir))\s*\(/si"; metadata:service http; reference:bugtraq,24053; reference:cve,2007-2787; reference:url,moaxb.blogspot.com/2007/05/moaxb-19-leadtools-thumbnail-browser.html; classtype:attempted-user; sid:11654; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster Variant Object Library ActiveX function call access"; flow:to_client,established; file_data; content:"LEADRasterVariant.LEADRasterVariant"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LEADRasterVariant\.LEADRasterVariant\x22|\x27LEADRasterVariant\.LEADRasterVariant\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*WriteDataToFile\s*|.*(?P=v)\s*\.\s*WriteDataToFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterVariant\.LEADRasterVariant\x22|\x27LEADRasterVariant\.LEADRasterVariant\x27)\s*\)(\s*\.\s*WriteDataToFile\s*|.*(?P=n)\s*\.\s*WriteDataToFile\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,24075; reference:cve,2007-2851; reference:url,moaxb.blogspot.com/2007/05/moaxb-21-leadtools-raster-variant.html; classtype:attempted-user; sid:11652; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster Variant Object Library ActiveX clsid access"; flow:to_client,established; file_data; content:"00140B9B-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m15)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B9B-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q36)(\s|>).*(?P=id1)\s*\.\s*(WriteDataToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B9B-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q37)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m16)(\s|>).*(?P=id2)\.(WriteDataToFile))\s*\(/si"; metadata:service http; reference:bugtraq,24075; reference:cve,2007-2851; reference:url,moaxb.blogspot.com/2007/05/moaxb-21-leadtools-raster-variant.html; classtype:attempted-user; sid:11650; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster Thumbnail Object Library ActiveX function call access"; flow:to_client,established; file_data; content:"LEADRasterThumbnail.LEADRasterThumbnail"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LEADRasterThumbnail\.LEADRasterThumbnail\x22|\x27LEADRasterThumbnail\.LEADRasterThumbnail\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*BrowseDir\s*|.*(?P=v)\s*\.\s*BrowseDir\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterThumbnail\.LEADRasterThumbnail\x22|\x27LEADRasterThumbnail\.LEADRasterThumbnail\x27)\s*\)(\s*\.\s*BrowseDir\s*|.*(?P=n)\s*\.\s*BrowseDir\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,24057; reference:cve,2007-2787; reference:url,moaxb.blogspot.com/2007/05/moaxb-20-leadtools-raster-thumbnail.html; classtype:attempted-user; sid:11648; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster Thumbnail Object Library ActiveX clsid access"; flow:to_client,established; file_data; content:"00140780-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140780-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q31)(\s|>).*(?P=id1)\s*\.\s*(BrowseDir)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140780-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q32)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m14)(\s|>).*(?P=id2)\.(BrowseDir))\s*\(/si"; metadata:service http; reference:bugtraq,24057; reference:cve,2007-2787; reference:url,moaxb.blogspot.com/2007/05/moaxb-20-leadtools-raster-thumbnail.html; classtype:attempted-user; sid:11646; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster ISIS Object ActiveX function call access"; flow:to_client,established; file_data; content:"LEADRasterISIS.LeadRasterISIS"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LEADRasterISIS\.LeadRasterISIS\x22|\x27LEADRasterISIS\.LeadRasterISIS\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DriverName\s*|.*(?P=v)\s*\.\s*DriverName\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterISIS\.LeadRasterISIS\x22|\x27LEADRasterISIS\.LeadRasterISIS\x27)\s*\)(\s*\.\s*DriverName\s*|.*(?P=n)\s*\.\s*DriverName)\s*=/smi"; metadata:service http; reference:bugtraq,24193; reference:cve,2007-2980; reference:url,moaxb.blogspot.com/2007/05/moaxb-27-leadtools-raster-isis-object.html; classtype:attempted-user; sid:11644; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster ISIS Object ActiveX clsid access"; flow:to_client,established; file_data; content:"00140797-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140797-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q26)(\s|>).*(?P=id1)\s*\.\s*(DriverName)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140797-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q27)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m12)(\s|>).*(?P=id2)\s*\.\s*(DriverName))\s*=/si"; metadata:service http; reference:bugtraq,24193; reference:cve,2007-2980; reference:url,moaxb.blogspot.com/2007/05/moaxb-27-leadtools-raster-isis-object.html; classtype:attempted-user; sid:11642; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster Document Object Library ActiveX function call access"; flow:to_client,established; file_data; content:"LEADRasterDocument.LEADRasterDocument"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LEADRasterDocument\.LEADRasterDocument\x22|\x27LEADRasterDocument\.LEADRasterDocument\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DictionaryFileName\s*|.*(?P=v)\s*\.\s*DictionaryFileName\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterDocument\.LEADRasterDocument\x22|\x27LEADRasterDocument\.LEADRasterDocument\x27)\s*\)(\s*\.\s*DictionaryFileName\s*|.*(?P=n)\s*\.\s*DictionaryFileName)\s*=/smi"; metadata:service http; reference:bugtraq,24179; reference:cve,2007-2981; reference:url,moaxb.blogspot.com/2007/05/moaxb-26-leadtools-raster-ocr-document.html; classtype:attempted-user; sid:11640; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster Document Object Library ActiveX clsid access"; flow:to_client,established; file_data; content:"00140B30-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B30-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q21)(\s|>).*(?P=id1)\s*\.\s*(DictionaryFileName)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B30-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q22)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m10)(\s|>).*(?P=id2)\s*\.\s*(DictionaryFileName))\s*=/si"; metadata:service http; reference:bugtraq,24179; reference:cve,2007-2981; reference:url,moaxb.blogspot.com/2007/05/moaxb-26-leadtools-raster-ocr-document.html; classtype:attempted-user; sid:11638; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster Dialog File_D Object ActiveX function call access"; flow:to_client,established; file_data; content:"LEADRasterDocument.LEADRasterDocument"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LEADRasterDocument\.LEADRasterDocument\x22|\x27LEADRasterDocument\.LEADRasterDocument\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DestinationPath\s*|.*(?P=v)\s*\.\s*DestinationPath\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterDocument\.LEADRasterDocument\x22|\x27LEADRasterDocument\.LEADRasterDocument\x27)\s*\)(\s*\.\s*DestinationPath\s*|.*(?P=n)\s*\.\s*DestinationPath)\s*=/smi"; metadata:service http; reference:bugtraq,24153; reference:cve,2007-2946; reference:url,moaxb.blogspot.com/2007/05/moaxb-25-leadtools-raster-dialog-filed.html; classtype:attempted-user; sid:11636; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster Dialog File_D Object ActiveX clsid access"; flow:to_client,established; file_data; content:"00140BB5-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140BB5-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(DestinationPath)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140BB5-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\s*\.\s*(DestinationPath))\s*=/si"; metadata:service http; reference:bugtraq,24153; reference:cve,2007-2946; reference:url,moaxb.blogspot.com/2007/05/moaxb-25-leadtools-raster-dialog-filed.html; classtype:attempted-user; sid:11634; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster Dialog File Object ActiveX function call access"; flow:to_client,established; file_data; content:"LEADRasterDlgFile.LEADRasterDlgFile"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LEADRasterDlgFile\.LEADRasterDlgFile\x22|\x27LEADRasterDlgFile\.LEADRasterDlgFile\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Directory\s*|.*(?P=v)\s*\.\s*Directory\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterDlgFile\.LEADRasterDlgFile\x22|\x27LEADRasterDlgFile\.LEADRasterDlgFile\x27)\s*\)(\s*\.\s*Directory\s*|.*(?P=n)\s*\.\s*Directory)\s*=/smi"; metadata:service http; reference:bugtraq,24133; reference:cve,2007-2895; reference:url,moaxb.blogspot.com/2007/05/moaxb-24-leadtools-raster-dialog-file.html; classtype:attempted-user; sid:11632; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools Raster Dialog File Object ActiveX clsid access"; flow:to_client,established; file_data; content:"00140B79-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B79-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(Directory)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B79-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(Directory))\s*=/si"; metadata:service http; reference:bugtraq,24133; reference:cve,2007-2895; reference:url,moaxb.blogspot.com/2007/05/moaxb-24-leadtools-raster-dialog-file.html; classtype:attempted-user; sid:11630; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools JPEG 2000 COM Object ActiveX function call access"; flow:to_client,established; file_data; content:"LEADRasterVariant.LEADRasterVariant"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LEADRasterVariant\.LEADRasterVariant\x22|\x27LEADRasterVariant\.LEADRasterVariant\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*BitmapDataPath\s*|.*(?P=v)\s*\.\s*BitmapDataPath\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterVariant\.LEADRasterVariant\x22|\x27LEADRasterVariant\.LEADRasterVariant\x27)\s*\)(\s*\.\s*BitmapDataPath\s*|.*(?P=n)\s*\.\s*BitmapDataPath)\s*=/smi"; metadata:service http; reference:bugtraq,24040; reference:cve,2007-2771; reference:url,moaxb.blogspot.com/2007/05/moaxb-18-leadtools-jpeg-2000-com.html; classtype:attempted-user; sid:11628; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools ISIS ActiveX function call access"; flow:to_client,established; file_data; content:"LEADIsis.LEADIsis"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22LEADIsis\.LEADIsis\x22|\x27LEADIsis\.LEADIsis\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DriverName\s*|.*(?P=v)\s*\.\s*DriverName\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADIsis\.LEADIsis\x22|\x27LEADIsis\.LEADIsis\x27)\s*\)(\s*\.\s*DriverName\s*|.*(?P=n)\s*\.\s*DriverName)\s*=/smi"; metadata:service http; reference:bugtraq,24094; reference:cve,2007-2854; reference:url,moaxb.blogspot.com/2007/05/moaxb-22-leadtools-isis-control.html; classtype:attempted-user; sid:11626; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LeadTools ISIS ActiveX clsid access"; flow:to_client,established; file_data; content:"00140050-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140050-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(DriverName)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140050-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(DriverName))\s*=/si"; metadata:service http; reference:bugtraq,24094; reference:cve,2007-2854; reference:url,moaxb.blogspot.com/2007/05/moaxb-22-leadtools-isis-control.html; classtype:attempted-user; sid:11624; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office 2000 OUACTR ActiveX clsid access"; flow:to_client,established; file_data; content:"8936033C-4A50-11D1-98A4-00A0C90F27C6"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8936033C-4A50-11D1-98A4-00A0C90F27C6\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(HelpPopup)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8936033C-4A50-11D1-98A4-00A0C90F27C6\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(HelpPopup))\s*\(/si"; metadata:service http; reference:bugtraq,24118; reference:cve,2007-2903; reference:url,moaxb.blogspot.com/2007/05/moaxb-23-microsoft-office-2000.html; classtype:attempted-user; sid:11622; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.Chroma ActiveX function call access"; flow:to_client,established; file_data; content:"DXImageTransform.Microsoft.Chroma"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DXImageTransform\.Microsoft\.Chroma\x22|\x27DXImageTransform\.Microsoft\.Chroma\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DXImageTransform\.Microsoft\.Chroma\x22|\x27DXImageTransform\.Microsoft\.Chroma\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,24188; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:11620; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Input Method Editor 3 ActiveX function call access"; flow:to_client,established; file_data; content:"ID2"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ID2\x22|\x27ID2\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ID2\x22|\x27ID2\x27)\s*\)/smi"; metadata:service http; reference:cve,2007-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; reference:url,www.xsec.org/index.php?module=releases&act=view&type=1&id=9; classtype:attempted-user; sid:11324; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DB Software Laboratory DeWizardX ActiveX function call access"; flow:to_client,established; file_data; content:"DEWizardAX.DEWizardX"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DEWizardAX\.DEWizardX\x22|\x27DEWizardAX\.DEWizardX\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=v)\s*\.\s*SaveToFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DEWizardAX\.DEWizardX\x22|\x27DEWizardAX\.DEWizardX\x27)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=n)\s*\.\s*SaveToFile\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,23986; reference:cve,2007-2725; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:11303; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DB Software Laboratory DeWizardX ActiveX clsid access"; flow:to_client,established; file_data; content:"90403303-EF21-4771-A41A-651089892EDD"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*90403303-EF21-4771-A41A-651089892EDD\s*}?\s*(?P=q13)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*90403303-EF21-4771-A41A-651089892EDD\s*}?\s*(?P=q14)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/si"; metadata:service http; reference:bugtraq,23986; reference:cve,2007-2725; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:11301; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Clever Database Comparer ActiveX function call access"; flow:to_client,established; file_data; content:"comparerax.IBDBExtract"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22comparerax\.IBDBExtract\x22|\x27comparerax\.IBDBExtract\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ConnectToDatabase\s*|.*(?P=v)\s*\.\s*ConnectToDatabase\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22comparerax\.IBDBExtract\x22|\x27comparerax\.IBDBExtract\x27)\s*\)(\s*\.\s*ConnectToDatabase\s*|.*(?P=n)\s*\.\s*ConnectToDatabase\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,23969; reference:cve,2007-2648; reference:url,moaxb.blogspot.com/2007/05/moaxb-14-clever-database-comparer.html; classtype:attempted-user; sid:11299; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Clever Database Comparer ActiveX clsid access"; flow:to_client,established; file_data; content:"24E0CD64-A8DE-4BE4-9706-4CFC89D212C9"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24E0CD64-A8DE-4BE4-9706-4CFC89D212C9\s*}?\s*(?P=q8)(\s|>).*(?P=id1)\s*\.\s*(ConnectToDatabase)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24E0CD64-A8DE-4BE4-9706-4CFC89D212C9\s*}?\s*(?P=q9)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(ConnectToDatabase))\s*\(/si"; metadata:service http; reference:bugtraq,23969; reference:cve,2007-2648; reference:url,moaxb.blogspot.com/2007/05/moaxb-14-clever-database-comparer.html; classtype:attempted-user; sid:11297; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IDAutomation Linear Bar Code ActiveX function call access"; flow:to_client,established; file_data; content:"IDAuto.BarCode"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22IDAuto\.BarCode\x22|\x27IDAuto\.BarCode\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveEnhWMF\s*|.*(?P=v)\s*\.\s*SaveEnhWMF\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IDAuto\.BarCode\x22|\x27IDAuto\.BarCode\x27)\s*\)(\s*\.\s*SaveEnhWMF\s*|.*(?P=n)\s*\.\s*SaveEnhWMF\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,23954; reference:cve,2007-2658; reference:url,moaxb.blogspot.com/2007/05/moaxb-13-id-automation-linear-barcode.html; classtype:attempted-user; sid:11295; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IDAutomation Linear Bar Code ActiveX clsid access"; flow:to_client,established; file_data; content:"0C3874AA-AB39-4B5E-A768-45F3CE6C6819"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0C3874AA-AB39-4B5E-A768-45F3CE6C6819\s*}?\s*(?P=q3)(\s|>).*(?P=id1)\s*\.\s*(SaveEnhWMF)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0C3874AA-AB39-4B5E-A768-45F3CE6C6819\s*}?\s*(?P=q4)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveEnhWMF))\s*\(/si"; metadata:service http; reference:bugtraq,23954; reference:cve,2007-2658; reference:url,moaxb.blogspot.com/2007/05/moaxb-13-id-automation-linear-barcode.html; classtype:attempted-user; sid:11293; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Hewlett Packard HPQVWOCX.DL ActiveX clsid access"; flow:to_client,established; file_data; content:"BA726BF9-ED2F-461B-9447-CD5C7D66CE8D"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA726BF9-ED2F-461B-9447-CD5C7D66CE8D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteProfile|SaveToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA726BF9-ED2F-461B-9447-CD5C7D66CE8D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteProfile|SaveToFile))\s*\(/si"; metadata:service http; reference:bugtraq,23941; reference:bugtraq,24793; reference:cve,2007-2656; reference:cve,2007-3649; classtype:attempted-user; sid:11291; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AudioCDRipper ActiveX function call access"; flow:to_client,established; file_data; content:"Audio_CD_Ripper_OCX.cAudioCDRipper"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Audio_CD_Ripper_OCX\.cAudioCDRipper\x22|\x27Audio_CD_Ripper_OCX\.cAudioCDRipper\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Audio_CD_Ripper_OCX\.cAudioCDRipper\x22|\x27Audio_CD_Ripper_OCX\.cAudioCDRipper\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,23900; reference:cve,2007-2603; classtype:attempted-user; sid:11286; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AudioCDRipper ActiveX clsid access"; flow:to_client,established; file_data; content:"BE604333-B029-44E6-8367-1566B0AD7084"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BE604333-B029-44E6-8367-1566B0AD7084\s*}?\s*(?P=q12)(\s|>)/si"; metadata:service http; reference:bugtraq,23900; reference:cve,2007-2603; classtype:attempted-user; sid:11284; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS FlexLabel ActiveX function call access"; flow:to_client,established; file_data; content:"FlexLabelControl.FlexLabel"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22FlexLabelControl\.FlexLabel\x22|\x27FlexLabelControl\.FlexLabel\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22FlexLabelControl\.FlexLabel\x22|\x27FlexLabelControl\.FlexLabel\x27)\s*\)/smi"; metadata:service http; reference:url,www.securityfocus.com/archive/1/468070; classtype:attempted-user; sid:11282; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS FlexLabel ActiveX clsid access"; flow:to_client,established; file_data; content:"584B432E-E0BD-4A78-BD77-665591DA84BB"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*584B432E-E0BD-4A78-BD77-665591DA84BB\s*}?\s*(?P=q8)(\s|>)/si"; metadata:service http; reference:url,www.securityfocus.com/archive/1/468070; classtype:attempted-user; sid:11280; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GDivX Zenith Player AVI Fixer ActiveX function call access"; flow:to_client,established; file_data; content:"AviFix.AviFixer"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22AviFix\.AviFixer\x22|\x27AviFix\.AviFixer\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetInputFile\s*|.*(?P=v)\s*\.\s*SetInputFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AviFix\.AviFixer\x22|\x27AviFix\.AviFixer\x27)\s*\)(\s*\.\s*SetInputFile\s*|.*(?P=n)\s*\.\s*SetInputFile\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,23907; reference:cve,2007-2601; classtype:attempted-user; sid:11278; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GDivX Zenith Player AVI Fixer ActiveX clsid access"; flow:to_client,established; file_data; content:"2225E9BC-AFB3-4ED4-B20E-4F6CF1C39F8B"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2225E9BC-AFB3-4ED4-B20E-4F6CF1C39F8B\s*}?\s*(?P=q3)(\s|>).*(?P=id1)\s*\.\s*(SetInputFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2225E9BC-AFB3-4ED4-B20E-4F6CF1C39F8B\s*}?\s*(?P=q4)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetInputFile))\s*\(/si"; metadata:service http; reference:bugtraq,23907; reference:cve,2007-2601; classtype:attempted-user; sid:11276; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RControl ActiveX clsid access"; flow:to_client,established; file_data; content:"2A515FCD-C0E9-4F38-9C77-2949514366F2"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2A515FCD-C0E9-4F38-9C77-2949514366F2\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,23914; reference:cve,2007-2623; reference:url,moaxb.blogspot.com/2007/05/moaxb-10-rcontroldll-v-1210-denial-of.html; classtype:attempted-user; sid:11274; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton AntiVirus ActiveX function call access"; flow:to_client,established; file_data; content:"Symantec.Norton.AntiVirus.NAVOptions"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Symantec\.Norton\.AntiVirus\.NAVOptions\x22|\x27Symantec\.Norton\.AntiVirus\.NAVOptions\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Symantec\.Norton\.AntiVirus\.NAVOptions\x22|\x27Symantec\.Norton\.AntiVirus\.NAVOptions\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,23822; reference:cve,2006-3456; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=529; reference:url,www.symantec.com/avcenter/security/Content/2007.05.09.html; classtype:attempted-user; sid:11270; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton AntiVirus ActiveX clsid access"; flow:to_client,established; file_data; content:"085ABFE2-D753-445C-8A2A-D4BD46CE0811"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*085ABFE2-D753-445C-8A2A-D4BD46CE0811\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,23822; reference:cve,2006-3456; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=529; reference:url,www.symantec.com/avcenter/security/Content/2007.05.09.html; classtype:attempted-user; sid:11268; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BarcodeWiz ActiveX function call access"; flow:to_client,established; file_data; content:"BarcodeWiz.BarcodeWiz"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22BarcodeWiz\.BarcodeWiz(\.\d)?\x22|\x27BarcodeWiz\.BarcodeWiz(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Verify|LoadProperties)\s*|.*(?P=v)\s*\.\s*(Verify|LoadProperties)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BarcodeWiz\.BarcodeWiz(\.\d)?\x22|\x27BarcodeWiz\.BarcodeWiz(\.\d)?\x27)\s*\)(\s*\.\s*(Verify|LoadProperties)\s*|.*(?P=n)\s*\.\s*(Verify|LoadProperties)\s*)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23891; reference:cve,2010-2932; reference:url,moaxb.blogspot.com/2007/05/moaxb-09-barcodewiz-activex-control-20.html; classtype:attempted-user; sid:11261; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BarcodeWiz ActiveX clsid access"; flow:to_client,established; file_data; content:"CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(Verify|LoadProperties)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(Verify|LoadProperties))/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23891; reference:cve,2010-2932; reference:url,moaxb.blogspot.com/2007/05/moaxb-09-barcodewiz-activex-control-20.html; classtype:attempted-user; sid:11259; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft MciWndx ActiveX function call access"; flow:to_client,established; file_data; content:"MCIWNDX.MCIWndXCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MCIWNDX\.MCIWndXCtrl\x22|\x27MCIWNDX\.MCIWndXCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Filename\s*|.*(?P=v)\s*\.\s*Filename\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MCIWNDX\.MCIWndXCtrl\x22|\x27MCIWNDX\.MCIWndXCtrl\x27)\s*\)(\s*\.\s*Filename\s*|.*(?P=n)\s*\.\s*Filename)\s*=/smi"; metadata:service http; classtype:attempted-user; sid:11255; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft MciWndx ActiveX clsid access"; flow:to_client,established; file_data; content:"288F1523-FAC4-11CE-B16F-00AA0060D93D"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*288F1523-FAC4-11CE-B16F-00AA0060D93D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Filename)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*288F1523-FAC4-11CE-B16F-00AA0060D93D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Filename))\s*=/si"; metadata:service http; classtype:attempted-user; sid:11253; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Address ActiveX clsid access"; flow:to_client,established; file_data; content:"de011590-0531-4804-9c9c-3fedc7e6e5c8"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*de011590-0531-4804-9c9c-3fedc7e6e5c8\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:url,download.microsoft.com/download/2/7/0/270e884a-9ba8-47e9-a732-15caee568f76/AdditionalInfo_KB905915.rtf; reference:url,support.microsoft.com/kb/905915; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-054; classtype:attempted-user; sid:11252; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Sony Rootkit Uninstaller ActiveX clsid access"; flow:to_client,established; file_data; content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EA7C4C5-C5C0-4F5C-A008-8293505F71CC\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-054; reference:url,wiki.castlecops.com/SONY_XCP_DRM_Rootkit_Detection_and_Removal_Instructions; classtype:attempted-user; sid:11250; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Research In Motion TeamOn Import ActiveX clsid access"; flow:to_client,established; file_data; content:"1D95A7C7-3282-4DB7-9A48-7C39CE152A19"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1D95A7C7-3282-4DB7-9A48-7C39CE152A19\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,23331; reference:cve,2007-0323; reference:url,na.blackberry.com/eng/ataglance/security/news.jsp; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; reference:url,www.kb.cert.org/vuls/id/869641; classtype:attempted-user; sid:11247; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAstatics ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAstatics"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DirectAnimation\.DAstatics\x22|\x27DirectAnimation\.DAstatics\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DirectAnimation\.DAstatics\x22|\x27DirectAnimation\.DAstatics\x27)\s*\)/smi"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:11245; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAstatics ActiveX clsid access"; flow:to_client,established; file_data; content:"542FB453-5003-11CF-92A2-00AA00B8A733"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*542FB453-5003-11CF-92A2-00AA00B8A733\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:11243; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.Redirect ActiveX function call access"; flow:to_client,established; file_data; content:"DXImageTransform.Microsoft.Redirect"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DXImageTransform\.Microsoft\.Redirect\x22|\x27DXImageTransform\.Microsoft\.Redirect\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DXImageTransform\.Microsoft\.Redirect\x22|\x27DXImageTransform\.Microsoft\.Redirect\x27)\s*\)/smi"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:11241; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.Redirect ActiveX clsid access"; flow:to_client,established; file_data; content:"42B07B28-2280-4937-B035-0293FB812781"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42B07B28-2280-4937-B035-0293FB812781\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:11239; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX clsid access"; flow:to_client,established; file_data; content:"233A9694-667E-11d1-9DFB-006097D50408"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*233A9694-667E-11d1-9DFB-006097D50408\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; classtype:attempted-user; sid:11236; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Cryptographic API COM 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"FBAB033B-CDD0-4C5E-81AB-AEA575CD1338"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FBAB033B-CDD0-4C5E-81AB-AEA575CD1338\s*}?\s*(?P=q5)(\s|>)/si"; metadata:service http; reference:cve,2007-0940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-028; classtype:attempted-user; sid:11234; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"CAPICOM.Certificates"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0940; classtype:attempted-user; sid:11232; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Cryptographic API COM 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"17E3A1C3-EA8A-4970-AF29-7F54610B1D4C"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*17E3A1C3-EA8A-4970-AF29-7F54610B1D4C\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:cve,2007-0940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-028; classtype:attempted-user; sid:11230; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSAuth ActiveX function call access"; flow:to_client,established; file_data; content:"NMSA.SessionDescription"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22NMSA\.SessionDescription\x22|\x27NMSA\.SessionDescription\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveAs\s*|.*(?P=v)\s*\.\s*SaveAs\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NMSA\.SessionDescription\x22|\x27NMSA\.SessionDescription\x27)\s*\)(\s*\.\s*SaveAs\s*|.*(?P=n)\s*\.\s*SaveAs\s*)\s*\(/smi"; metadata:service http; reference:cve,2007-2221; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:11226; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSAuth ActiveX clsid access"; flow:to_client,established; file_data; content:"D4FE6227-1288-11D0-9097-00AA004254A0"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D4FE6227-1288-11D0-9097-00AA004254A0\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveAs)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D4FE6227-1288-11D0-9097-00AA004254A0\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveAs))\s*\(/si"; metadata:service http; reference:cve,2007-2221; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:11224; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SmartCode VNC Manager ActiveX function call access"; flow:to_client,established; file_data; content:"SmartCode.ViewerX"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SmartCode\.ViewerX\x22|\x27SmartCode\.ViewerX\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ConnectAsyncEx\s*|.*(?P=v)\s*\.\s*ConnectAsyncEx\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SmartCode\.ViewerX\x22|\x27SmartCode\.ViewerX\x27)\s*\)(\s*\.\s*ConnectAsyncEx\s*|.*(?P=n)\s*\.\s*ConnectAsyncEx\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,23869; reference:cve,2007-2526; reference:url,moaxb.blogspot.com/2007/05/moaxb-08-smartcode-vnc-manager-36.html; classtype:attempted-user; sid:11220; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SmartCode VNC Manager ActiveX clsid access"; flow:to_client,established; file_data; content:"62FA83F7-20EC-4D62-AC86-BAB705EE1CCD"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*62FA83F7-20EC-4D62-AC86-BAB705EE1CCD\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(ConnectAsyncEx)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*62FA83F7-20EC-4D62-AC86-BAB705EE1CCD\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\.(ConnectAsyncEx))\s*\(/si"; metadata:service http; reference:bugtraq,23869; reference:cve,2007-2526; reference:url,moaxb.blogspot.com/2007/05/moaxb-08-smartcode-vnc-manager-36.html; classtype:attempted-user; sid:11218; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VeralSoft HTTP File Uploader ActiveX function call access"; flow:to_client,established; file_data; content:"UFileUploaderD.FileUploaderD"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22UFileUploaderD\.FileUploaderD\x22|\x27UFileUploaderD\.FileUploaderD\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddFile\s*|.*(?P=v)\s*\.\s*AddFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22UFileUploaderD\.FileUploaderD\x22|\x27UFileUploaderD\.FileUploaderD\x27)\s*\)(\s*\.\s*AddFile\s*|.*(?P=n)\s*\.\s*AddFile\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,23853; reference:cve,2007-2563; reference:url,moaxb.blogspot.com/2007/05/moaxb-07-versalsoft-http-file-uploader.html; classtype:attempted-user; sid:11216; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VeralSoft HTTP File Uploader ActiveX clsid access"; flow:to_client,established; file_data; content:"28776DAD-5914-42A7-9139-8FD7C756BBDD"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*28776DAD-5914-42A7-9139-8FD7C756BBDD\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(AddFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*28776DAD-5914-42A7-9139-8FD7C756BBDD\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(AddFile))\s*\(/si"; metadata:service http; reference:bugtraq,23853; reference:cve,2007-2563; reference:url,moaxb.blogspot.com/2007/05/moaxb-07-versalsoft-http-file-uploader.html; classtype:attempted-user; sid:11214; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Sienzo Digital Music Mentor ActiveX function call access"; flow:to_client,established; file_data; content:"DSKernel.LMDSKernel"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DSKernel\.LMDSKernel\x22|\x27DSKernel\.LMDSKernel\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(LockModules|UnlockModule)\s*|.*(?P=v)\s*\.\s*(LockModules|UnlockModule)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DSKernel\.LMDSKernel\x22|\x27DSKernel\.LMDSKernel\x27)\s*\)(\s*\.\s*(LockModules|UnlockModule)\s*|.*(?P=n)\s*\.\s*(LockModules|UnlockModule)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,23838; reference:cve,2007-2564; reference:url,moaxb.blogspot.com/2007/05/moaxb-06-sienzo-digital-music-mentor.html; classtype:attempted-user; sid:11212; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Sienzo Digital Music Mentor ActiveX clsid access"; flow:to_client,established; file_data; content:"E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(LockModules|UnlockModule)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(LockModules|UnlockModule))\s*\(/si"; metadata:service http; reference:bugtraq,23838; reference:cve,2007-2564; reference:url,moaxb.blogspot.com/2007/05/moaxb-06-sienzo-digital-music-mentor.html; classtype:attempted-user; sid:11210; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS East Wind Software ADVDAUDIO ActiveX function call access"; flow:to_client,established; file_data; content:"ADVDAUDIO.ADVDAUDIOCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ADVDAUDIO\.ADVDAUDIOCtrl\x22|\x27ADVDAUDIO\.ADVDAUDIOCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenDVD\s*|.*(?P=v)\s*\.\s*OpenDVD\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ADVDAUDIO\.ADVDAUDIOCtrl\x22|\x27ADVDAUDIO\.ADVDAUDIOCtrl\x27)\s*\)(\s*\.\s*OpenDVD\s*|.*(?P=n)\s*\.\s*OpenDVD\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,23833; reference:cve,2007-2576; reference:url,moaxb.blogspot.com/2007/05/moaxb-05-east-wind-software.html; classtype:attempted-user; sid:11208; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS East Wind Software ADVDAUDIO ActiveX clsid access"; flow:to_client,established; file_data; content:"995A778F-E846-48DD-94F2-280FDED1AADF"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*995A778F-E846-48DD-94F2-280FDED1AADF\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(OpenDVD)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*995A778F-E846-48DD-94F2-280FDED1AADF\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(OpenDVD))\s*\(/si"; metadata:service http; reference:bugtraq,23833; reference:cve,2007-2576; reference:url,moaxb.blogspot.com/2007/05/moaxb-05-east-wind-software.html; classtype:attempted-user; sid:11206; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"OA.OActrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22OA\.OActrl(\.\d)?\x22|\x27OA\.OActrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OA\.OActrl(\.\d)?\x22|\x27OA\.OActrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,23811; reference:bugtraq,33243; reference:bugtraq,33283; reference:cve,2007-2588; reference:cve,2009-0382; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:11201; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ActiveX Soft DVD Tools ActiveX function call access"; flow:to_client,established; file_data; content:"DVD_TOOLS.DVD_TOOLSCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DVD_TOOLS\.DVD_TOOLSCtrl\x22|\x27DVD_TOOLS\.DVD_TOOLSCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DVD_TOOLS\.DVD_TOOLSCtrl\x22|\x27DVD_TOOLS\.DVD_TOOLSCtrl\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,22558; reference:cve,2007-0976; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-bonus-actsoft-dvd-tools.html; classtype:attempted-user; sid:11197; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Word Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"OA.OActrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22OA\.OActrl(\.\d)?\x22|\x27OA\.OActrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OA\.OActrl(\.\d)?\x22|\x27OA\.OActrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,23784; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2496; reference:url,moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html; classtype:attempted-user; sid:11189; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"Excel.OActrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)/smiO"; metadata:service http; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11183; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office PowerPoint Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"OA.OACtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22OA\.OACtrl(\.\d)?\x22|\x27OA\.OACtrl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OA\.OACtrl(\.\d)?\x22|\x27OA\.OACtrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,23733; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2494; reference:url,moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html; classtype:attempted-user; sid:11178; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microgaming Download Helper ActiveX function call access"; flow:to_client,established; file_data; content:"DLHelper.WebHandler"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DLHelper\.WebHandler\x22|\x27DLHelper\.WebHandler\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DLHelper\.WebHandler\x22|\x27DLHelper\.WebHandler\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,23595; reference:cve,2007-2177; reference:url,www.kb.cert.org/vuls/id/184473; classtype:attempted-user; sid:10993; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microgaming Download Helper ActiveX clsid access"; flow:to_client,established; file_data; content:"AED98630-0251-4E83-917D-43A23D66D507"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AED98630-0251-4E83-917D-43A23D66D507\s*}?\s*(?P=q15)(\s|>)/si"; metadata:service http; reference:bugtraq,23595; reference:cve,2007-2177; reference:url,www.kb.cert.org/vuls/id/184473; classtype:attempted-user; sid:10991; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GraceNote CDDB ActiveX function call access"; flow:to_client,established; file_data; content:"ClassCDDBControl.CddbSegments"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ClassCDDBControl\.CddbSegments\x22|\x27ClassCDDBControl\.CddbSegments\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ClassCDDBControl\.CddbSegments\x22|\x27ClassCDDBControl\.CddbSegments\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,18678; reference:bugtraq,23567; reference:cve,2006-3134; reference:cve,2007-0443; reference:url,www.gracenote.com/corporate/FAQs.html/faqset=update/page=0; reference:url,www.kb.cert.org/vuls/id/701121; classtype:attempted-user; sid:10988; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GraceNote CDDB ActiveX clsid access"; flow:to_client,established; file_data; content:"F4BAFF02-F907-11D2-8F8F-00C04F4C3B9F"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4BAFF02-F907-11D2-8F8F-00C04F4C3B9F\s*}?\s*(?P=q11)(\s|>)/si"; metadata:service http; reference:bugtraq,18678; reference:bugtraq,23567; reference:cve,2006-3134; reference:cve,2007-0443; reference:url,www.gracenote.com/corporate/FAQs.html/faqset=update/page=0; reference:url,www.kb.cert.org/vuls/id/701121; classtype:attempted-user; sid:10986; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Second Sight Software ActiveMod ActiveX function call access"; flow:to_client,established; file_data; content:"ACTIVEMOD.ActiveModCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ACTIVEMOD\.ActiveModCtrl\x22|\x27ACTIVEMOD\.ActiveModCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ACTIVEMOD\.ActiveModCtrl\x22|\x27ACTIVEMOD\.ActiveModCtrl\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,23554; reference:cve,2007-1691; reference:url,www.kb.cert.org/vuls/id/962305; classtype:attempted-user; sid:10984; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Second Sight Software ActiveMod ActiveX clsid access"; flow:to_client,established; file_data; content:"2078D6EC-693C-4FB2-AE7B-A6B8D2BC4DC8"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2078D6EC-693C-4FB2-AE7B-A6B8D2BC4DC8\s*}?\s*(?P=q5)(\s|>)/si"; metadata:service http; reference:bugtraq,23554; reference:cve,2007-1691; reference:url,www.kb.cert.org/vuls/id/962305; classtype:attempted-user; sid:10982; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Second Sight Software ActiveGS ActiveX function call access"; flow:to_client,established; file_data; content:"ACTIVEGS.ActiveGSCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ACTIVEGS\.ActiveGSCtrl\x22|\x27ACTIVEGS\.ActiveGSCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ACTIVEGS\.ActiveGSCtrl\x22|\x27ACTIVEGS\.ActiveGSCtrl\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,23554; reference:cve,2007-1690; reference:url,www.kb.cert.org/vuls/id/118737; classtype:attempted-user; sid:10980; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Second Sight Software ActiveGS ActiveX clsid access"; flow:to_client,established; file_data; content:"052DF14F-6F28-44A0-9130-294FDA6176EB"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*052DF14F-6F28-44A0-9130-294FDA6176EB\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,23554; reference:cve,2007-1690; reference:url,www.kb.cert.org/vuls/id/118737; classtype:attempted-user; sid:10978; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MarkAny MaPrintModule_WORK ActiveX function call access"; flow:to_client,established; file_data; content:"MAPRINTMODULEWORK.MaPrintModuleWORKCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MAPRINTMODULEWORK\.MaPrintModuleWORKCtrl\x22|\x27MAPRINTMODULEWORK\.MaPrintModuleWORKCtrl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*MaDecodeData\s*|.*(?P=v)\s*\.\s*MaDecodeData\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MAPRINTMODULEWORK\.MaPrintModuleWORKCtrl\x22|\x27MAPRINTMODULEWORK\.MaPrintModuleWORKCtrl\x27)\s*\)(\s*\.\s*MaDecodeData\s*|.*(?P=n)\s*\.\s*MaDecodeData\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,23420; classtype:attempted-user; sid:10478; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MarkAny MaPrintModule_WORK ActiveX clsid access"; flow:to_client,established; file_data; content:"798B9483-B7A6-46C1-9F17-C9B9F02EA811"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*798B9483-B7A6-46C1-9F17-C9B9F02EA811\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(MaDecodeData)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*798B9483-B7A6-46C1-9F17-C9B9F02EA811\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(MaDecodeData))\s*\(/si"; metadata:service http; reference:bugtraq,23420; classtype:attempted-user; sid:10476; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS iPIX Media Send Class ActiveX function call access"; flow:to_client,established; file_data; content:"iPIX.Rimfire4.1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22iPIX\.Rimfire4\.1\x22|\x27iPIX\.Rimfire4\.1\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iPIX\.Rimfire4\.1\x22|\x27iPIX\.Rimfire4\.1\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,23379; reference:cve,2007-1687; reference:url,www.kb.cert.org/vuls/id/958609; classtype:attempted-user; sid:10472; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS iPIX Media Send Class ActiveX clsid access"; flow:to_client,established; file_data; content:"d04a7099-0c25-4fc7-970f-6ec7d77886f3"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*d04a7099-0c25-4fc7-970f-6ec7d77886f3\s*}?\s*(?P=q4)(\s|>)/si"; metadata:service http; reference:bugtraq,23379; reference:cve,2007-1687; reference:url,www.kb.cert.org/vuls/id/958609; classtype:attempted-user; sid:10470; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS iPIX Image Well ActiveX function call access"; flow:to_client,established; file_data; content:"iPIX.ImageWell"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22iPIX\.ImageWell\x22|\x27iPIX\.ImageWell\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iPIX\.ImageWell\x22|\x27iPIX\.ImageWell\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,23379; reference:cve,2007-1687; reference:url,www.kb.cert.org/vuls/id/958609; classtype:attempted-user; sid:10468; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS iPIX Image Well ActiveX clsid access"; flow:to_client,established; file_data; content:"ef8d9f2a-f641-4ef0-b2ec-3ba2be7c2960"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*ef8d9f2a-f641-4ef0-b2ec-3ba2be7c2960\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,23379; reference:cve,2007-1687; reference:url,www.kb.cert.org/vuls/id/958609; classtype:attempted-user; sid:10466; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kaspersky AntiVirus KAV60Info ActiveX function call access"; flow:to_client,established; file_data; content:"AxKLProd60.KAV60Info"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22AxKLProd60\.KAV60Info\x22|\x27AxKLProd60\.KAV60Info\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*|.*(?P=v)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AxKLProd60\.KAV60Info\x22|\x27AxKLProd60\.KAV60Info\x27)\s*\)(\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*|.*(?P=n)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,23345; reference:cve,2007-1112; reference:url,www.kaspersky.com/technews?id=203038693; classtype:attempted-user; sid:10433; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kaspersky AntiVirus KAV60Info ActiveX clsid access"; flow:to_client,established; file_data; content:"D9EC22E7-1A86-4F7C-8940-0303AE5D6756"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D9EC22E7-1A86-4F7C-8940-0303AE5D6756\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D9EC22E7-1A86-4F7C-8940-0303AE5D6756\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading))\s*\(/si"; metadata:service http; reference:bugtraq,23345; reference:cve,2007-1112; reference:url,www.kaspersky.com/technews?id=203038693; classtype:attempted-user; sid:10431; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kaspersky AntiVirus SysInfo ActiveX function call access"; flow:to_client,established; file_data; content:"KL.SysInfo"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22KL\.SysInfo\x22|\x27KL\.SysInfo\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*|.*(?P=v)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22KL\.SysInfo\x22|\x27KL\.SysInfo\x27)\s*\)(\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*|.*(?P=n)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*)\s*\(/smi"; metadata:service http; reference:bugtraq,23325; reference:cve,2007-1112; reference:url,www.kaspersky.com/technews?id=203038693; reference:url,www.kaspersky.com/technews?id=203038694; classtype:attempted-user; sid:10429; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kaspersky AntiVirus SysInfo ActiveX clsid access"; flow:to_client,established; file_data; content:"BA61606B-258C-4021-AD27-E07A3F3B91DB"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA61606B-258C-4021-AD27-E07A3F3B91DB\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA61606B-258C-4021-AD27-E07A3F3B91DB\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading))\s*\(/si"; metadata:service http; reference:bugtraq,23325; reference:cve,2007-1112; reference:url,www.kaspersky.com/technews?id=203038693; reference:url,www.kaspersky.com/technews?id=203038694; classtype:attempted-user; sid:10427; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Audio Conferencing ActiveX function call access"; flow:to_client,established; file_data; content:"Yahoo.AudioConf"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Yahoo\.AudioConf\x22|\x27Yahoo\.AudioConf\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*createAndJoinConference\s*|.*(?P=v)\s*\.\s*createAndJoinConference\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Yahoo\.AudioConf\x22|\x27Yahoo\.AudioConf\x27)\s*\)(\s*\.\s*createAndJoinConference\s*|.*(?P=n)\s*\.\s*createAndJoinConference\s*)\s*\(/Osmi"; metadata:service http; reference:bugtraq,23291; reference:cve,2007-1680; reference:url,messenger.yahoo.com/security_update.php?id=031207; classtype:attempted-user; sid:10425; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Audio Conferencing ActiveX clsid access"; flow:to_client,established; file_data; content:"2B323CD9-50E3-11D3-9466-00A0C9700498"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2B323CD9-50E3-11D3-9466-00A0C9700498\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(createAndJoinConference)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2B323CD9-50E3-11D3-9466-00A0C9700498\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(createAndJoinConference))\s*\(/Osi"; metadata:service http; reference:bugtraq,23291; reference:cve,2007-1680; reference:url,messenger.yahoo.com/security_update.php?id=031207; classtype:attempted-user; sid:10423; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Mercury Quality Center SPIDERLib ActiveX function call access"; flow:to_client,established; file_data; content:"SPIDERLib.Loader"; pcre:"/(?P\w+)\s*=\s*(\x22SPIDERLib\.Loader\x22|\x27SPIDERLib\.Loader\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ProgColor\s*|.*(?P=v)\s*\.\s*ProgColor\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SPIDERLib\.Loader\x22|\x27SPIDERLib\.Loader\x27)\s*\)(\s*\.\s*ProgColor\s*|.*(?P=n)\s*\.\s*ProgColor)\s*=/siO"; metadata:service http; reference:bugtraq,23239; reference:cve,2007-1819; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872; classtype:attempted-user; sid:10421; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Mercury Quality Center SPIDERLib ProgColor ActiveX clsid access"; flow:to_client,established; file_data; content:"98C53984-8BF8-4D11-9B1C-C324FCA9CADE"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*98C53984-8BF8-4D11-9B1C-C324FCA9CADE\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ProgColor)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*98C53984-8BF8-4D11-9B1C-C324FCA9CADE\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(ProgColor))\s*=/siO"; metadata:service http; reference:bugtraq,23239; reference:cve,2007-1819; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872; classtype:attempted-user; sid:10419; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus SameTime STJNILoader ActiveX function call access"; flow:to_client,established; file_data; content:"JNILOADER.JNILoaderCtrl"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22JNILOADER\.JNILoaderCtrl\x22|\x27JNILOADER\.JNILoaderCtrl\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(LoadLibrary)\s*\(|.*\3\s*\.\s*(LoadLibrary)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22JNILOADER\.JNILoaderCtrl\x22|\x27JNILOADER\.JNILoaderCtrl\x27)\s*\)(\s*\.\s*(LoadLibrary)\s*\(|.*\7\s*\.\s*(LoadLibrary)\s*\()/smi"; metadata:service http; reference:bugtraq,23201; reference:cve,2007-1784; reference:url,www-1.ibm.com/support/docview.wss?uid=swg21257029; reference:url,www.securityfocus.com/archive/1/464185; classtype:attempted-user; sid:10417; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus SameTime STJNILoader ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"7261EE42-318E-490A-AE8F-77649DBA1ECA"; fast_pattern:only; pcre:"/(]\s*?id\s*?=\s*?(\x22|\x27)\s*?LoadLibrary\s*?(\x22|\x27)\s*?classid\s*?\=\s*?(\x22|\x27)\s*?clsid\s*?\x3a.*?7261EE42-318E-490A-AE8F-77649DBA1ECA.*?LoadLibrary)|(]\s*?classid\s*?\=\s*?(\x22|\x27)\s*?clsid\s*?\x3a\s*?7261EE42-318E-490A-AE8F-77649DBA1ECA.*?id\s*?=\s*?(\x22|\x27)\s*?LoadLibrary)/smi"; metadata:service http; reference:bugtraq,23201; reference:cve,2007-1784; reference:url,www-1.ibm.com/support/docview.wss?uid=swg21257029; reference:url,www.securityfocus.com/archive/1/464185; classtype:attempted-user; sid:10415; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus SameTime STJNILoader Alt CLSID ActiveX function call access"; flow:to_client,established; file_data; content:"JNILOADER.JNILoaderCtrl"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22JNILOADER\.JNILoaderCtrl\x22|\x27JNILOADER\.JNILoaderCtrl\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(LoadLibrary)\s*\(|.*\3\s*\.\s*(LoadLibrary)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22JNILOADER\.JNILoaderCtrl\x22|\x27JNILOADER\.JNILoaderCtrl\x27)\s*\)(\s*\.\s*(LoadLibrary)\s*\(|.*\7\s*\.\s*(LoadLibrary)\s*\()/smi"; metadata:service http; reference:bugtraq,23201; reference:cve,2007-1784; reference:url,www-1.ibm.com/support/docview.wss?uid=swg21257029; reference:url,www.securityfocus.com/archive/1/464185; classtype:attempted-user; sid:10414; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus SameTime STJNILoader ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"0B9C9C7D-ED81-4594-AFCB-FC5588125382"; fast_pattern:only; pcre:"/(]\s*?id\s*?=\s*?(\x22|\x27)\s*?LoadLibrary\s*?(\x22|\x27)\s*?classid\s*?\=\s*?(\x22|\x27)\s*?clsid\s*?\x3a.*?0B9C9C7D-ED81-4594-AFCB-FC5588125382.*?LoadLibrary)|(]\s*?classid\s*?\=\s*?(\x22|\x27)\s*?clsid\s*?\x3a\s*?0B9C9C7D-ED81-4594-AFCB-FC5588125382.*?id\s*?=\s*?(\x22|\x27)\s*?LoadLibrary)/smi"; metadata:service http; reference:bugtraq,23201; reference:cve,2007-1784; reference:url,www-1.ibm.com/support/docview.wss?uid=swg21257029; reference:url,www.securityfocus.com/archive/1/464185; classtype:attempted-user; sid:10412; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SignKorea SKCommAX ActiveX function call access"; flow:to_client,established; file_data; content:"SKCommAX"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22SKCommAX\x22|\x27SKCommAX\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(DownloadCertificateExt)\s*\(|.*\3\s*\.\s*(DownloadCertificateExt)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SKCommAX\x22|\x27SKCommAX\x27)\s*\)(\s*\.\s*(DownloadCertificateExt)\s*\(|.*\7\s*\.\s*(DownloadCertificateExt)\s*\()/smi"; metadata:service http; classtype:attempted-user; sid:10406; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SignKorea SKCommAX ActiveX clsid access"; flow:established,to_client; file_data; content:"EC5D5118-9FDE-4A3E-84F3-C2B711740E70"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EC5D5118-9FDE-4A3E-84F3-C2B711740E70\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(DownloadCertificateExt)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EC5D5118-9FDE-4A3E-84F3-C2B711740E70\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\s*\.\s*(DownloadCertificateExt))\s*=/siO"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:10404; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec SupportSoft SmartIssue ActiveX function call access"; flow:to_client,established; file_data; content:"SPRT.SmartIssue"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SPRT\.SmartIssue(\.\d)?\x22|\x27SPRT\.SmartIssue(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*EnableExtension\s*|.*(?P=v)\s*\.\s*EnableExtension\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SPRT\.SmartIssue(\.\d)?\x22|\x27SPRT\.SmartIssue(\.\d)?\x27)\s*\)(\s*\.\s*EnableExtension\s*|.*(?P=n)\s*\.\s*EnableExtension\s*)\s*\(/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22564; reference:cve,2006-6490; reference:url,securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html; classtype:attempted-user; sid:10395; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Support Controls SmartIssue ActiveX function call access"; flow:to_client,established; file_data; content:"SYMC.SmartIssue"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22SYMC\.SmartIssue\x22|\x27SYMC\.SmartIssue\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(EnableExtension)\s*\(|.*\3\s*\.\s*(EnableExtension)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SYMC\.SmartIssue\x22|\x27SYMC\.SmartIssue\x27)\s*\)(\s*\.\s*(EnableExtension)\s*\(|.*\7\s*\.\s*(EnableExtension)\s*\()/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22564; reference:cve,2006-6490; reference:url,securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html; classtype:attempted-user; sid:10392; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Support Controls SmartIssue ActiveX clsid access"; flow:established,to_client; file_data; content:"44990200-3c9d-426d-81df-aab636fa4345"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*44990200-3c9d-426d-81df-aab636fa4345\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(EnableExtension)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*44990200-3c9d-426d-81df-aab636fa4345\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\s*\.\s*(EnableExtension))\s*=/siO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22564; reference:cve,2006-6490; reference:url,securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html; classtype:attempted-user; sid:10390; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee Site Manager ActiveX function call access attempt"; flow:to_client,established; file_data; content:"SiteManager.SiteMgr.1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SiteManager\.SiteMgr\.1(\.\d)?\x22|\x27SiteManager\.SiteMgr\.1(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(ExportSiteList|VerifyPackageCatalog)\s*|.*(?P=v)\s*\.\s*(ExportSiteList|VerifyPackageCatalog)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SiteManager\.SiteMgr\.1(\.\d)?\x22|\x27SiteManager\.SiteMgr\.1(\.\d)?\x27)\s*\)(\s*\.\s*(ExportSiteList|VerifyPackageCatalog)\s*|.*(?P=n)\s*\.\s*(ExportSiteList|VerifyPackageCatalog)\s*)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,22952; reference:cve,2007-1498; classtype:attempted-user; sid:10389; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee Site Manager ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"4124FDF6-B540-44C5-96B4-A380CEE9826A"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4124FDF6-B540-44C5-96B4-A380CEE9826A\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(ExportSiteList|VerifyPackageCatalog)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4124FDF6-B540-44C5-96B4-A380CEE9826A\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(ExportSiteList|VerifyPackageCatalog))/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,22952; reference:cve,2007-1498; classtype:attempted-user; sid:10387; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Shockwave ActiveX Control ActiveX function call access"; flow:to_client,established; file_data; content:"SWCtl.SWCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SWCtl\.SWCtl(\.\d)?\x22|\x27SWCtl\.SWCtl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(BGCOLOR|SRC|AutoStart|Sound|DrawLogo|DrawPress)\s*|.*(?P=v)\s*\.\s*(BGCOLOR|SRC|AutoStart|Sound|DrawLogo|DrawPress)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SWCtl\.SWCtl(\.\d)?\x22|\x27SWCtl\.SWCtl(\.\d)?\x27)\s*\)(\s*\.\s*(BGCOLOR|SRC|AutoStart|Sound|DrawLogo|DrawPress)\s*|.*(?P=n)\s*\.\s*(BGCOLOR|SRC|AutoStart|Sound|DrawLogo|DrawPress)\s*)/smiO"; metadata:service http; reference:bugtraq,22067; reference:bugtraq,22842; reference:cve,2006-6885; classtype:attempted-user; sid:10216; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Shockwave ActiveX Control clsid access"; flow:to_client,established; file_data; content:"233C1507-6A77-46A4-9443-F871F945D258"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,22067; reference:bugtraq,22842; reference:cve,2006-6885; reference:cve,2007-1403; classtype:attempted-user; sid:10214; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DivXBrowserPlugin ActiveX function call access"; flow:to_client,established; file_data; content:"npdivx.DivXBrowserPlugin"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22npdivx\.DivXBrowserPlugin\x22|\x27npdivx\.DivXBrowserPlugin\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(Resize)\s*\(|.*\3\s*\.\s*(Resize)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22npdivx\.DivXBrowserPlugin\x22|\x27npdivx\.DivXBrowserPlugin\x27)\s*\)(\s*\.\s*(Resize)\s*\(|.*\7\s*\.\s*(Resize)\s*\()/smi"; metadata:service http; classtype:attempted-user; sid:10191; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DivXBrowserPlugin ActiveX clsid access"; flow:established,to_client; file_data; content:"67DABFBF-D0AB-41fa-9C46-CC0F21721616"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(Resize)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\s*\.\s*(Resize))\s*=/siO"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:10189; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Shell User Enumeration Object ActiveX function call access"; flow:to_client,established; file_data; content:"Shell.Users.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22Shell\.Users\.1\x22|\x27Shell\.Users\.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Shell\.Users\.1\x22|\x27Shell\.Users\.1\x27)\s*\)/smi"; metadata:service http; classtype:attempted-user; sid:10178; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Shell User Enumeration Object ActiveX clsid access"; flow:to_client,established; file_data; content:"60664CAF-AF0D-0004-A300-5C7D25FF22A0"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*60664CAF-AF0D-0004-A300-5C7D25FF22A0\s*}?\s*\1/si"; metadata:service http; classtype:attempted-user; sid:10176; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Trend Micro OfficeScan Client ActiveX function call access"; flow:to_client,established; file_data; content:"SetupINICtrl"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22SetupINICtrl\x22|\x27SetupINICtrl\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SetupINICtrl\x22|\x27SetupINICtrl\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,22585; reference:cve,2007-0325; classtype:attempted-user; sid:10175; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Trend Micro OfficeScan Client ActiveX clsid access"; flow:to_client,established; file_data; content:"08D75BB0-D2B5-11D1-88FC-0080C859833B"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*08D75BB0-D2B5-11D1-88FC-0080C859833B\s*}?\s*\1/si"; metadata:service http; reference:bugtraq,22585; reference:cve,2007-0325; classtype:attempted-user; sid:10173; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Verisign ConfigCHK ActiveX clsid access"; flow:to_client,established; file_data; content:"08F04139-8DFC-11D2-80E9-006008B066EE"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*08F04139-8DFC-11D2-80E9-006008B066EE\s*}?\s*\1/si"; metadata:service http; reference:bugtraq,22676; reference:cve,2007-1083; classtype:attempted-user; sid:10170; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BrowseDialog ActiveX clsid access"; flow:to_client,established; file_data; content:"19E6E148-BAEC-11D2-B03A-EAFC20524153"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*19E6E148-BAEC-11D2-B03A-EAFC20524153\s*}?\s*\1/si"; metadata:service http; reference:bugtraq,22110; reference:cve,2007-0371; classtype:attempted-user; sid:10162; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ActiveX Soft DVD Tools ActiveX clsid access"; flow:to_client,established; file_data; content:"894A633E-F261-28BD-96F3-380EBEE1BADE"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*894A633E-F261-28BD-96F3-380EBEE1BADE\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,22558; reference:cve,2007-0976; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-bonus-actsoft-dvd-tools.html; classtype:attempted-user; sid:10156; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer BlnSetUser Proxy 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"E56CCB42-598C-462D-9AD8-4FD5B4498C5D"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E56CCB42-598C-462D-9AD8-4FD5B4498C5D\s*}?\s*\1/si"; metadata:service http; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10154; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer BlnSetUser Proxy ActiveX function call access"; flow:to_client,established; file_data; content:"BlnMgrPs.BlnSetUserPs.11"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22BlnMgrPs.BlnSetUserPs.11\x22|\x27BlnMgrPs.BlnSetUserPs.11\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BlnMgrPs.BlnSetUserPs.11\x22|\x27BlnMgrPs.BlnSetUserPs.11\x27)\s*\)/smi"; metadata:service http; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10153; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer BlnSetUser Proxy ActiveX clsid access"; flow:to_client,established; file_data; content:"261F6572-578B-40A7-B72E-61B7261D9F0C"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*261F6572-578B-40A7-B72E-61B7261D9F0C\s*}?\s*\1/si"; metadata:service http; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10151; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer HTML Inline Movie Control ActiveX function call access"; flow:to_client,established; file_data; content:"HTMLInlineVideoCtl.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22HTMLInlineVideoCtl\.1\x22|\x27HTMLInlineVideoCtl\.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HTMLInlineVideoCtl\.1\x22|\x27HTMLInlineVideoCtl\.1\x27)\s*\)/smi"; metadata:service http; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10150; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer HTML Inline Movie Control ActiveX clsid access"; flow:to_client,established; file_data; content:"8422DAE7-9929-11CF-B8D3-004033373DA8"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8422DAE7-9929-11CF-B8D3-004033373DA8\s*}?\s*\1/si"; metadata:service http; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10148; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer HTML Inline Sound Control ActiveX function call access"; flow:to_client,established; file_data; content:"HTMLInlineSoundCtl.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22HTMLInlineSoundCtl\.1\x22|\x27HTMLInlineSoundCtl\.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HTMLInlineSoundCtl\.1\x22|\x27HTMLInlineSoundCtl\.1\x27)\s*\)/smi"; metadata:service http; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10147; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer HTML Inline Sound Control ActiveX clsid access"; flow:to_client,established; file_data; content:"8422DAE3-9929-11CF-B8D3-004033373DA8"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8422DAE3-9929-11CF-B8D3-004033373DA8\s*}?\s*\1/si"; metadata:service http; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10145; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer LexRefBilingualTextContext ActiveX function call access"; flow:to_client,established; file_data; content:"LR.LexRefBilingualTextContext.1.0.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22LR\.LexRefBilingualTextContext\.1\.0\.1\x22|\x27LR\.LexRefBilingualTextContext\.1\.0\.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LR\.LexRefBilingualTextContext\.1\.0\.1\x22|\x27LR\.LexRefBilingualTextContext\.1\.0\.1\x27)\s*\)/smi"; metadata:service http; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10144; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer LexRefBilingualTextContext ActiveX clsid access"; flow:to_client,established; file_data; content:"75C11604-5C51-48B2-B786-DF5E51D10EC9"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*75C11604-5C51-48B2-B786-DF5E51D10EC9\s*}?\s*\1/si"; metadata:service http; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10142; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"DA56F851-D3C5-11D3-844C-00C04F7A06E5"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-4697; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10140; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Input Method Editor ActiveX function call access"; flow:to_client,established; file_data; content:"IMESingleKanjiDict.8.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22IMESingleKanjiDict.8.1\x22|\x27IMESingleKanjiDict.8.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IMESingleKanjiDict.8.1\x22|\x27IMESingleKanjiDict.8.1\x27)\s*\)/smi"; metadata:service http; reference:cve,2006-4697; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10139; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Input Method Editor ActiveX clsid access"; flow:to_client,established; file_data; content:"6E3197A3-BBC3-11D4-84C0-00C04F7A06E5"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E3197A3-BBC3-11D4-84C0-00C04F7A06E5\s*}?\s*\1/si"; metadata:service http; reference:cve,2006-4697; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10137; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Aliplay ActiveX clsid access"; flow:established,to_client; file_data; content:"66F50F46-70A0-4A05-BD5E-FBCC0F9641EC"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*66F50F46-70A0-4A05-BD5E-FBCC0F9641EC\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(remove)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*66F50F46-70A0-4A05-BD5E-FBCC0F9641EC\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\s*\.\s*(remove))\s*=/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,22446; reference:cve,2007-0827; classtype:attempted-user; sid:10128; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NCTAudioFile2 ActiveX function call access"; flow:to_client,established; file_data; content:"NCTAudioFile2.AudioFile"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22NCTAudioFile2\.AudioFile(\.\d)?\x22|\x27NCTAudioFile2\.AudioFile(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SetFormatLikeSample|CreateFile)\s*|.*(?P=v)\s*\.\s*(SetFormatLikeSample|CreateFile)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCTAudioFile2\.AudioFile(\.\d)?\x22|\x27NCTAudioFile2\.AudioFile(\.\d)?\x27)\s*\)(\s*\.\s*(SetFormatLikeSample|CreateFile)\s*|.*(?P=n)\s*\.\s*(SetFormatLikeSample|CreateFile)\s*)\s*\(/smiO"; metadata:service http; reference:bugtraq,22196; reference:bugtraq,33469; reference:cve,2007-0018; reference:url,www.kb.cert.org/vuls/id/292713; classtype:attempted-user; sid:10086; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NCTAudioFile2 ActiveX clsid access"; flow:to_client,established; file_data; content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*77829F14-D911-40FF-A2F0-D11DB8D6D0BC\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(SetFormatLikeSample|CreateFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*77829F14-D911-40FF-A2F0-D11DB8D6D0BC\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m14)(\s|>).*(?P=id2)\.(SetFormatLikeSample|CreateFile))\s*\(/siO"; metadata:service http; reference:bugtraq,22196; reference:bugtraq,33469; reference:cve,2007-0018; reference:url,www.kb.cert.org/vuls/id/292713; classtype:attempted-user; sid:10084; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle ORADC ActiveX function call access"; flow:to_client,established; file_data; content:"ORADC.ORADCCtrl"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\3\s*\.\s*(UpdateRecord)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\7\s*\.\s*(UpdateRecord)\s*\()/smi"; metadata:service http; reference:bugtraq,22026; classtype:attempted-user; sid:10017; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CCRP FolderTreeView ActiveX clsid access"; flow:to_client,established; file_data; content:"19B7F2D6-1610-11D3-BF30-1AF820524153"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*19B7F2D6-1610-11D3-BF30-1AF820524153\s*}?\s*\1/si"; metadata:service http; reference:bugtraq,22092; reference:cve,2007-0356; reference:url,ccrp.mvps.org/index.html?controls/ccrpftv6.htm; classtype:attempted-user; sid:10013; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Rediff Bol Downloader ActiveX function call access"; flow:to_client,established; file_data; content:"BOLDOWNLOADER.BolDownloaderCtrl.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22BOLDOWNLOADER.BolDownloaderCtrl.1\x22|\x27BOLDOWNLOADER.BolDownloaderCtrl.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BOLDOWNLOADER.BolDownloaderCtrl.1\x22|\x27BOLDOWNLOADER.BolDownloaderCtrl.1\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,21831; reference:cve,2006-6838; classtype:attempted-user; sid:9826; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Rediff Bol Downloader ActiveX clsid access"; flow:to_client,established; file_data; content:"BADA82CB-BF48-4D76-9611-78E2C6F49F03"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BADA82CB-BF48-4D76-9611-78E2C6F49F03\s*}?\s*\1/si"; metadata:service http; reference:bugtraq,21831; reference:cve,2006-6838; classtype:attempted-user; sid:9824; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS TriEditDocument.TriEditDocument ActiveX clsid access"; flow:to_client,established; file_data; content:"438DA5E0-F171-11D0-984E-0000F80270F8"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*438DA5E0-F171-11D0-984E-0000F80270F8\s*}?\s*\1/si"; metadata:service http; reference:bugtraq,18946; reference:cve,2006-3591; reference:url,browserfun.blogspot.com/2006/07/mobb-12-trieditdocument-url.html; classtype:attempted-user; sid:9821; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS OWC11.DataSourceControl.11 ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.DataSourceControl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\)/smiO"; metadata:service http; reference:bugtraq,19069; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; classtype:attempted-user; sid:9820; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CEnroll.CEnroll.2 ActiveX clsid access"; flow:to_client,established; file_data; content:"127698E4-E730-4E5C-A2B1-21490A70C8A1"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*127698E4-E730-4E5C-A2B1-21490A70C8A1\s*}?\s*\1/si"; metadata:service http; classtype:attempted-user; sid:9817; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Messenger YMMAPI.YMailAttach ActiveX function call access"; flow:to_client,established; file_data; content:"YMMAPI.YMailAttach"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22YMMAPI\.YMailAttach(\.\d)?\x22|\x27YMMAPI\.YMailAttach(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*TextETACalculating\s*|.*(?P=v)\s*\.\s*TextETACalculating\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YMMAPI\.YMailAttach(\.\d)?\x22|\x27YMMAPI\.YMailAttach(\.\d)?\x27)\s*\)(\s*\.\s*TextETACalculating\s*|.*(?P=n)\s*\.\s*TextETACalculating\s*)/smiO"; metadata:service http; reference:bugtraq,21607; reference:cve,2006-6603; reference:url,messenger.yahoo.com/security_update.php?id=120806; classtype:attempted-user; sid:9812; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Panda ActiveScan PAVPZ.SOS.1 ActiveX function call access"; flow:to_client,established; file_data; content:"PAVPZ.SOS.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22PAVPZ.SOS.1\x22|\x27PAVPZ.SOS.1\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(ObtenerTamano)\s*\(|.*\3\s*\.\s*(ObtenerTamano)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PAVPZ.SOS.1\x22|\x27PAVPZ.SOS.1\x27)\s*\)(\s*\.\s*(ObtenerTamano)\s*\(|.*\7\s*\.\s*(ObtenerTamano)\s*\()/smi"; metadata:service http; classtype:attempted-user; sid:9800; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Panda ActiveScan PAVPZ.SOS.1 ActiveX clsid access"; flow:established,to_client; file_data; content:"DA2BD42B-07E8-413A-9FEA-BB3B2E825340"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DA2BD42B-07E8-413A-9FEA-BB3B2E825340\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(ObtenerTamano)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DA2BD42B-07E8-413A-9FEA-BB3B2E825340\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\s*\.\s*(ObtenerTamano))\s*=/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21132; reference:cve,2006-5966; classtype:attempted-user; sid:9798; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Panda ActiveScan ActiveScan.1 ActiveX function call access"; flow:to_client,established; file_data; content:"ActiveScan.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22ActiveScan.1\x22|\x27ActiveScan.1\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(Analizar|Reinicializar)\s*\(|.*\3\s*\.\s*(Analizar|Reinicializar)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ActiveScan.1\x22|\x27ActiveScan.1\x27)\s*\)(\s*\.\s*(Analizar|Reinicializar)\s*\(|.*\7\s*\.\s*(Analizar|Reinicializar)\s*\()/smi"; metadata:service http; classtype:attempted-user; sid:9797; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Panda ActiveScan ActiveScan.1 ActiveX clsid access"; flow:established,to_client; file_data; content:"DA2BD42B-07E8-413A-9FEA-BB3B2E825340"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DA2BD42B-07E8-413A-9FEA-BB3B2E825340\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(Analizar|Reinicializar)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DA2BD42B-07E8-413A-9FEA-BB3B2E825340\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\s*\.\s*(Analizar|Reinicializar))\s*=/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21132; reference:cve,2006-5966; classtype:attempted-user; sid:9795; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS YMMAPI.YMailAttach ActiveX clsid access"; flow:established,to_client; file_data; content:"AA218328-0EA8-4D70-8972-E987A9190FF4"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA218328-0EA8-4D70-8972-E987A9190FF4\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(TextETACalculating)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA218328-0EA8-4D70-8972-E987A9190FF4\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\s*\.\s*(TextETACalculating))\s*=/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21607; reference:cve,2006-6603; reference:url,messenger.yahoo.com/security_update.php?id=120806; classtype:attempted-user; sid:9793; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer AutoStream.AutoStream.1 ActiveX function call access"; flow:to_client,established; file_data; content:"AutoStream.AutoStream.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22AutoStream.AutoStream.1\x22|\x27AutoStream.AutoStream.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AutoStream.AutoStream.1\x22|\x27AutoStream.AutoStream.1\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,21802; reference:cve,2006-6847; classtype:attempted-user; sid:9673; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer AutoStream.AutoStream.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"405DE7C0-E7DD-11D2-92C5-00C0F01F77C1"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*405DE7C0-E7DD-11D2-92C5-00C0F01F77C1\s*}?\s*\1/si"; metadata:service http; reference:bugtraq,21802; reference:cve,2006-6847; classtype:attempted-user; sid:9671; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Outlook Recipient Control ActiveX function call access"; flow:to_client,established; file_data; content:"RECIP.RecipCtl.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22RECIP.RecipCtl.1\x22|\x27RECIP.RecipCtl.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RECIP.RecipCtl.1\x22|\x27RECIP.RecipCtl.1\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,21649; reference:cve,2006-6659; classtype:attempted-user; sid:9670; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Outlook Recipient Control ActiveX clsid access"; flow:to_client,established; file_data; content:"0006F023-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0006F023-0000-0000-C000-000000000046\s*}?\s*\1/si"; metadata:service http; reference:bugtraq,21649; reference:cve,2006-6659; classtype:attempted-user; sid:9668; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Citrix.ICAClient ActiveX function call access"; flow:to_client,established; file_data; content:"Citrix.ICAClient"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Citrix\.ICAClient(\.\d)?\x22|\x27Citrix\.ICAClient(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SendChannelData\s*|.*(?P=v)\s*\.\s*SendChannelData\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Citrix\.ICAClient(\.\d)?\x22|\x27Citrix\.ICAClient(\.\d)?\x27)\s*\)(\s*\.\s*SendChannelData\s*|.*(?P=n)\s*\.\s*SendChannelData\s*)/smiO"; metadata:service http; reference:bugtraq,23246; reference:cve,2006-6334; reference:url,support.citrix.com/article/CTX111827; classtype:attempted-user; sid:9631; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Acer LunchApp.APlunch ActiveX clsid access"; flow:to_client,established; file_data; content:"D9998BD0-7957-11D2-8FED-00606730D3AA"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D9998BD0-7957-11D2-8FED-00606730D3AA\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:url,global.acer.com/support/patch20070101.htm; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; reference:url,vuln.sg/acerlunchapp-en.html; classtype:attempted-user; sid:9427; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WinZip FileView 6.1 ActiveX function call access"; flow:to_client,established; file_data; content:"WZFILEVIEW.FileViewCtrl.61"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22WZFILEVIEW\.FileViewCtrl\.61(\.\d)?\x22|\x27WZFILEVIEW\.FileViewCtrl\.61(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WZFILEVIEW\.FileViewCtrl\.61(\.\d)?\x22|\x27WZFILEVIEW\.FileViewCtrl\.61(\.\d)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21060; reference:bugtraq,21108; reference:cve,2006-3890; reference:cve,2006-5198; reference:url,www.winzip.com/wz7245.htm; classtype:attempted-user; sid:9131; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Agent v1.5 ActiveX function call access"; flow:to_client,established; file_data; content:"Agent.Control.1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Agent\.Control\.1\x22|\x27Agent\.Control\.1\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Agent\.Control\.1\x22|\x27Agent\.Control\.1\x27)\s*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-1214; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:8856; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Agent v2.0 ActiveX function call access"; flow:to_client,established; file_data; content:"Agent.Control.2"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Agent\.Control\.2\x22|\x27Agent\.Control\.2\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Characters\.Load\s*|.*(?P=v)\s*\.\s*Characters\.Load\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Agent\.Control\.2\x22|\x27Agent\.Control\.2\x27)\s*\)(\s*\.\s*Characters\.Load\s*|.*(?P=n)\s*\.\s*Characters\.Load\s*)\s*\(/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:8854; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Agent v2.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"D45FD31B-5C6E-11D1-9EC1-00C04FD7081F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31B-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Characters\.Load)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31B-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Characters\.Load))\s*\(/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:8852; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Agent Custom Proxy Class ActiveX clsid access"; flow:to_client,established; file_data; content:"4BAC124B-78C8-11D1-B9A8-00C04FD97575"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4BAC124B-78C8-11D1-B9A8-00C04FD97575\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:8850; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Agent Notify Sink Custom Proxy Class ActiveX clsid access"; flow:to_client,established; file_data; content:"D45FD31D-5C6E-11D1-9EC1-00C04FD7081F"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31D-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:8848; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Agent Character Custom Proxy Class ActiveX clsid access"; flow:to_client,established; file_data; content:"D45FD31E-5C6E-11D1-9EC1-00C04FD7081F"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31E-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:8846; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX function call access"; flow:to_client,established; file_data; content:"DWUSWebAgent.WebAgent"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DWUSWebAgent\.WebAgent\x22|\x27DWUSWebAgent\.WebAgent\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DownloadAndExecute|AddFileEx|ExecuteRemote)\s*|.*(?P=v)\s*\.\s*(DownloadAndExecute|AddFileEx|ExecuteRemote)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DWUSWebAgent\.WebAgent\x22|\x27DWUSWebAgent\.WebAgent\x27)\s*\)(\s*\.\s*(DownloadAndExecute|AddFileEx|ExecuteRemote)\s*|.*(?P=n)\s*\.\s*(DownloadAndExecute|AddFileEx|ExecuteRemote)\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:8740; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BOWebAgent.Webagent.1 ActiveX function call access"; flow:to_client,established; file_data; content:"BOWebAgent.Webagent.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22BOWebAgent.Webagent.1\x22|\x27BOWebAgent.Webagent.1\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(DownloadAndExecute|AddFileEx)\s*\(|.*\3\s*\.\s*(DownloadAndExecute|AddFileEx)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BOWebAgent.Webagent.1\x22|\x27BOWebAgent.Webagent.1\x27)\s*\)(\s*\.\s*(DownloadAndExecute|AddFileEx)\s*\(|.*\7\s*\.\s*(DownloadAndExecute|AddFileEx)\s*\()/smi"; metadata:service http; classtype:attempted-user; sid:8737; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BOWebAgent.Webagent.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"85A4A99C-8C3D-499E-A386-E0743DFF8FB7"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*85A4A99C-8C3D-499E-A386-E0743DFF8FB7/si"; metadata:service http; classtype:attempted-user; sid:8735; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows System Monitor ActiveX clsid access"; flow:to_client,established; file_data; content:"C4D2D8E0-D1DD-11CE-940F-008029004347"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C4D2D8E0-D1DD-11CE-940F-008029004347/si"; metadata:service http; reference:bugtraq,1899; reference:cve,2000-1034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-085; classtype:attempted-user; sid:8725; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Outlook Data Object ActiveX clsid access"; flow:to_client,established; file_data; content:"0006F033-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F033-0000-0000-C000-000000000046/si"; metadata:service http; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8721; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VisualStudio.DTE.8.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"BA018599-1DB3-44f9-83B4-461454C84BF8"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BA018599-1DB3-44f9-83B4-461454C84BF8/si"; metadata:service http; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8719; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VsaIDE.DTE ActiveX clsid access"; flow:to_client,established; file_data; content:"E8CCCDDF-CA28-496b-B050-6C07C962476B"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8CCCDDF-CA28-496b-B050-6C07C962476B/si"; metadata:service http; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8717; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.NDFXArtEffects ActiveX function call access"; flow:to_client,established; file_data; content:"DXImageTransform.Microsoft.NDFXArtEffects.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DXImageTransform.Microsoft.NDFXArtEffects.1\x22|\x27DXImageTransform.Microsoft.NDFXArtEffects.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DXImageTransform.Microsoft.NDFXArtEffects.1\x22|\x27DXImageTransform.Microsoft.NDFXArtEffects.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19340; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:8425; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Forms 2.0 ListBox ActiveX function call access"; flow:to_client,established; file_data; content:"Forms.ListBox.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Forms.ListBox.1\x22|\x27Forms.ListBox.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Forms.ListBox.1\x22|\x27Forms.ListBox.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; reference:url,browserfun.blogspot.com/2006/07/mobb-24-formslistbox1-listwidth.html; classtype:attempted-user; sid:8424; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CEnroll.CEnroll.2 ActiveX function call access"; flow:to_client,established; file_data; content:"CEnroll.CEnroll.2"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22CEnroll\.CEnroll\.2\x22|\x27CEnroll\.CEnroll\.2\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CEnroll\.CEnroll\.2\x22|\x27CEnroll\.CEnroll\.2\x27)\s*\)/smi"; metadata:service http; classtype:attempted-user; sid:8423; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX clsid access"; flow:to_client,established; file_data; content:"0006F063-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0006F063-0000-0000-C000-000000000046\s*}?\s*\1/si"; metadata:service http; reference:bugtraq,101098; reference:bugtraq,3025; reference:bugtraq,3026; reference:cve,2001-0538; reference:cve,2017-11774; reference:url,browserfun.blogspot.com/2006/07/mobb-20-ovctl-newdefaultitem.html; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-038; classtype:attempted-user; sid:8422; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS OWC11.DataSourceControl.11 ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.DataSourceControl.11"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22OWC11.DataSourceControl.11\x22|\x27OWC11.DataSourceControl.11\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22OWC11.DataSourceControl.11\x22|\x27OWC11.DataSourceControl.11\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; classtype:attempted-user; sid:8421; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.Gradient ActiveX function call access"; flow:to_client,established; file_data; content:"DXImageTransform.Microsoft.Gradient.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DXImageTransform.Microsoft.Gradient.1\x22|\x27DXImageTransform.Microsoft.Gradient.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DXImageTransform.Microsoft.Gradient.1\x22|\x27DXImageTransform.Microsoft.Gradient.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; reference:url,browserfun.blogspot.com/2006/07/mobb-17-gradient-startcolorstr.html; classtype:attempted-user; sid:8420; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.RevealTrans ActiveX function call access"; flow:to_client,established; file_data; content:"DXImageTransform.Microsoft.RevealTrans.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DXImageTransform.Microsoft.RevealTrans.1\x22|\x27DXImageTransform.Microsoft.RevealTrans.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DXImageTransform.Microsoft.RevealTrans.1\x22|\x27DXImageTransform.Microsoft.RevealTrans.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; reference:url,browserfun.blogspot.com/2006/07/mobb-13-revealtrans-transition.html; classtype:attempted-user; sid:8418; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS TriEditDocument.TriEditDocument ActiveX function call access"; flow:to_client,established; file_data; content:"TriEditDocument.TriEditDocument"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22TriEditDocument.TriEditDocument\x22|\x27TriEditDocument.TriEditDocument\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TriEditDocument.TriEditDocument\x22|\x27TriEditDocument.TriEditDocument\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,18946; reference:cve,2006-3591; reference:url,browserfun.blogspot.com/2006/07/mobb-12-trieditdocument-url.html; classtype:attempted-user; sid:8417; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DocFind Command ActiveX clsid access"; flow:to_client,established; file_data; content:"B005E690-678D-11D1-B758-00A0C90564FE"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B005E690-678D-11D1-B758-00A0C90564FE/si"; metadata:service http; classtype:attempted-user; sid:8411; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Stream Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"A1A41E11-91DB-4461-95CD-0C02327FD934"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m15)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1A41E11-91DB-4461-95CD-0C02327FD934\s*}?\s*(?P=q38)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1A41E11-91DB-4461-95CD-0C02327FD934\s*}?\s*(?P=q39)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m16)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8409; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VisualExec Control ActiveX clsid access"; flow:to_client,established; file_data; content:"99EA8527-6A6A-40FE-A67C-82CF763902D0"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*99EA8527-6A6A-40FE-A67C-82CF763902D0/si"; metadata:service http; classtype:attempted-user; sid:8407; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ActiveX clsid access"; flow:to_client,established; file_data; content:"88D96A0A-F192-11D4-A65F-0040963251E5"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*88D96A0A-F192-11D4-A65F-0040963251E5\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20915; reference:cve,2006-5745; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-071; classtype:attempted-user; sid:8405; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS XML Schema Cache 6.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"88D96A07-F192-11D4-A65F-0040963251E5"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*88D96A07-F192-11D4-A65F-0040963251E5/si"; metadata:service http; classtype:attempted-user; sid:8403; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Media Services DRM Storage ActiveX clsid access"; flow:to_client,established; file_data; content:"760C4B83-E211-11D2-BF3E-00805FBE84A6"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*760C4B83-E211-11D2-BF3E-00805FBE84A6/si"; metadata:service http; classtype:attempted-user; sid:8401; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft.WebCapture ActiveX clsid access"; flow:to_client,established; file_data; content:"742D385A-D5BF-427D-9AF2-88258FB73EAF"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*742D385A-D5BF-427D-9AF2-88258FB73EAF/si"; metadata:service http; classtype:attempted-user; sid:8399; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office List 11.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"65BCBEE4-7728-41A0-97BE-14E1CAE36AAE"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*65BCBEE4-7728-41A0-97BE-14E1CAE36AAE/si"; metadata:service http; classtype:attempted-user; sid:8397; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DX3DTransform.Microsoft.CrShatter ActiveX clsid access"; flow:to_client,established; file_data; content:"63500AE2-0858-11D2-8CE4-00C04F8ECB10"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*63500AE2-0858-11D2-8CE4-00C04F8ECB10/si"; metadata:service http; classtype:attempted-user; sid:8395; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebDetectFrm ActiveX clsid access"; flow:to_client,established; file_data; content:"61C669C7-EDDD-4277-BF5E-64807CB8DCEF"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*61C669C7-EDDD-4277-BF5E-64807CB8DCEF/si"; metadata:service http; classtype:attempted-user; sid:8393; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RFXInstMgr Class ActiveX clsid access"; flow:to_client,established; file_data; content:"47F59200-8783-11D2-8343-00A0C945A819"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*47F59200-8783-11D2-8343-00A0C945A819/si"; metadata:service http; classtype:attempted-user; sid:8391; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMP Download Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"44CCBCEB-BA7E-4C99-A078-9F683832D493"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*44CCBCEB-BA7E-4C99-A078-9F683832D493\s*}?\s*(?P=q23)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*44CCBCEB-BA7E-4C99-A078-9F683832D493\s*}?\s*(?P=q24)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m10)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8389; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RNX Download Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"3B5E0503-DE28-4BE8-919C-76E0E894A3C2"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B5E0503-DE28-4BE8-919C-76E0E894A3C2\s*}?\s*(?P=q28)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B5E0503-DE28-4BE8-919C-76E0E894A3C2\s*}?\s*(?P=q29)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m12)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8387; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Playback Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"3B46067C-FD87-49B6-8DDD-12F0D687035F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B46067C-FD87-49B6-8DDD-12F0D687035F\s*}?\s*(?P=q8)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B46067C-FD87-49B6-8DDD-12F0D687035F\s*}?\s*(?P=q9)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8385; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RAM Download Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93\s*}?\s*(?P=q13)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93\s*}?\s*(?P=q14)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8383; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer SMIL Download Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"224E833B-2CC6-42D9-AE39-90B6A38A4FA2"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*224E833B-2CC6-42D9-AE39-90B6A38A4FA2\s*}?\s*(?P=q33)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*224E833B-2CC6-42D9-AE39-90B6A38A4FA2\s*}?\s*(?P=q34)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m14)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8381; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Xml2Dex ActiveX clsid access"; flow:to_client,established; file_data; content:"18C628EE-962A-11D2-8D08-00A0C9441E20"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18C628EE-962A-11D2-8D08-00A0C9441E20/si"; metadata:service http; classtype:attempted-user; sid:8379; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Download Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"0FDF6D6B-D672-463B-846E-C6FF49109662"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0FDF6D6B-D672-463B-846E-C6FF49109662\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0FDF6D6B-D672-463B-846E-C6FF49109662\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8377; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS QuickTime Object ActiveX clsid access"; flow:to_client,established; file_data; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0778; classtype:attempted-user; sid:8375; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VsmIDE.DTE ActiveX clsid access"; flow:to_client,established; file_data; content:"06723E09-F4C2-43c8-8358-09FCD1DB0766"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06723E09-F4C2-43c8-8358-09FCD1DB0766/si"; metadata:service http; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8373; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Outlook.Application ActiveX clsid access"; flow:to_client,established; file_data; content:"0006F03A-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F03A-0000-0000-C000-000000000046/si"; metadata:service http; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8371; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft.DbgClr.DTE.8.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D0C07D56-7C69-43F1-B4A0-25F5A11FAB19/si"; metadata:service http; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8367; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DExplore.AppObj.8.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"639F725F-1B2D-4831-A9FD-874847682010"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*639F725F-1B2D-4831-A9FD-874847682010/si"; metadata:service http; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8365; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Business Object Factory ActiveX clsid access"; flow:to_client,established; file_data; content:"AB9BCEDD-EC7E-47E1-9322-D4A210617116"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AB9BCEDD-EC7E-47E1-9322-D4A210617116/si"; metadata:service http; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8363; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Virtual Machine ActiveX clsid access"; flow:to_client,established; file_data; content:"0D43FE01-F093-11CF-8940-00A0C9054228"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0D43FE01-F093-11CF-8940-00A0C9054228/si"; metadata:service http; reference:bugtraq,1754; reference:cve,2000-1061; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-075; classtype:attempted-user; sid:8069; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX clsid access"; flow:to_client,established; file_data; content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F935DC22-1CF0-11D0-ADB9-00C04FD58A0B/i"; metadata:service http; reference:bugtraq,1399; reference:bugtraq,1754; reference:bugtraq,598; reference:bugtraq,8456; reference:cve,1999-0668; reference:cve,2000-0597; reference:cve,2000-1061; reference:cve,2003-0532; reference:url,support.microsoft.com/default.aspx?scid=kb%3ben-us%3bQ240308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-032; classtype:attempted-user; sid:8066; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet.Typelib ActiveX clsid access"; flow:to_client,established; file_data; content:"06290BD5-48AA-11D2-8432-006008C3FBFC"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06290BD5-48AA-11D2-8432-006008C3FBFC/i"; metadata:service http; reference:bugtraq,1754; reference:bugtraq,598; reference:cve,1999-0668; reference:cve,2000-1061; reference:url,support.microsoft.com/default.aspx?scid=kb%3ben-us%3bKB240308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-032; classtype:attempted-user; sid:8064; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WDM Instance Provider ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:D2D588B5-D081-11D0-99E0-00C04FC2F8EC"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8051; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WaveOut and DSound Class Manager ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:E0F158E1-CB04-11D0-BD4E-00A0C911CE86"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8049; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WaveIn Class Manager ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:33D9A762-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8047; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Video Effect Class Manager 2 Input ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:CC7BFB43-F175-11D1-A392-00E0291F3959"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8045; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Video Effect Class Manager 1 Input ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:CC7BFB42-F175-11D1-A392-00E0291F3959"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8043; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer VFW Capture Class Manager ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:860BB310-5D01-11D0-BD3B-00A0C911CE86"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8041; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer syncui.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:85BBD920-42A0-1069-A2E4-08002B30309D"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8039; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Swedish_Default Stemmer ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:9478F640-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8037; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Spanish_Modern Stemmer ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:B0516FF0-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8035; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer QC.MessageMover.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:ECABB0BF-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8033; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Mslablti.MarshalableTI.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:466D66FA-9616-11D2-9342-0000F875AE17"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8031; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MidiOut Class Manager ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:4EFE2452-168A-11D1-BC76-00C04FB9453B"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8029; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft WBEM Event Subsystem ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:5D08B586-343A-11D0-AD46-00C04FD8FDFF"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8027; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft HTML Window Security Proxy ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:3050F391-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8025; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Italian_Italian Stemmer ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:6D36CE10-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8023; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ISSimpleCommandCreator.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8021; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Address Bar ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:01E04581-4EEE-11D0-BFE9-00AA005B4383"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8019; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ICM Class Manager ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:33D9A760-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; metadata:service http; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8017; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer German_German Stemmer ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:510A4910-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8015; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer French_French Stemmer ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:2A6EB050-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8013; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer English_US Stemmer ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:EEED4C20-7F1B-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8011; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer English_UK Stemmer ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:D99F7670-7F1A-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8009; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Dutch_Dutch Stemmer ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:860D28D0-8BF4-11CE-BE59-00AA0051FE20"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8007; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DiskManagement.Connection ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:FD78D554-4C6E-11D0-970D-00A0C9191601"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8005; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Content.mbcontent.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8003; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CommunicationManager ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:67DCC487-AA48-11D1-8F4F-00C04FB611C7"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8001; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CLSID_CDIDeviceActionConfigPage ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:18AB439E-FCF4-40D4-90DA-F79BAA3B0655"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7999; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CLSID_ApprenticeICW ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:8EE42293-C315-11D0-8D6F-00A0C9A06E1F"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7997; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer clbcatq.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7995; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer clbcatex.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:E846F0A0-D367-11D1-8286-00A0C9231C29"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7993; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ACM Class Manager ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:33D9A761-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7991; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WIA FileSystem USD ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:D2923B86-15F1-46FF-A19A-DE825F919576"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7989; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebViewFolderIcon.WebViewFolderIcon.2 ActiveX clsid access"; flow:to_client,established; file_data; content:"844F4806-E8A8-11D2-9652-00C04FC30871"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*844F4806-E8A8-11D2-9652-00C04FC30871/si"; metadata:service http; classtype:attempted-user; sid:7987; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SuperBuddy Class ActiveX clsid access"; flow:to_client,established; file_data; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; metadata:service http; classtype:attempted-user; sid:7983; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:7981; rev:19;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash.9 ActiveX function call access"; flow:to_client,established; file_data; content:"ShockwaveFlash.ShockwaveFlash.9"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ShockwaveFlash\.ShockwaveFlash\.9\x22|\x27ShockwaveFlash\.ShockwaveFlash\.9\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ShockwaveFlash\.ShockwaveFlash\.9\x22|\x27ShockwaveFlash\.ShockwaveFlash\.9\x27)\s*\)/smi"; metadata:service http; classtype:attempted-user; sid:7980; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash ActiveX clsid access"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11CF-96B8-444553540000"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11CF-96B8-444553540000\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*navigateToURL|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11CF-96B8-444553540000\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.navigateToURL)\s*\(/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-6244; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=102039374017185&w=2; reference:url,www.adobe.com/support/security/bulletins/apsb07-20.html; classtype:attempted-user; sid:7978; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ShellFolder for CD Burning ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:FBEB8A05-BEEE-4442-804E-409D6C4515E9"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7976; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Rendezvous Class ActiveX clsid access"; flow:to_client,established; file_data; content:"F1029E5B-CB5B-11D0-8D59-00C04FD91AC0"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F1029E5B-CB5B-11D0-8D59-00C04FD91AC0/si"; metadata:service http; classtype:attempted-user; sid:7974; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer PostBootReminder object ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:7849596A-48EA-486E-8937-A2A3009F31A9"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7970; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer mk Asychronous Pluggable Protocol Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"79EAC9E6-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E6-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q9)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7958; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Forms 2.0 ListBox ActiveX clsid access"; flow:to_client,established; file_data; content:"8BD21D20-EC42-11CE-9E0D-00AA006002F3"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8BD21D20-EC42-11CE-9E0D-00AA006002F3/si"; metadata:service http; reference:url,browserfun.blogspot.com/2006/07/mobb-24-formslistbox1-listwidth.html; classtype:attempted-user; sid:7956; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Forms 2.0 ComboBox ActiveX clsid access"; flow:to_client,established; file_data; content:"8BD21D30-EC42-11CE-9E0D-00AA006002F3"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8BD21D30-EC42-11CE-9E0D-00AA006002F3/si"; metadata:service http; reference:cve,1999-0384; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-001; classtype:attempted-user; sid:7954; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft DirectAnimation Windowed Control ActiveX clsid access"; flow:to_client,established; file_data; content:"69AD90EF-1C20-11D1-8801-00C04FC29D46"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69AD90EF-1C20-11D1-8801-00C04FC29D46/si"; metadata:service http; classtype:attempted-user; sid:7952; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft DirectAnimation Control ActiveX clsid access"; flow:to_client,established; file_data; content:"B6FFC24C-7E13-11D0-9B47-00C04FC2F51D"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FFC24C-7E13-11D0-9B47-00C04FC2F51D/si"; metadata:service http; classtype:attempted-user; sid:7950; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Common Browser Architecture ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:AF604EFE-8897-11D1-B944-00A0C90312E1"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7948; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.MaskFilter ActiveX clsid access"; flow:to_client,established; file_data; content:"3A04D93B-1EDD-4F3F-A375-A03EC19572C4"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3A04D93B-1EDD-4F3F-A375-A03EC19572C4/si"; metadata:service http; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7946; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer https Asychronous Pluggable Protocol Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"79EAC9E5-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E5-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q7)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7944; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer http Asychronous Pluggable Protocol Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"79EAC9E2-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E2-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7942; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.Gradient ActiveX clsid access"; flow:to_client,established; file_data; content:"623E2882-FC0E-11D1-9A77-0000F8756A10"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*623E2882-FC0E-11D1-9A77-0000F8756A10/si"; metadata:service http; reference:url,browserfun.blogspot.com/2006/07/mobb-17-gradient-startcolorstr.html; classtype:attempted-user; sid:7940; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer gopher Asychronous Pluggable Protocol Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"79EAC9E4-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E4-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7938; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.Glow ActiveX clsid access"; flow:to_client,established; file_data; content:"9F8E6421-3D9B-11D2-952A-00C04FA34F05"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9F8E6421-3D9B-11D2-952A-00C04FA34F05/si"; metadata:service http; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7936; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ftp Asychronous Pluggable Protocol Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"79EAC9E3-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E3-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q3)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7934; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS FolderItems3 ActiveX clsid access"; flow:to_client,established; file_data; content:"53C74826-AB99-4D33-ACA4-3117F51D3788"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*53C74826-AB99-4D33-ACA4-3117F51D3788/si"; metadata:service http; classtype:attempted-user; sid:7932; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS FolderItem2 ActiveX clsid access"; flow:to_client,established; file_data; content:"FEF10FA2-355E-4E06-9381-9B24D7F7CC88"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FEF10FA2-355E-4E06-9381-9B24D7F7CC88/si"; metadata:service http; reference:url,browserfun.blogspot.com/2006/07/mobb-15-folderitem-access.html; classtype:attempted-user; sid:7930; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer file or local Asychronous Pluggable Protocol Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"79EAC9E7-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E7-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q11)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7928; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXTFilter ActiveX clsid access"; flow:to_client,established; file_data; content:"385A91BC-1E8A-4E4A-A7A6-F4FC1E6CA1BD"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*385A91BC-1E8A-4E4A-A7A6-F4FC1E6CA1BD/si"; metadata:service http; classtype:attempted-user; sid:7926; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.Shadow ActiveX clsid access"; flow:to_client,established; file_data; content:"E71B4063-3E59-11D2-952A-00C04FA34F05"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E71B4063-3E59-11D2-952A-00C04FA34F05/si"; metadata:service http; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7924; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.RevealTrans ActiveX clsid access"; flow:to_client,established; file_data; content:"E31E87C4-86EA-4940-9B8A-5BD5D179A737"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E31E87C4-86EA-4940-9B8A-5BD5D179A737/si"; metadata:service http; reference:url,browserfun.blogspot.com/2006/07/mobb-13-revealtrans-transition.html; classtype:attempted-user; sid:7922; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DsPropertyPages.OU ActiveX clsid access"; flow:to_client,established; file_data; content:"F2C3FAAE-C8AC-11D0-BCDB-00C04FD8D5B6"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F2C3FAAE-C8AC-11D0-BCDB-00C04FD8D5B6/si"; metadata:service http; classtype:attempted-user; sid:7920; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CoAxTrackVideo Class ActiveX clsid access"; flow:to_client,established; file_data; content:"1853E19A-4E54-4190-8DEB-2E1CC947CD60"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1853E19A-4E54-4190-8DEB-2E1CC947CD60/si"; metadata:service http; classtype:attempted-user; sid:7918; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CLSID_IMimeInternational ActiveX clsid access"; flow:to_client,established; file_data; content:"FD853CD9-7F86-11D0-8252-00C04FD85AB4"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD853CD9-7F86-11D0-8252-00C04FD85AB4/si"; metadata:service http; classtype:attempted-user; sid:7916; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.NDFXArtEffects ActiveX clsid access"; flow:to_client,established; file_data; content:"E673DCF2-C316-4C6F-AA96-4E4DC6DC291E"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E673DCF2-C316-4C6F-AA96-4E4DC6DC291E/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19340; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7914; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DX3DTransform.Microsoft.Shapes ActiveX clsid access"; flow:to_client,established; file_data; content:"8241F015-84D3-11d2-97E6-0000F803FF7A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8241F015-84D3-11d2-97E6-0000F803FF7A/si"; metadata:service http; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7912; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.DropShadow ActiveX clsid access"; flow:to_client,established; file_data; content:"ADC6CB86-424C-11D2-952A-00C04FA34F05"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ADC6CB86-424C-11D2-952A-00C04FA34F05/si"; metadata:service http; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7910; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DXImageTransform.Microsoft.Chroma ActiveX clsid access"; flow:to_client,established; file_data; content:"421516C1-3CF8-11D2-952A-00C04FA34F05"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*421516C1-3CF8-11D2-952A-00C04FA34F05\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,24188; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7908; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CDO.KnowledgeSearchFolder ActiveX clsid access"; flow:to_client,established; file_data; content:"CD00020C-8B95-11D1-82DB-00C04FB1625D"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CD00020C-8B95-11D1-82DB-00C04FB1625D/si"; metadata:service http; classtype:attempted-user; sid:7906; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CDDBControlAOL.CDDBAOLControl ActiveX clsid access"; flow:to_client,established; file_data; content:"229B78D5-38F5-11D5-9001-00C04F4C3B9F"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*229B78D5-38F5-11D5-9001-00C04F4C3B9F\s*}?\s*(?P=q9)(\s|>)/si"; metadata:service http; reference:bugtraq,23567; reference:cve,2006-3134; reference:url,www.gracenote.com/corporate/FAQs.html/faqset=update/page=0; reference:url,www.kb.cert.org/vuls/id/701121; classtype:attempted-user; sid:7902; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOL.UPFCtrl ActiveX clsid access"; flow:to_client,established; file_data; content:"98BFD494-F6AD-4794-9038-832C0654CC43"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98BFD494-F6AD-4794-9038-832C0654CC43/si"; metadata:service http; classtype:attempted-user; sid:7900; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOL.PicSsvrCtrl ActiveX clsid access"; flow:to_client,established; file_data; content:"A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6/si"; metadata:service http; classtype:attempted-user; sid:7898; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access"; flow:to_client,established; file_data; content:"E0CB08CE-AB3D-4779-9C77-62A439BFE6C3"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E0CB08CE-AB3D-4779-9C77-62A439BFE6C3/si"; metadata:service http; classtype:attempted-user; sid:7896; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOL.PicDownloadCtrl ActiveX clsid access"; flow:to_client,established; file_data; content:"D670D0B3-05AB-4115-9F87-D983EF1AC747"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D670D0B3-05AB-4115-9F87-D983EF1AC747/si"; metadata:service http; classtype:attempted-user; sid:7894; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOL Phobos Class ActiveX clsid access"; flow:to_client,established; file_data; content:"D9F99C6B-A3A6-11D4-AF64-444553546170"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D9F99C6B-A3A6-11D4-AF64-444553546170/si"; metadata:service http; classtype:attempted-user; sid:7892; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOL.MemExpWz ActiveX clsid access"; flow:to_client,established; file_data; content:"18477169-4752-41DC-AB0F-C50EBA75641D"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18477169-4752-41DC-AB0F-C50EBA75641D/si"; metadata:service http; classtype:attempted-user; sid:7890; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOLFlash.AOLFlash ActiveX clsid access"; flow:to_client,established; file_data; content:"C1145550-A454-11D4-9020-00D0B7239081"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C1145550-A454-11D4-9020-00D0B7239081/si"; metadata:service http; classtype:attempted-user; sid:7888; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AolCalSvr.ACDictionary ActiveX clsid access"; flow:to_client,established; file_data; content:"9F62797E-1249-4596-9FF7-AC6D851A542A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9F62797E-1249-4596-9FF7-AC6D851A542A/si"; metadata:service http; classtype:attempted-user; sid:7886; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AolCalSvr.ACCalendarListCtrl ActiveX clsid access"; flow:to_client,established; file_data; content:"A8ABE123-FAC4-41C1-ABA3-051B6F112B83"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A8ABE123-FAC4-41C1-ABA3-051B6F112B83/si"; metadata:service http; classtype:attempted-user; sid:7884; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AccSync.AccSubNotHandler ActiveX clsid access"; flow:to_client,established; file_data; content:"68A499C7-F9B0-11D2-93D4-00A0C981B035"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68A499C7-F9B0-11D2-93D4-00A0C981B035/si"; metadata:service http; classtype:attempted-user; sid:7882; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AxMetaStream.MetaStreamCtlSecondary ActiveX clsid access"; flow:to_client,established; file_data; content:"1B00725B-C455-4DE6-BFB6-AD540AD427CD"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B00725B-C455-4DE6-BFB6-AD540AD427CD/si"; metadata:service http; classtype:attempted-user; sid:7880; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AxMetaStream.MetaStreamCtl ActiveX clsid access"; flow:to_client,established; file_data; content:"03F998B2-0E00-11D3-A498-00104B6EB52E"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03F998B2-0E00-11D3-A498-00104B6EB52E/si"; metadata:service http; reference:url,vil.nai.com/vil/content/v_137262.htm; classtype:attempted-user; sid:7878; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office PivotTable 10.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E552-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E552-0000-0000-C000-000000000046/si"; metadata:service http; reference:cve,2002-0727; reference:cve,2002-0861; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; classtype:attempted-user; sid:7874; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Data Source Control 9.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E533-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E533-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28136; reference:cve,2007-1201; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-017; reference:url,www.microsoft.com/technet/prodtechnol/office/office2000/proddocs/opg/part4/ch18.mspx; classtype:attempted-user; sid:7870; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ADODB.Recordset ActiveX clsid access"; flow:to_client,established; file_data; content:"00000535-0000-0010-8000-00AA006D2EA4"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000535-0000-0010-8000-00AA006D2EA4/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20704; reference:cve,2006-5559; classtype:attempted-user; sid:7868; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ADODB.Connection ActiveX clsid access"; flow:established,to_client; file_data; content:"00000514-0000-0010-8000-00AA006D2EA4"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00000514-0000-0010-8000-00AA006D2EA4\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(Execute)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00000514-0000-0010-8000-00AA006D2EA4\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\s*\.\s*(Execute))\s*=/siO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-5559; reference:url,archives.neohapsis.com/archives/ntbugtraq/2004-q4/0083.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-009; classtype:attempted-user; sid:7866; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Mcafee Security Center McSubMgr.IsOldAppInstalled ActiveX function call access"; flow:to_client,established; file_data; content:"IsOldAppInstalled"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22IsOldAppInstalled\x22|\x27IsOldAppInstalled\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22IsOldAppInstalled\x22|\x27IsOldAppInstalled\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19265; reference:cve,2006-3961; classtype:attempted-user; sid:7863; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Mcafee Security Center McSubMgr.IsAppExpired ActiveX function call access"; flow:to_client,established; file_data; content:"IsAppExpired"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22IsAppExpired\x22|\x27IsAppExpired\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22IsAppExpired\x22|\x27IsAppExpired\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19265; reference:cve,2006-3961; classtype:attempted-user; sid:7862; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:service http; reference:bugtraq,19570; reference:cve,2006-4219; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14; classtype:attempted-user; sid:7502; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WM VIH2 Fix ActiveX clsid access"; flow:to_client,established; file_data; content:"586FB486-5560-4FF3-96DF-1118C96AF456"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*586FB486-5560-4FF3-96DF-1118C96AF456/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7500; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WM TV Out Smooth Picture Filter ActiveX clsid access"; flow:to_client,established; file_data; content:"41D2B841-7692-4C83-AFD3-F60E845341AF"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41D2B841-7692-4C83-AFD3-F60E845341AF/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7498; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Volume ActiveX clsid access"; flow:to_client,established; file_data; content:"EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7496; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Virtual Source ActiveX clsid access"; flow:to_client,established; file_data; content:"C44C65C7-FDF1-453D-89A5-BCC28F5D69F9"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C44C65C7-FDF1-453D-89A5-BCC28F5D69F9/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7494; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Virtual Renderer ActiveX clsid access"; flow:to_client,established; file_data; content:"930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7492; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Switch Filter ActiveX clsid access"; flow:to_client,established; file_data; content:"EF105BC3-C064-45F1-AD53-6D8A8578D01B"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EF105BC3-C064-45F1-AD53-6D8A8578D01B/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7490; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Screen capture Filter ActiveX clsid access"; flow:to_client,established; file_data; content:"31087270-D348-432C-899E-2D2F38FF29A0"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31087270-D348-432C-899E-2D2F38FF29A0/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7488; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Screen Capture Filter Task Page ActiveX clsid access"; flow:to_client,established; file_data; content:"679E132F-561B-42F8-846C-A70DBDC62999"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*679E132F-561B-42F8-846C-A70DBDC62999/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7486; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Sample Info Filter ActiveX clsid access"; flow:to_client,established; file_data; content:"7F1232EE-44D7-4494-AB8B-CC61B10E21A5"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F1232EE-44D7-4494-AB8B-CC61B10E21A5/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7484; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT MuxDeMux Filter ActiveX clsid access"; flow:to_client,established; file_data; content:"01002B17-5D93-4551-81E4-831FEF780A53"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01002B17-5D93-4551-81E4-831FEF780A53/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7482; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Log Filter ActiveX clsid access"; flow:to_client,established; file_data; content:"92883667-E95C-443D-AC96-4CACA27BEB6E"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*92883667-E95C-443D-AC96-4CACA27BEB6E/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7480; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Interlacer ActiveX clsid access"; flow:to_client,established; file_data; content:"C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7478; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Import Filter ActiveX clsid access"; flow:to_client,established; file_data; content:"4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7476; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT FormatConversion ActiveX clsid access"; flow:to_client,established; file_data; content:"2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7474; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT FormatConversion Prop Page ActiveX clsid access"; flow:to_client,established; file_data; content:"E188F7A3-A04E-413E-99D1-D79A45F70305"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E188F7A3-A04E-413E-99D1-D79A45F70305/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7472; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT DV Extract Filter ActiveX clsid access"; flow:to_client,established; file_data; content:"E476CBFF-E229-4524-B6B7-228A3129D1C7"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E476CBFF-E229-4524-B6B7-228A3129D1C7/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7470; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT DirectX Transform Wrapper ActiveX clsid access"; flow:to_client,established; file_data; content:"AECF5D2E-7A18-4DD2-BDCD-29B6F615B448"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AECF5D2E-7A18-4DD2-BDCD-29B6F615B448/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7468; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT DeInterlace Prop Page ActiveX clsid access"; flow:to_client,established; file_data; content:"A2EDA89A-0966-4B91-9C18-AB69F098187F"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2EDA89A-0966-4B91-9C18-AB69F098187F/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7466; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT DeInterlace Filter ActiveX clsid access"; flow:to_client,established; file_data; content:"C8F209F8-480E-454C-94A4-5392D88EBA0F"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C8F209F8-480E-454C-94A4-5392D88EBA0F/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7464; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Black Frame Generator ActiveX clsid access"; flow:to_client,established; file_data; content:"2EA10031-0033-450E-8072-E27D9E768142"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2EA10031-0033-450E-8072-E27D9E768142/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7462; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMT Audio Analyzer ActiveX clsid access"; flow:to_client,established; file_data; content:"1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7460; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Wmm2fxb.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"D74CA70F-2236-4BA8-A297-4B2A28C2363C"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D74CA70F-2236-4BA8-A297-4B2A28C2363C/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7458; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Wmm2fxa.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7456; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Wmm2ae.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"44C79591-D0DE-49C4-BA3C-A45AB7003356"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44C79591-D0DE-49C4-BA3C-A45AB7003356/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7454; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WM Color Converter Filter ActiveX clsid access"; flow:to_client,established; file_data; content:"CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7452; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Stetch ActiveX clsid access"; flow:to_client,established; file_data; content:"F44BB2D0-F070-463E-9433-B0CCF3CFD627"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F44BB2D0-F070-463E-9433-B0CCF3CFD627/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7450; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ShotDetect ActiveX clsid access"; flow:to_client,established; file_data; content:"CFFB1FC7-270D-4986-B299-FECF3F0E42DB"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFFB1FC7-270D-4986-B299-FECF3F0E42DB/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7448; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Record Queue ActiveX clsid access"; flow:to_client,established; file_data; content:"5B4B05EB-1F63-446B-AAD1-E10A34D650E0"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5B4B05EB-1F63-446B-AAD1-E10A34D650E0/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7446; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Mmedia.AsyncMHandler.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7444; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer mmAEPlugIn.AEPlugIn.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"E8C31D11-6FD2-4659-AD75-155FA143F42B"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8C31D11-6FD2-4659-AD75-155FA143F42B/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7442; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer HTML Help ActiveX clsid access"; flow:to_client,established; file_data; content:"52A2AAAE-085D-4187-97EA-8C30DB990436"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*52A2AAAE-085D-4187-97EA-8C30DB990436\s*}?\s*\1/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3357; reference:cve,2007-0214; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-008; classtype:attempted-user; sid:7439; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Frame Eater ActiveX clsid access"; flow:to_client,established; file_data; content:"6C68955E-F965-4249-8E18-F0977B1D2899"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6C68955E-F965-4249-8E18-F0977B1D2899/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7437; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Dynamic Casts ActiveX function call"; flow:to_client,established; file_data; content:"DirectAnimation.DATuple"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7436; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectX Transform Wrapper Property Page ActiveX clsid access"; flow:to_client,established; file_data; content:"1B544C24-FD0B-11CE-8C63-00AA0044B520"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B544C24-FD0B-11CE-8C63-00AA0044B520/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7433; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectFrame.DirectControl.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"39A2C2A6-4778-11D2-9BDB-204C4F4F5020"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*39A2C2A6-4778-11D2-9BDB-204C4F4F5020/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7431; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Bitmap ActiveX clsid access"; flow:to_client,established; file_data; content:"4F3E50BD-A9D7-4721-B0E1-00CB42A0A747"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F3E50BD-A9D7-4721-B0E1-00CB42A0A747/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7429; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Allocator Fix ActiveX clsid access"; flow:to_client,established; file_data; content:"C0D076C5-E4C6-4561-8BF4-80DA8DB819D7"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0D076C5-E4C6-4561-8BF4-80DA8DB819D7/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7427; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer 9x8Resize ActiveX clsid access"; flow:to_client,established; file_data; content:"BC0D69A8-0923-4EEE-9375-9239F5A38B92"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC0D69A8-0923-4EEE-9375-9239F5A38B92/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7425; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Sysmon ActiveX function call access"; flow:to_client,established; file_data; content:"Sysmon"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Sysmon\x22|\x27Sysmon\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Sysmon\x22|\x27Sysmon\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; classtype:attempted-user; sid:7018; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access"; flow:to_client,established; file_data; content:"RDS.DataControl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22RDS\.DataControl\x22|\x27RDS\.DataControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22RDS\.DataControl\x22|\x27RDS\.DataControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; reference:bugtraq,18900; reference:cve,2006-3510; classtype:attempted-user; sid:7017; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access"; flow:to_client,established; file_data; content:"Object.Microsoft.DXTFilter"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Object\.Microsoft\.DXTFilter\x22|\x27Object\.Microsoft\.DXTFilter\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Object\.Microsoft\.DXTFilter\x22|\x27Object\.Microsoft\.DXTFilter\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; reference:bugtraq,18903; reference:cve,2006-3512; classtype:attempted-dos; sid:7016; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer NMSA.MediaDescription ActiveX function call access"; flow:to_client,established; file_data; content:"NMSA.MediaDescription"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22NMSA\.MediaDescription\x22|\x27NMSA\.MediaDescription\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22NMSA\.MediaDescription\x22|\x27NMSA\.MediaDescription\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; classtype:attempted-user; sid:7015; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access"; flow:to_client,established; file_data; content:"NMSA.ASFSourceMediaDescription.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22NMSA\.ASFSourceMediaDescription\.1\x22|\x27NMSA\.ASFSourceMediaDescription\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22NMSA\.ASFSourceMediaDescription\.1\x22|\x27NMSA\.ASFSourceMediaDescription\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; reference:bugtraq,19114; reference:cve,2006-3897; classtype:attempted-dos; sid:7014; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft.ISCatAdm ActiveX function call access"; flow:to_client,established; file_data; content:"Microsoft.ISCatAdm"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Microsoft\.ISCatAdm\x22|\x27Microsoft\.ISCatAdm\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Microsoft\.ISCatAdm\x22|\x27Microsoft\.ISCatAdm\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; classtype:attempted-user; sid:7013; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access"; flow:to_client,established; file_data; content:"Internet.PopupMenu.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Internet\.PopupMenu\.1\x22|\x27Internet\.PopupMenu\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Internet\.PopupMenu\.1\x22|\x27Internet\.PopupMenu\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; classtype:attempted-user; sid:7012; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access"; flow:to_client,established; file_data; content:"HtmlDlgSafeHelper.HtmlDlgSafeHelper"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22HtmlDlgSafeHelper\.HtmlDlgSafeHelper\x22|\x27HtmlDlgSafeHelper\.HtmlDlgSafeHelper\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22HtmlDlgSafeHelper\.HtmlDlgSafeHelper\x22|\x27HtmlDlgSafeHelper\.HtmlDlgSafeHelper\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; classtype:attempted-user; sid:7011; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access"; flow:to_client,established; file_data; content:"HtmlDlgSafeHelper.HtmlDlgSafeHelper.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22HtmlDlgSafeHelper\.HtmlDlgSafeHelper\.1\x22|\x27HtmlDlgSafeHelper\.HtmlDlgSafeHelper\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22HtmlDlgSafeHelper\.HtmlDlgSafeHelper\.1\x22|\x27HtmlDlgSafeHelper\.HtmlDlgSafeHelper\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; classtype:attempted-user; sid:7010; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DirectAnimation.DAUserData ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAUserData"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAUserData\x22|\x27DirectAnimation\.DAUserData\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAUserData\x22|\x27DirectAnimation\.DAUserData\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; classtype:attempted-user; sid:7008; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access"; flow:to_client,established; file_data; content:"AxDebugger.Document.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22AxDebugger\.Document\.1\x22|\x27AxDebugger\.Document\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22AxDebugger\.Document\.1\x22|\x27AxDebugger\.Document\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; classtype:attempted-user; sid:7007; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ASControls.InstallEngineCtl ActiveX function call access"; flow:to_client,established; file_data; content:"ASControls.InstallEngineCtl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; classtype:attempted-user; sid:7006; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access"; flow:to_client,established; file_data; content:"OutlookExpress.AddressBook"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22OutlookExpress\.AddressBook\x22|\x27OutlookExpress\.AddressBook\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OutlookExpress\.AddressBook\x22|\x27OutlookExpress\.AddressBook\x27)\s*\)/smi"; metadata:service http; classtype:attempted-user; sid:7005; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ADODB.Recordset ActiveX function call access"; flow:to_client,established; file_data; content:"ADODB.Recordset"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ADODB\.Recordset\x22|\x27ADODB\.Recordset\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ADODB\.Recordset\x22|\x27ADODB\.Recordset\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20704; reference:cve,2006-5559; classtype:attempted-user; sid:7003; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access "; flow:to_client,established; flowbits:isnotset,file.msi; file_data; content:"DXImageTransform.Microsoft.MMSpecialEffect1Input"; fast_pattern:only; metadata:service http; reference:bugtraq,18328; reference:cve,2006-1303; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6687; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access"; flow:to_client,established; flowbits:isnotset,file.msi; file_data; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; fast_pattern:only; metadata:service http; reference:bugtraq,18328; reference:cve,2006-1303; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6686; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access"; flow:to_client,established; flowbits:isnotset,file.msi; file_data; content:"353359C1-39E1-491B-9951-464FD8AB071C"; fast_pattern:only; metadata:service http; reference:bugtraq,18328; reference:cve,2006-1303; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6684; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access "; flow:to_client,established; flowbits:isnotset,file.msi; file_data; content:"DXImageTransform.Microsoft.MMSpecialEffect2Inputs"; fast_pattern:only; metadata:service http; reference:bugtraq,18328; reference:cve,2006-1303; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6682; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access"; flow:to_client,established; flowbits:isnotset,file.msi; file_data; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; fast_pattern:only; metadata:service http; reference:bugtraq,18328; reference:cve,2006-1303; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6681; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.Light ActiveX clsid access"; flow:to_client,established; file_data; content:"F9EFBEC2-4302-11D2-952A-00C04FA34F05"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F9EFBEC2-4302-11D2-952A-00C04FA34F05/si"; metadata:service http; reference:cve,2006-2383; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6517; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.Light ActiveX function call access"; flow:to_client,established; file_data; content:"DXImageTransform.Microsoft.Light"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DXImageTransform\.Microsoft\.Light\x22|\x27DXImageTransform\.Microsoft\.Light\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DXImageTransform\.Microsoft\.Light\x22|\x27DXImageTransform\.Microsoft\.Light\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:service http; reference:cve,2006-2383; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6516; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft DT DDS OrgChart GDD Route ActiveX object access"; flow:to_client,established; file_data; content:"4CECCEB2-8359-11D0-A34E-00AA00BDCDFD"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CECCEB2-8359-11D0-A34E-00AA00BDCDFD/si"; metadata:service http; reference:cve,2006-1186; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-013; classtype:attempted-user; sid:6008; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DT DDS OrgChart GDD Layout ActiveX object access"; flow:to_client,established; file_data; content:"4CECCEB1-8359-11D0-A34E-00AA00BDCDFD"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CECCEB1-8359-11D0-A34E-00AA00BDCDFD/si"; metadata:service http; reference:cve,2006-1186; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-013; classtype:attempted-user; sid:6007; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DT Icon Control ActiveX object access"; flow:to_client,established; file_data; content:"D24D4450-1F01-11D1-8E63-006097D2DF48"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D24D4450-1F01-11D1-8E63-006097D2DF48/si"; metadata:service http; reference:cve,2006-1186; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-013; classtype:attempted-user; sid:6006; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DT DDS Straight Line Routing Logic 2 ActiveX object access"; flow:to_client,established; file_data; content:"B0406343-B0C5-11d0-89A9-00A0C9054129"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0406343-B0C5-11d0-89A9-00A0C9054129/si"; metadata:service http; reference:cve,2006-1186; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-013; classtype:attempted-user; sid:6005; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DT DDS Circular Auto Layout Logic 2 ActiveX object access"; flow:to_client,established; file_data; content:"B0406342-B0C5-11d0-89A9-00A0C9054129"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0406342-B0C5-11d0-89A9-00A0C9054129/si"; metadata:service http; reference:cve,2006-1186; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-013; classtype:attempted-user; sid:6004; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DT DDS Rectilinear GDD Route ActiveX object access"; flow:to_client,established; file_data; content:"1F7DD4F3-CAC3-11D0-A35B-00AA00BDCDFD"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1F7DD4F3-CAC3-11D0-A35B-00AA00BDCDFD/si"; metadata:service http; reference:cve,2006-1186; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-013; classtype:attempted-user; sid:6003; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DT DDS Rectilinear GDD Layout ActiveX object access"; flow:to_client,established; file_data; content:"1F7DD4F2-CAC3-11D0-A35B-00AA00BDCDFD"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1F7DD4F2-CAC3-11D0-A35B-00AA00BDCDFD/si"; metadata:service http; reference:cve,2006-1186; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-013; classtype:attempted-user; sid:6002; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS mydailyhoroscope update or installation in progress"; flow:to_client,established; file_data; content:"07637823-C894-4A52-B3F9-5D77FD8E36A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*07637823-C894-4A52-B3F9-5D77FD8E36A/si"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088207; classtype:misc-activity; sid:5799; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Adodb.Stream ActiveX object access"; flow:to_client,established; file_data; content:"00000566-0000-0010-8000-00AA006D2EA4"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000566-0000-0010-8000-00AA006D2EA4/si"; metadata:service http; reference:bugtraq,10514; reference:cve,2004-0549; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB870669; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-025; classtype:attempted-user; sid:4982; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Shortcut Handler ActiveX object access"; flow:to_client,established; file_data; content:"00021401-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00021401-0000-0000-C000-000000000046/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4915; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository Script Definition ActiveX object access"; flow:to_client,established; file_data; content:"D675E22B-CAE9-11D2-AF7B-00C04F99179F"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D675E22B-CAE9-11D2-AF7B-00C04F99179F/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4914; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository Workspace ActiveX object access"; flow:to_client,established; file_data; content:"B1D4ED44-EE64-11D0-97E6-00C04FC30B4A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B1D4ED44-EE64-11D0-97E6-00C04FC30B4A/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4913; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository Root ActiveX object access"; flow:to_client,established; file_data; content:"6E22710F-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710F-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4912; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository Type Library ActiveX object access"; flow:to_client,established; file_data; content:"6E22710E-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710E-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4911; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository Relationship Definition ActiveX object access"; flow:to_client,established; file_data; content:"6E22710D-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710D-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4910; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository Property Definition ActiveX object access"; flow:to_client,established; file_data; content:"6E22710C-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710C-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4909; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository Method Definition ActiveX object access"; flow:to_client,established; file_data; content:"6E22710B-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710B-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4908; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository Collection Definition ActiveX object access"; flow:to_client,established; file_data; content:"6E22710A-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710A-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4907; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository Interface Definition ActiveX object access"; flow:to_client,established; file_data; content:"6E227109-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E227109-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4906; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository Object ActiveX object access"; flow:to_client,established; file_data; content:"6E2270FB-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E2270FB-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4905; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository Alias ActiveX object access"; flow:to_client,established; file_data; content:"62EC9F22-5E30-11D2-97A1-00C04FB6DD9A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*62EC9F22-5E30-11D2-97A1-00C04FB6DD9A/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4904; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer VMR ImageSync 9 ActiveX object access"; flow:to_client,established; file_data; content:"E4979309-7A32-495E-8A92-7B014AAD4961"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E4979309-7A32-495E-8A92-7B014AAD4961/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4903; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Video Mixing Renderer 9 ActiveX object access"; flow:to_client,established; file_data; content:"51B4ABF3-748F-4E3B-A276-C828330E926A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*51B4ABF3-748F-4E3B-A276-C828330E926A/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4902; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer VMR Allocator Presenter 9 ActiveX object access"; flow:to_client,established; file_data; content:"2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4901; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Outlook Progress Ctl ActiveX object access"; flow:to_client,established; file_data; content:"0006F071-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F071-0000-0000-C000-000000000046/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4900; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer PSTypeComp ActiveX object access"; flow:to_client,established; file_data; content:"00020425-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020425-0000-0000-C000-000000000046/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4898; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer PSOAInterface ActiveX object access"; flow:to_client,established; file_data; content:"00020424-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020424-0000-0000-C000-000000000046/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4897; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer PSTypeLib ActiveX object access"; flow:to_client,established; file_data; content:"00020423-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020423-0000-0000-C000-000000000046/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4896; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer PSTypeInfo ActiveX object access"; flow:to_client,established; file_data; content:"00020422-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020422-0000-0000-C000-000000000046/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4895; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer PSEnumVariant ActiveX object access"; flow:to_client,established; file_data; content:"00020421-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020421-0000-0000-C000-000000000046/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4894; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Trident HTMLEditor ActiveX object access"; flow:to_client,established; file_data; content:"3050F4F5-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F4F5-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4893; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MTSEvents Class ActiveX object access"; flow:to_client,established; file_data; content:"ECABB0AB-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABB0AB-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4892; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer cfw Class ActiveX object access"; flow:to_client,established; file_data; content:"ECABAFC0-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABAFC0-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4891; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer IAVIStream & IAVIFile Proxy ActiveX object access"; flow:to_client,established; file_data; content:"0002000D-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002000D-0000-0000-C000-000000000046/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4890; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer wang image admin activex object access"; flow:to_client,established; file_data; content:"009541A0-3B81-101C-92F3-040224009C02"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*009541A0-3B81-101C-92F3-040224009C02/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-037; classtype:attempted-user; sid:4648; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMI ASDI Extension ActiveX object access"; flow:to_client,established; file_data; content:"F0975AFE-5C7F-11D2-8B74-00104B2AFB41"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F0975AFE-5C7F-11D2-8B74-00104B2AFB41/si"; metadata:service http; reference:cve,2005-2127; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4236; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Helper Object for Java ActiveX object access"; flow:to_client,established; file_data; content:"8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4235; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSVTDGridCtrl7 ActiveX object access"; flow:to_client,established; file_data; content:"6F9F3481-84DD-4B14-B09C-6B4288ECCDE8"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6F9F3481-84DD-4B14-B09C-6B4288ECCDE8/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4234; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Visual Database Tools Query Designer v7.0 ActiveX object access"; flow:to_client,established; file_data; content:"2C10A98F-D64F-43B4-BED6-DD0E1BF2074C"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C10A98F-D64F-43B4-BED6-DD0E1BF2074C/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4233; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer SysTray Invoker ActiveX object access"; flow:to_client,established; file_data; content:"730F6CDC-2C86-11D2-8773-92E220524153"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*730F6CDC-2C86-11D2-8773-92E220524153/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4232; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer SysTray ActiveX object access"; flow:to_client,established; file_data; content:"35CEC8A3-2BE6-11D2-8773-92E220524153"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*35CEC8A3-2BE6-11D2-8773-92E220524153/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4231; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Search Assistant UI ActiveX object access"; flow:to_client,established; file_data; content:"47C6C527-6204-4F91-849D-66E234DEE015"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*47C6C527-6204-4F91-849D-66E234DEE015/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4230; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSAPP Export Support for Office Access ActiveX object access"; flow:to_client,established; file_data; content:"98CB4060-D3E7-42A1-8D65-949D34EBFE14"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98CB4060-D3E7-42A1-8D65-949D34EBFE14/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4229; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Start Menu ActiveX object access"; flow:to_client,established; file_data; content:"4622AD11-FF23-11D0-8D34-00A0C90F2719"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4622AD11-FF23-11D0-8D34-00A0C90F2719/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4228; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Network Connections ActiveX object access"; flow:to_client,established; file_data; content:"7007ACC7-3202-11D1-AAD2-00805FC1270E"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7007ACC7-3202-11D1-AAD2-00805FC1270E/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4227; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DocHost User Interface Handler ActiveX object access"; flow:to_client,established; file_data; content:"7057E952-BD1B-11D1-8919-00C04FC2C836"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7057E952-BD1B-11D1-8919-00C04FC2C836/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4226; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Repository ActiveX object access"; flow:to_client,established; file_data; content:"6E227101-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E227101-F799-11CF-9227-00AA00A1EB95/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4225; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer VideoPort ActiveX object access"; flow:to_client,established; file_data; content:"CE292861-FC88-11D0-9E69-00C04FD7C15B"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CE292861-FC88-11D0-9E69-00C04FD7C15B/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4224; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer OpenCable Class ActiveX object access"; flow:to_client,established; file_data; content:"ABBA001B-3075-11D6-88A4-00B0D0200F88"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ABBA001B-3075-11D6-88A4-00B0D0200F88/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4223; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Outllib.dll ActiveX object access"; flow:to_client,established; file_data; content:"0006F02A-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F02A-0000-0000-C000-000000000046/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4222; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ProxyStub Dispatch ActiveX object access"; flow:to_client,established; file_data; content:"00020420-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020420-0000-0000-C000-000000000046/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4221; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Network and Dial-Up Connections ActiveX object access"; flow:to_client,established; file_data; content:"992CFFA0-F557-101A-88EC-00DD010CCC48"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*992CFFA0-F557-101A-88EC-00DD010CCC48/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4220; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Network Connections Tray ActiveX object access"; flow:to_client,established; file_data; content:"7007ACCF-3202-11D1-AAD2-00805FC1270E"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7007ACCF-3202-11D1-AAD2-00805FC1270E/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4219; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Microsoft Windows Visual Basic WebClass ActiveX object access"; flow:to_client,established; file_data; content:"6B7F1602-D44C-11D0-A7D9-AE3D17000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6B7F1602-D44C-11D0-A7D9-AE3D17000000/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4218; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Services on the Web Free/Busy ActiveX object access"; flow:to_client,established; file_data; content:"F28D867A-DDB1-11D3-B8E8-00A0C981AEEB"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F28D867A-DDB1-11D3-B8E8-00A0C981AEEB/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4217; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CLSID_CComAcctImport ActiveX object access"; flow:to_client,established; file_data; content:"1AA06BA1-0E88-11D1-8391-00C04FBD7C09"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1AA06BA1-0E88-11D1-8391-00C04FBD7C09/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4216; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer HTML Popup Window ActiveX object access"; flow:to_client,established; file_data; content:"3050F667-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F667-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4215; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer TipGW Init ActiveX object access"; flow:to_client,established; file_data; content:"F117831B-C052-11D1-B1C0-00C04FC2F3EF"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F117831B-C052-11D1-B1C0-00C04FC2F3EF/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4214; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DDS Picture Shape Control ActiveX object access"; flow:to_client,established; file_data; content:"6CBE0382-A879-4D2A-8EC3-1F2A43611BA8"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6CBE0382-A879-4D2A-8EC3-1F2A43611BA8/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4213; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DDS Generic Class ActiveX object access"; flow:to_client,established; file_data; content:"4FAAB301-CEF6-477C-9F58-F601039E9B78"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4FAAB301-CEF6-477C-9F58-F601039E9B78/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4212; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DDS Library Shape Control ActiveX object access"; flow:to_client,established; file_data; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4211; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Msb1geen.dll ActiveX object access"; flow:to_client,established; file_data; content:"208DD6A3-E12B-4755-9607-2E39EF84CFC5"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*208DD6A3-E12B-4755-9607-2E39EF84CFC5/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4210; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer LexRefStFrObject Class ActiveX object access"; flow:to_client,established; file_data; content:"B3E0E785-BD78-4366-9560-B7DABE2723BE"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B3E0E785-BD78-4366-9560-B7DABE2723BE/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4209; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer LexRefStEsObject Class ActiveX object access"; flow:to_client,established; file_data; content:"4CFB5280-800B-4367-848F-5A13EBF27F1D"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CFB5280-800B-4367-848F-5A13EBF27F1D/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4208; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Audio Decompressor Control Property Page ActiveX object access"; flow:to_client,established; file_data; content:"8FE7E181-BB96-11D2-A1CB-00609778EA66"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8FE7E181-BB96-11D2-A1CB-00609778EA66/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4207; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MPEG-4 Video Decompressor Property Page ActiveX object access"; flow:to_client,established; file_data; content:"598EBA02-B49A-11D2-A1C1-00609778EA66"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*598EBA02-B49A-11D2-A1C1-00609778EA66/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4206; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Visual Database Tools Database Designer v7.0 ActiveX object access"; flow:to_client,established; file_data; content:"03CB9467-FD9D-42A8-82F9-8615B4223E6E"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03CB9467-FD9D-42A8-82F9-8615B4223E6E/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4205; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DT PolyLine Control 2 ActiveX object access"; flow:to_client,established; file_data; content:"D24D4453-1F01-11D1-8E63-006097D2DF48"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D24D4453-1F01-11D1-8E63-006097D2DF48/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4204; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Marquee Control ActiveX object access"; flow:to_client,established; file_data; content:"250770F3-6AF2-11CF-A915-008029E31FCD"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*250770F3-6AF2-11CF-A915-008029E31FCD/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4203; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows DirectAnimation ActiveX object access"; flow:to_client,established; file_data; content:"283807B8-2C60-11D0-A31D-00AA00B92C03"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*283807B8-2C60-11D0-A31D-00AA00B92C03/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4202; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Queued Components Recorder ActiveX object access"; flow:to_client,established; file_data; content:"ECABAFC2-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABAFC2-7F19-11D2-978E-0000F8757E2A/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4201; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Index Server Scope Administration ActiveX object access"; flow:to_client,established; file_data; content:"3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4200; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Blnmgrps.dll ActiveX object access"; flow:to_client,established; file_data; content:"F27CE930-4CA3-11D1-AFF2-006097C9A284"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F27CE930-4CA3-11D1-AFF2-006097C9A284/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4199; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Blnmgrps.dll ActiveX object access"; flow:to_client,established; file_data; content:"BC5F1E51-5110-11D1-AFF5-006097C9A284"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC5F1E51-5110-11D1-AFF5-006097C9A284/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4198; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DigWebX MSN ActiveX object access"; flow:to_client,established; file_data; content:"05E6787D-82D9-4D24-91DD-97FE8D199501"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05E6787D-82D9-4D24-91DD-97FE8D199501/si"; metadata:service http; reference:bugtraq,13946; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-025; classtype:attempted-user; sid:4197; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kodak Image Editing ActiveX object access"; flow:to_client,established; file_data; content:"6D940280-9F11-11CE-83FD-02608C3EC08A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D940280-9F11-11CE-83FD-02608C3EC08A/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-037; classtype:attempted-user; sid:4193; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer HHOpen ActiveX object access"; flow:to_client,established; file_data; content:"130D7743-5F5A-11D1-B676-00A0C9697233"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*130D7743-5F5A-11D1-B676-00A0C9697233/si"; metadata:service http; reference:bugtraq,669; reference:cve,1999-1577; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-037; classtype:attempted-user; sid:4192; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows MsnPUpld ActiveX object access"; flow:to_client,established; file_data; content:"C3DFA998-A486-11d4-AA25-00C04F72DAEB"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C3DFA998-A486-11d4-AA25-00C04F72DAEB/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-025; classtype:attempted-user; sid:4191; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kodak Thumbnail Image ActiveX object access"; flow:to_client,established; file_data; content:"E1A6B8A0-3603-101C-AC6E-040224009C02"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E1A6B8A0-3603-101C-AC6E-040224009C02/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-037; classtype:attempted-user; sid:4190; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Third-Party Plugin ActiveX object access"; flow:to_client,established; file_data; content:"06DD38D3-D187-11CF-A80D-00C04FD74AD8"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06DD38D3-D187-11CF-A80D-00C04FD74AD8/si"; metadata:service http; reference:cve,2003-0233; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-user; sid:4189; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer RAV Online Scanner ActiveX object access"; flow:to_client,established; file_data; content:"D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249/si"; metadata:service http; reference:bugtraq,11448; reference:cve,2004-0936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-048; classtype:attempted-user; sid:4188; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Terminal Services Advanced Client ActiveX object access"; flow:to_client,established; file_data; content:"791fa017-2de3-492e-acc5-53c67a2b94d0"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*791fa017-2de3-492e-acc5-53c67a2b94d0/si"; metadata:service http; reference:bugtraq,5554; reference:cve,2002-0726; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-046; classtype:attempted-user; sid:4187; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kodak Image Editing ActiveX object access"; flow:to_client,established; file_data; content:"6D940285-9F11-11CE-83FD-02608C3EC08A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D940285-9F11-11CE-83FD-02608C3EC08A/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-037; classtype:attempted-user; sid:4186; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Terminal Services Advanced Client ActiveX object access"; flow:to_client,established; file_data; content:"1fb464c8-09bb-4017-a2f5-eb742f04392f"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1fb464c8-09bb-4017-a2f5-eb742f04392f/si"; metadata:service http; reference:bugtraq,5554; reference:cve,2002-0726; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-046; classtype:attempted-user; sid:4185; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Certificate Enrollment ActiveX object access"; flow:to_client,established; file_data; content:"43F8F289-7A20-11D0-8F06-00C04FC295E1"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*43F8F289-7A20-11D0-8F06-00C04FC295E1/si"; metadata:service http; reference:bugtraq,5593; reference:cve,2002-0699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-048; classtype:attempted-user; sid:4184; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows HTML Help ActiveX object access"; flow:to_client,established; file_data; content:"41B23C28-488E-4e5C-ACE2-BB0BBABE99E8"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41B23C28-488E-4e5C-ACE2-BB0BBABE99E8/si"; metadata:service http; reference:bugtraq,13953; reference:cve,2005-1208; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-026; classtype:attempted-user; sid:4183; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft MSN Chat v4.5, 4.6 ActiveX object access"; flow:to_client,established; file_data; content:"9088E688-063A-4806-A3DB-6522712FC061"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9088E688-063A-4806-A3DB-6522712FC061/si"; metadata:service http; reference:bugtraq,4707; reference:cve,2002-0155; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-022; classtype:attempted-user; sid:4182; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Smartcard Enrollment ActiveX object access"; flow:to_client,established; file_data; content:"80CB7887-20DE-11D2-8D5C-00C04FC29D45"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80CB7887-20DE-11D2-8D5C-00C04FC29D45/si"; metadata:service http; reference:cve,2002-0699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-048; classtype:attempted-user; sid:4181; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Kodak Image Scan Control ActiveX object access"; flow:to_client,established; file_data; content:"84926CA0-2941-101C-816F-0E6013114B7F"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*84926CA0-2941-101C-816F-0E6013114B7F/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-037; classtype:attempted-user; sid:4180; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows DirectX Files Viewer ActiveX object access"; flow:to_client,established; file_data; content:"970C7E08-05A7-11D0-89AA-00A0C9054129"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*970C7E08-05A7-11D0-89AA-00A0C9054129/si"; metadata:service http; reference:bugtraq,5489; reference:cve,2002-0975; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-066; classtype:attempted-user; sid:4179; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office 2000 and 2002 Web Components Record Navigation Control ActiveX object access"; flow:to_client,established; file_data; content:"0002E531-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E531-0000-0000-C000-000000000046/si"; metadata:service http; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; classtype:attempted-user; sid:4178; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office 2000 and 2002 Web Components Chart ActiveX object access"; flow:to_client,established; file_data; content:"0002E500-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E500-0000-0000-C000-000000000046/si"; metadata:service http; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; classtype:attempted-user; sid:4176; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office 2000/2002 Web Components PivotTable ActiveX object access"; flow:to_client,established; file_data; content:"0002E520-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E520-0000-0000-C000-000000000046/si"; metadata:service http; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; classtype:attempted-user; sid:4175; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec RuFSI registry Information Class ActiveX object access"; flow:to_client,established; file_data; content:"69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69DEAF94-AF66-11D3-BEC0-00105AA9B6AE/si"; metadata:service http; reference:bugtraq,8008; reference:cve,2003-0470; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-048; classtype:attempted-user; sid:4174; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows MsnPUpld ActiveX object access"; flow:to_client,established; file_data; content:"F107317A-A488-11d4-AA25-00C04F72DAEB"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F107317A-A488-11d4-AA25-00C04F72DAEB/si"; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-025; classtype:attempted-user; sid:4173; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Agent v1.5 ActiveX clsid access"; flow:to_client,established; file_data; content:"F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-1214; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:4172; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Registration Wizard ActiveX object access"; flow:to_client,established; file_data; content:"50E5E3D1-C07E-11D0-B9FD-00A0249F6B00"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*50E5E3D1-C07E-11D0-B9FD-00A0249F6B00/si"; metadata:service http; reference:bugtraq,671; reference:cve,1999-1578; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-037; classtype:attempted-user; sid:4171; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Active Setup ActiveX object access"; flow:to_client,established; file_data; content:"F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1/si"; metadata:service http; reference:bugtraq,667; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-037; classtype:attempted-user; sid:4169; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Shell Automation Service ActiveX object access"; flow:to_client,established; file_data; content:"13709620-C279-11CE-A49E-444553540000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; metadata:service http; reference:bugtraq,9335; reference:cve,2004-2291; classtype:attempted-user; sid:4168; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MSN Heartbeat ActiveX clsid access"; flow:to_client,established; file_data; content:"E5D419D6-A846-4514-9FAD-97E826C84822"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E5D419D6-A846-4514-9FAD-97E826C84822\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:bugtraq,11367; reference:cve,2004-0978; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:4167; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Image Control 1.0 ActiveX object access"; flow:to_client,established; file_data; content:"D4A97620-8E8F-11CF-93CD-00AA00C08FDF"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D4A97620-8E8F-11CF-93CD-00AA00C08FDF/si"; metadata:service http; reference:bugtraq,12477; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-014; classtype:attempted-user; sid:4165; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DigWebX MSN ActiveX object access"; flow:to_client,established; file_data; content:"13FA0C3E-6B1C-4D8B-88CD-6DA8E1CA7653"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13FA0C3E-6B1C-4D8B-88CD-6DA8E1CA7653/si"; metadata:service http; reference:bugtraq,13946; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-025; classtype:attempted-user; sid:4164; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DigWebX MSN ActiveX object access"; flow:to_client,established; file_data; content:"0519F3C1-0ED3-4EF1-98F5-CC3FB10218C7"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0519F3C1-0ED3-4EF1-98F5-CC3FB10218C7/si"; metadata:service http; reference:bugtraq,13946; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-025; classtype:attempted-user; sid:4163; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DigWebX MSN ActiveX object access"; flow:to_client,established; file_data; content:"72770C4F-967D-4517-982B-92D6B9015649"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*72770C4F-967D-4517-982B-92D6B9015649/si"; metadata:service http; reference:bugtraq,13946; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-025; classtype:attempted-user; sid:4162; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DigWebX MSN ActiveX object access"; flow:to_client,established; file_data; content:"FF2BBC4A-6881-4294-BE0C-17535B1FCCFA"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FF2BBC4A-6881-4294-BE0C-17535B1FCCFA/si"; metadata:service http; reference:bugtraq,13946; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-025; classtype:attempted-user; sid:4161; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Reporting Tool ActiveX object access"; flow:to_client,established; file_data; content:"167701E3-FDCF-11D0-A48E-006097C549FF"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*167701E3-FDCF-11D0-A48E-006097C549FF/si"; metadata:service http; reference:bugtraq,8454; reference:cve,2003-0530; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-032; classtype:attempted-user; sid:4160; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Multimedia File Property Sheet ActiveX object access"; flow:to_client,established; file_data; content:"00022613-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00022613-0000-0000-C000-000000000046/si"; metadata:service http; reference:bugtraq,5094; reference:cve,2002-1984; classtype:attempted-user; sid:4159; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Media Player Active Movie ActiveX object access"; flow:to_client,established; file_data; content:"05589FA1-C356-11CE-BF01-00AA0055595A"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05589FA1-C356-11CE-BF01-00AA0055595A/si"; metadata:service http; reference:bugtraq,1221; reference:cve,2000-0400; classtype:attempted-user; sid:4158; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MSN Setup BBS 4.71.0.10 ActiveX object access"; flow:to_client,established; file_data; content:"8F0F5093-0A70-11D0-BCA9-00C04FD85AA6"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8F0F5093-0A70-11D0-BCA9-00C04FD85AA6/si"; metadata:service http; reference:bugtraq,668; reference:cve,1999-1484; classtype:attempted-user; sid:4157; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Media Player 7+ ActiveX object access"; flow:to_client,established; file_data; content:"6BF52A52-394A-11D3-B153-00C04F79FAA6"; fast_pattern:only; content:".currentMedia"; nocase; content:".getItemInfo"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6BF52A52-394A-11D3-B153-00C04F79FAA6[^>]*?id\s*=\s*[\x22\x27]([^\x22\x27]*?)[\x22\x27].*?\1\.currentMedia/si"; metadata:service http; reference:bugtraq,12031; reference:bugtraq,12032; reference:bugtraq,2167; reference:cve,2001-0148; reference:cve,2004-1324; reference:cve,2004-1325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-015; classtype:attempted-user; sid:4156; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Active Setup ActiveX object access"; flow:to_client,established; file_data; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; metadata:service http; reference:bugtraq,775; reference:cve,2000-0329; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-048; classtype:attempted-user; sid:4154; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Eyedog ActiveX object access"; flow:to_client,established; file_data; content:"06A7EC63-4E21-11D0-A112-00A0C90543AA"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06A7EC63-4E21-11D0-A112-00A0C90543AA/si"; metadata:service http; reference:bugtraq,619; reference:cve,1999-0669; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q240308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-032; classtype:attempted-user; sid:4153; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS System Monitor Source Properties ActiveX object access"; flow:to_client,established; file_data; content:"0CF32AA1-7571-11D0-93C4-00AA00A3DDEA"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CF32AA1-7571-11D0-93C4-00AA00A3DDEA/si"; metadata:service http; reference:bugtraq,7384; classtype:attempted-user; sid:4151; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX function call access"; flow:to_client,established; file_data; content:"OVCtl.OVCtl.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22OVCtl\.OVCtl\.1\x22|\x27OVCtl\.OVCtl\.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OVCtl\.OVCtl\.1\x22|\x27OVCtl\.OVCtl\.1\x27)\s*\)/smi"; metadata:service http; reference:bugtraq,3025; reference:bugtraq,3026; reference:cve,2001-0538; reference:url,browserfun.blogspot.com/2006/07/mobb-20-ovctl-newdefaultitem.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-038; classtype:attempted-user; sid:4150; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ActiveLabel ActiveX object access"; flow:to_client,established; file_data; content:"99B42120-6EC7-11CF-A6C7-00AA00A47DD2"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*99B42120-6EC7-11CF-A6C7-00AA00A47DD2/si"; metadata:service http; reference:bugtraq,5558; reference:cve,2002-0647; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-047; classtype:attempted-user; sid:4147; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Share Point Portal Services Log Sink ActiveX object access"; flow:to_client,established; file_data; content:"DE4735F3-7532-4895-93DC-9A10C4257173"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DE4735F3-7532-4895-93DC-9A10C4257173/si"; metadata:service http; reference:bugtraq,12646; reference:bugtraq,14515; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB837253; classtype:attempted-user; sid:4146; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access"; flow:to_client,established; content:"4B106874-DD36-11D0-8B44-00A024DD9EFF"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,8833; reference:cve,2003-0662; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-042; classtype:attempted-user; sid:4145; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access"; flow:to_client,established; file_data; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-user; sid:2485; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Javadoc generated frame replacement attempt"; flow:to_server,established; content:"?//"; http_raw_uri; content:!"www.facebook.com"; http_uri; metadata:service http; reference:cve,2013-1571; classtype:attempted-user; sid:26994; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PcVue SVUIGrd.ocx ActiveX function call access"; flow:established,to_client; file_data; content:"SVUIGrdCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SVUIGrdCtrl(\.\d*)?\x22|\x27SVUIGrdCtrl(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SVUIGrdCtrl(\.\d*)?\x22|\x27SVUIGrdCtrl(\.\d*)?\x27)\s*\)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49795; reference:cve,2008-4915; classtype:attempted-user; sid:27112; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PcVue SVUIGrd.ocx ActiveX clsid access"; flow:established,to_client; file_data; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49795; reference:cve,2008-4915; classtype:attempted-user; sid:27111; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle document capture EMPOP3Lib ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"F647CBE5-3C01-402A-B3F0-502A77054A24"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F647CBE5-3C01-402A-B3F0-502A77054A24\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(DownloadSingleMessageToFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F647CBE5-3C01-402A-B3F0-502A77054A24\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(DownloadSingleMessageToFile))/siO"; metadata:service http; reference:bugtraq,45851; reference:cve,2010-3591; classtype:attempted-user; sid:27179; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Chilkat Socket ActiveX clsid access"; flow:established,to_server; file_data; content:"3B598BD0-AF50-48C6-B6A5-63261A48B054"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B598BD0-AF50-48C6-B6A5-63261A48B054\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(SaveLastError)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B598BD0-AF50-48C6-B6A5-63261A48B054\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(SaveLastError))/siO"; metadata:service smtp; reference:bugtraq,32333; reference:cve,2008-6959; classtype:misc-attack; sid:27177; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Chilkat Socket ActiveX clsid access"; flow:established,to_server; file_data; content:"474FCCCD-1B89-4D34-9E09-45807F23289C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*474FCCCD-1B89-4D34-9E09-45807F23289C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(SaveLastError)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*474FCCCD-1B89-4D34-9E09-45807F23289C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(SaveLastError))/siO"; metadata:service smtp; reference:bugtraq,32333; reference:cve,2008-6959; classtype:misc-attack; sid:27176; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Chilkat Socket ActiveX clsid access"; flow:established,to_client; file_data; content:"3B598BD0-AF50-48C6-B6A5-63261A48B054"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B598BD0-AF50-48C6-B6A5-63261A48B054\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(SaveLastError)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B598BD0-AF50-48C6-B6A5-63261A48B054\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(SaveLastError))/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,32333; reference:cve,2008-6959; classtype:misc-attack; sid:27175; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Chilkat Socket ActiveX clsid access"; flow:established,to_client; file_data; content:"474FCCCD-1B89-4D34-9E09-45807F23289C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*474FCCCD-1B89-4D34-9E09-45807F23289C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(SaveLastError)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*474FCCCD-1B89-4D34-9E09-45807F23289C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(SaveLastError))/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,32333; reference:cve,2008-6959; classtype:misc-attack; sid:27174; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Cisco AnyConnect mobility client activex clsid access attempt"; flow:established,to_client; file_data; content:"55963676-2F5E-4BAF-AC28-CF26AA587566"; fast_pattern:only; metadata:service http; reference:bugtraq,48081; reference:cve,2011-2040; classtype:attempted-user; sid:27173; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DB Software Laboratory VImpX activex control ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; content:"LogFile"; distance:0; metadata:service http; reference:bugtraq,31907; reference:cve,2008-4749; reference:cve,2008-4750; classtype:attempted-user; sid:27219; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GeoVision LiveAudio ActiveX remote code execution attempt"; flow:to_client,established; file_data; content:"814A3C52-B6F7-4AEA-A9BC-7849B9B0ECA8"; fast_pattern:only; content:"GetAudioPlayingTime"; nocase; metadata:service http; reference:bugtraq,34115; reference:cve,2009-1092; classtype:attempted-user; sid:27209; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec WinFax Pro ActiveX heap buffer overflow attempt"; flow:to_client,established; file_data; content:"C05A1FBC-1413-11D1-B05F-00805F4945F6"; fast_pattern:only; content:"AppendFax"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,34766; reference:cve,2009-2570; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-008; classtype:attempted-user; sid:27208; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SigPlus Pro ActiveX clsid access"; flow:established,to_client; file_data; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; fast_pattern:only; content:".LCDWriteString"; pcre:"/LCDWriteString\x28(\d+\x2c){7}[\w\x2b^\x29]+/siO"; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-attack; sid:27207; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SigPlus Pro ActiveX clsid access"; flow:established,to_client; file_data; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; fast_pattern:only; content:".LCDWriteString"; pcre:"/LCDWriteString\x28(\d+\x2c){7}[^\x29]{1000,}/siO"; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-attack; sid:27206; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows Media Services CallHTMLHelp ActiveX buffer overflow attempt"; flow:to_server,established; file_data; content:"2646205B-878C-11D1-B07C-0000C040BCDB"; fast_pattern:only; content:"CallHTMLHelp"; nocase; metadata:service smtp; reference:bugtraq,30814; reference:cve,2008-5232; reference:url,support.microsoft.com/kb/240797; classtype:attempted-user; sid:27205; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle document capture Actbar2.ocx ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"4932CEF4-2CAA-11D2-A165-0060081C43D9"; content:"SaveLayoutChanges"; distance:0; metadata:service http; reference:cve,2010-3591; classtype:attempted-user; sid:27223; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash.9 ActiveX function overflow attempt"; flow:to_client,established; file_data; content:"ShockwaveFlash.ShockwaveFlash.9"; fast_pattern:only; pcre:"/(?P\w+)\s*?=\s*?new\s*?ActiveXObject[\x28]\s*?[\x22\x27]ShockwaveFlash\.ShockwaveFlash\.9[\x22\x27]\s*?[\x29]\x3b.*?(?P\w+)\s*?=\s*?[\x22\x27]\s*?ftp\x3a[\x2f]{2}\s*?[\x22\x27]\s*?\x3b.*?(?P\w+)\s*?=\s*?[\x22\x27]\s*?[\w]{1,5}\s*?[\x22\x27]\s*?\x3b.*?while\s*?\x28\s*?(?P=b)\.length\s*?<=.*?[\x29]\s*?(?P=b)\s*?\x2b\s*?=\s*?(?P=b)\s*?\x3b.*?(?P=a)\.AllowScriptAccess\s*?=\s*?(?P=c)\s*?\x2b(?P=b)\s*?\x3b/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:27250; rev:3;) # alert tcp any any -> $HOME_NET 25 (msg:"BROWSER-PLUGINS PPMate PPMPlayer.dll ActiveX clsid access"; flow:established,to_server; file_data; content:"72B15B25-2EC8-4CDD-B284-C89A5F8E8D5F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*72B15B25-2EC8-4CDD-B284-C89A5F8E8D5F\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*StartURL|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*72B15B25-2EC8-4CDD-B284-C89A5F8E8D5F\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.StartURL)/siO"; metadata:service smtp; reference:bugtraq,30246; reference:cve,2008-3242; reference:url,secunia.com/advisories/30952; classtype:attempted-user; sid:27283; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PPMate PPMPlayer.dll ActiveX clsid access"; flow:established,to_client; file_data; content:"72B15B25-2EC8-4CDD-B284-C89A5F8E8D5F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*72B15B25-2EC8-4CDD-B284-C89A5F8E8D5F\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*StartURL|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*72B15B25-2EC8-4CDD-B284-C89A5F8E8D5F\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.StartURL)/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,30246; reference:cve,2008-3242; reference:url,secunia.com/advisories/30952; classtype:attempted-user; sid:27282; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CEnroll.CEnroll.2 ActiveX function stringtoBinary access attempt"; flow:established,to_client; file_data; content:"CEnroll.CEnroll.2"; fast_pattern:only; pcre:"/(?P\w+)\s*?=\s*?new\s*?ActiveXObject[\x28]\s*?[\x22\x27]CEnroll\.CEnroll\.2.*?(?P\w+)\s*?=\s*?[\x22\x27].*?[\x22\x27]\s*?\x3b.*?while\s*?\x28\s*?(?P=b)\.length\s*?<=.*?[\x29]\s*?(?P=b)\s*?\x2b\s*?=\s*?(?P=b).*?(?P=a)\.stringToBinary\s*?\x28.*?(?P=b)\s*?\x29/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,19102; reference:cve,2006-3899; classtype:attempted-user; sid:27570; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Morovia Barcode ActiveX Professional arbitrary file overwrite attempt"; flow:established,to_client; file_data; content:"18B409DA-241A-4BD8-AC69-B5D547D5B141"; nocase; content:".Save"; within:800; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23934; reference:cve,2007-2644; classtype:attempted-user; sid:27597; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BROWSER-PLUGINS VMWare Remote Console format string code execution attempt"; flow:to_server,established; file_data; content:"VMware.web.WMwareRemoteConsole"; fast_pattern:only; content:"connect"; pcre:"/^\s*\x28.*\x22.*\x25\w.*\x22.*\x29/siOR"; metadata:service smtp; reference:cve,2009-3732; classtype:attempted-user; sid:27658; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BROWSER-PLUGINS VMWare Remote Console format string code execution attempt"; flow:to_server,established; file_data; content:"B94C2238-346E-4C5E-9B36-8CC627F35574"; fast_pattern:only; content:"connect"; pcre:"/^\s*\x28.*\x22.*\x25\w.*\x22.*\x29/siOR"; metadata:service smtp; reference:cve,2009-3732; classtype:attempted-user; sid:27657; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare Remote Console format string code execution attempt"; flow:to_client,established; file_data; content:"VMware.web.WMwareRemoteConsole"; fast_pattern:only; content:"connect"; pcre:"/^\s*\x28.*\x22.*\x25\w.*\x22.*\x29/siOR"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3732; classtype:attempted-user; sid:27656; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Husdawg System Requirements Lab Control ActiveX clsid access"; flow:to_server,established; file_data; content:"67A5F8DC-1A4B-4D66-9F24-A704AD929EEE"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?67A5F8DC-1A4B-4D66-9F24-A704AD929EEE/i"; metadata:service smtp; reference:bugtraq,31752; reference:cve,2008-4385; reference:url,support.microsoft.com/kb/956391; reference:url,www.systemrequirementslab.com/bulletins/security_bulletin_1.html; classtype:attempted-user; sid:27763; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Ultra Shareware Office Control ActiveX clsid access"; flow:to_server,established; file_data; content:"00989888-BB72-4E31-A7C6-5F819C24D2F7"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?00989888-BB72-4E31-A7C6-5F819C24D2F7/i"; metadata:service smtp; reference:bugtraq,30861; reference:cve,2008-3878; classtype:attempted-user; sid:27762; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Ultra Shareware Office Control ActiveX function call access"; flow:to_server,established; file_data; content:"Ultra.OfficeControl"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?Ultra\.OfficeControl/i"; metadata:service smtp; reference:bugtraq,30861; reference:cve,2008-3878; classtype:attempted-user; sid:27761; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ultra Shareware Office Control ActiveX function call access"; flow:to_client,established; file_data; content:"Ultra.OfficeControl"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?Ultra\.OfficeControl/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,30861; reference:cve,2008-3878; classtype:attempted-user; sid:27760; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX function call access"; flow:to_server,established; file_data; content:"MSMask.MaskEdBox"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?MSMask\.MaskEdBox/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30674; reference:cve,2008-3704; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:27758; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX clsid access"; flow:to_server,established; file_data; content:"C932BA85-4374-101B-A56C-00AA003668DC"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?C932BA85-4374-101B-A56C-00AA003668DC/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30674; reference:cve,2008-3704; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:27757; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BaoFeng Storm ActiveX control SetAttributeValue method buffer overflow attempt"; flow:to_client,established; file_data; content:"BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05"; fast_pattern:only; content:"SetAttributeValue"; nocase; metadata:service http; reference:bugtraq,34869; reference:cve,2009-1807; classtype:web-application-attack; sid:27745; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS BaoFeng Storm ActiveX control OnBeforeVideoDownload method buffer overflow attempt"; flow:to_client,established; file_data; content:"6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB"; fast_pattern:only; content:"OnBeforeVideoDownload"; nocase; metadata:service http; reference:bugtraq,34789; reference:cve,2009-1612; classtype:web-application-attack; sid:27744; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EasyMail Objects Activex remote buffer overflow attempt"; flow:established,to_client; file_data; content:"5B8BE023-76A2-4F6D-8993-F7E588D79D98"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5B8BE023-76A2-4F6D-8993-F7E588D79D98\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(CreateStore)|CreateStore.*?]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5B8BE023-76A2-4F6D-8993-F7E588D79D98\s*}?\s*(?P=q2))/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,32722; reference:cve,2008-6447; classtype:attempted-user; sid:27743; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EasyMail Objects Activex remote buffer overflow attempt"; flow:established,to_client; file_data; content:"18A76B9A-45C1-11D3-80DC-00C04F6B92D0"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A76B9A-45C1-11D3-80DC-00C04F6B92D0\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(CreateStore)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A76B9A-45C1-11D3-80DC-00C04F6B92D0\s*}?\s*(?P=q2)).*?CreateStore/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,32722; reference:cve,2008-6447; classtype:attempted-user; sid:27742; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access"; flow:to_server,established; file_data; content:"WMEnc.WMEncProfileManager"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?WMEnc\.WMEncProfileManager/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,31065; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:27800; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt"; flow:to_server,established; file_data; content:"KeyHelp.KeyScript"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?KeyHelp\.KeyScript/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,54215; reference:cve,2012-2515; reference:cve,2012-2516; reference:url,support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863; classtype:attempted-user; sid:27799; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"45e66957-2932-432a-a156-31503df0a681"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?45e66957-2932-432a-a156-31503df0a681/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,54215; reference:cve,2012-2515; reference:cve,2012-2516; reference:url,support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863; classtype:attempted-user; sid:27798; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Black Ice Barcode SDK ActiveX function call access"; flow:to_server,established; file_data; content:"BIDIB.BIDIBCtrl"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?BIDIB\.BIDIBCtrl/i"; metadata:service smtp; reference:bugtraq,29577; reference:bugtraq,29579; reference:cve,2008-2683; reference:cve,2008-2684; classtype:attempted-user; sid:27795; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Black Ice Barcode SDK ActiveX clsid access"; flow:to_server,established; file_data; content:"79956462-F148-497F-B247-DF35A095F80B"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?79956462-F148-497F-B247-DF35A095F80B/i"; metadata:service smtp; reference:bugtraq,29577; reference:bugtraq,29579; reference:cve,2008-2683; reference:cve,2008-2684; classtype:attempted-user; sid:27794; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access"; flow:to_server,established; file_data; content:"Snapshot Viewer Control 10.0"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Snapshot\s*Viewer\s*Control\s*10(\.\d*)?\x22|\x27Snapshot\s*Viewer\s*Control\s*10(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SnapshotPath|CompressedPath)\s*|.*(?P=v)\s*\.\s*(SnapshotPath|CompressedPath)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Snapshot\s*Viewer\s*Control\s*10(\.\d*)?\x22|\x27Snapshot\s*Viewer\s*Control\s*10(\.\d*)?\x27)\s*\)(\s*\.\s*(SnapshotPath|CompressedPath)\s*|.*(?P=n)\s*\.\s*(SnapshotPath|CompressedPath))\s*=/smiO"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:27793; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt"; flow:to_server,established; file_data; content:"snpvw.Snapshot Viewer Control"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:27792; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:27791; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:27790; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:27789; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"Snapshot Viewer Control 10.0"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Snapshot\s*Viewer\s*Control\s*10(\.\d*)?\x22|\x27Snapshot\s*Viewer\s*Control\s*10(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SnapshotPath|CompressedPath)\s*|.*(?P=v)\s*\.\s*(SnapshotPath|CompressedPath)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Snapshot\s*Viewer\s*Control\s*10(\.\d*)?\x22|\x27Snapshot\s*Viewer\s*Control\s*10(\.\d*)?\x27)\s*\)(\s*\.\s*(SnapshotPath|CompressedPath)\s*|.*(?P=n)\s*\.\s*(SnapshotPath|CompressedPath))\s*=/smiO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:27788; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Icona SpA C6 Messenger Downloader ActiveX clsid access"; flow:to_server,established; file_data; content:"c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61"; fast_pattern:only; content:"propDownloadUrl"; nocase; content:"propPostDownloadAction"; nocase; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61.*?value\s*?=\s*?[\x22\x27]?\s*?run/si"; metadata:service smtp; reference:bugtraq,29519; reference:cve,2008-2551; classtype:attempted-user; sid:27768; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Icona SpA C6 Messenger Downloader ActiveX clsid access"; flow:to_client,established; file_data; content:"c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61"; fast_pattern:only; content:"propDownloadUrl"; nocase; content:"propPostDownloadAction"; nocase; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61.*?value\s*?=\s*?[\x22\x27]?\s*?run/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,29519; reference:cve,2008-2551; classtype:attempted-user; sid:27767; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Java Security Slider feature bypass attempt"; flow:to_client,established; file_data; content:""; fast_pattern:only; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1489; reference:url,www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html; classtype:attempted-user; sid:27766; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access"; flow:to_client,established; file_data; content:"shell.application"; fast_pattern:only; pcre:"/(new\s*ActiveXObject|CreateObject\s*)\([\x22\x27]shell.application/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,10652; reference:bugtraq,17462; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-014; classtype:attempted-user; sid:21080; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WibuKey Runtime ActiveX function call access"; flow:established,to_client; file_data; content:"Wibukey.Wibukey"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Wibukey\.Wibukey(\.\d*)?\x22|\x27Wibukey\.Wibukey(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DisplayMessageDialog\s*|.*(?P=v)\s*\.\s*DisplayMessageDialog\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Wibukey\.Wibukey(\.\d*)?\x22|\x27Wibukey\.Wibukey(\.\d*)?\x27)\s*\)(\s*\.\s*DisplayMessageDialog\s*|.*(?P=n)\s*\.\s*DisplayMessageDialog\s*)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:28127; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WibuKey Runtime ActiveX clsid access"; flow:established,to_client; file_data; content:"00010000-0000-1011-8002-0000C06B5161"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00010000-0000-1011-8002-0000C06B5161\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(DisplayMessageDialog)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00010000-0000-1011-8002-0000C06B5161\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(DisplayMessageDialog))/siO"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:28126; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Java XML digital signature spoofing attempt"; flow:to_client, established; flowbits:isset,file.xml; file_data; content:" $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX function call access "; flow:to_client,established; flowbits:isnotset,file.msi; file_data; content:"DXImageTransform.Microsoft.MMSpecialEffectInplace1Input"; fast_pattern:only; metadata:service http; reference:bugtraq,18328; reference:cve,2006-1303; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:29037; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX access attempt"; flow:established,to_server; file_data; content:"XGO.XGoCtrl"; fast_pattern:only; metadata:service smtp; reference:bugtraq,55272; classtype:attempted-user; sid:29102; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; fast_pattern:only; metadata:service smtp; reference:bugtraq,55272; classtype:attempted-user; sid:29100; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX access attempt"; flow:established,to_client; file_data; content:"XGO.XGoCtrl"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,55272; classtype:attempted-user; sid:29098; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,55272; classtype:attempted-user; sid:29097; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft WBEM Event Subsystem ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:5D08B586-343A-11D0-AD46-00C04FD8FDFF"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29258; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer syncui.dll ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:85BBD920-42A0-1069-A2E4-08002B30309D"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29257; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer clbcatq.dll ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29256; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer clbcatex.dll ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:E846F0A0-D367-11D1-8286-00A0C9231C29"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29255; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WaveOut and DSound Class Manager ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:E0F158E1-CB04-11D0-BD4E-00A0C911CE86"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29254; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WaveIn Class Manager ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:33D9A762-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29253; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WIA FileSystem USD ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:D2923B86-15F1-46FF-A19A-DE825F919576"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29252; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WDM Instance Provider ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:D2D588B5-D081-11D0-99E0-00C04FC2F8EC"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29251; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Video Effect Class Manager 2 Input ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:CC7BFB43-F175-11D1-A392-00E0291F3959"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29250; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Video Effect Class Manager 1 Input ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:CC7BFB42-F175-11D1-A392-00E0291F3959"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29249; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer VFW Capture Class Manager ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:860BB310-5D01-11D0-BD3B-00A0C911CE86"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29248; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Swedish_Default Stemmer ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:9478F640-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29247; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Spanish_Modern Stemmer ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:B0516FF0-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29246; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ShellFolder for CD Burning ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:FBEB8A05-BEEE-4442-804E-409D6C4515E9"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29245; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer QC.MessageMover.1 ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:ECABB0BF-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29244; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer PostBootReminder object ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:7849596A-48EA-486E-8937-A2A3009F31A9"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29243; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Mslablti.MarshalableTI.1 ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:466D66FA-9616-11D2-9342-0000F875AE17"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29242; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MidiOut Class Manager ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:4EFE2452-168A-11D1-BC76-00C04FB9453B"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29241; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Italian_Italian Stemmer ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:6D36CE10-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29240; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ISSimpleCommandCreator.1 ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29239; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ICM Class Manager ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:33D9A760-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29238; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer German_German Stemmer ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:510A4910-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29237; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer French_French Stemmer ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:2A6EB050-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29236; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer English_US Stemmer ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:EEED4C20-7F1B-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29235; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer English_UK Stemmer ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:D99F7670-7F1A-11CE-BE57-00AA0051FE20"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29234; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Dutch_Dutch Stemmer ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:860D28D0-8BF4-11CE-BE59-00AA0051FE20"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29233; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DiskManagement.Connection ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:FD78D554-4C6E-11D0-970D-00A0C9191601"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29232; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Content.mbcontent.1 ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29231; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CommunicationManager ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:67DCC487-AA48-11D1-8F4F-00C04FB611C7"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29230; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CLSID_CDIDeviceActionConfigPage ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:18AB439E-FCF4-40D4-90DA-F79BAA3B0655"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29229; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CLSID_ApprenticeICW ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:8EE42293-C315-11D0-8D6F-00A0C9A06E1F"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29228; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Address Bar ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:01E04581-4EEE-11D0-BFE9-00AA005B4383"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29227; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ACM Class Manager ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:33D9A761-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29226; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft HTML Window Security Proxy ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:3050F391-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29225; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Common Browser Architecture ActiveX clsid access"; flow:to_server,established; file_data; content:"clsid:AF604EFE-8897-11D1-B944-00A0C90312E1"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:29224; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Sun Microsystems JRE isInstalled.dnsResolve function memory exception attempt"; flow:to_client,established; file_data; content:"5852F5ED-8BF4-11D4-A245-0080C6F74284"; fast_pattern:only; metadata:service http; reference:bugtraq,25734; reference:cve,2007-5019; classtype:attempted-user; sid:29578; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Message System ActiveX function call access"; flow:to_client,established; file_data; content:"UIAutomation"; content:"Messenger"; content:"MySigninName"; metadata:service http; reference:cve,2008-0082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-050; classtype:attempted-user; sid:29538; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; content:"AnnotationX.AnnList"; fast_pattern:only; content:"String.fromCharCode"; metadata:policy security-ips drop, service http; reference:bugtraq,52765; reference:cve,2012-5896; classtype:attempted-user; sid:29533; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS KingView ActiveX clsid access"; flow:to_client,established; file_data; content:"clsid:F31C42E3-CBF9-4E5C-BB95-521B4E85060D"; fast_pattern:only; content:"ValidateUser"; nocase; metadata:service http; reference:bugtraq,46757; reference:cve,2011-3142; reference:url,www.us-cert.gov/control_systems/pdf/ICSA-11-074-01.pdf; classtype:attempted-user; sid:29512; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"MSXML2."; fast_pattern:only; content:"file|3A 2F 2F 2F|C|3A|"; nocase; content:"\w+)\s*?=\s*?(new\s+ActiveX|Create)Object\s*?\x28\s*?[\x22\x27]MSXML2\x2e.*?(?P=obj)\.open\s*?\x28?\s*?[\x22\x27]GET[\x22\x27].*(?P=obj)\.send/si"; metadata:service smtp; reference:cve,2014-0266; reference:url,attack.mitre.org/techniques/T1220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29681; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"MSXML2."; fast_pattern:only; content:"file|3A 2F 2F 2F|C|3A|"; nocase; content:"\w+)\s*?=\s*?(new\s+ActiveX|Create)Object\s*?\x28\s*?[\x22\x27]MSXML2\x2e.*?(?P=obj)\.open\s*?\x28?\s*?[\x22\x27]GET[\x22\x27].*(?P=obj)\.send/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0266; reference:url,attack.mitre.org/techniques/T1220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29680; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM SizerOne ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"24E04EBF-014D-471F-930E-7654B1193BA9"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33148; reference:cve,2008-4827; reference:cve,2012-5946; classtype:attempted-user; sid:29749; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access"; flow:to_server,established; file_data; content:"2355C601-37D1-42B4-BEB1-03C773298DC8"; fast_pattern:only; metadata:policy security-ips alert, service smtp; reference:bugtraq,65038; reference:cve,2013-6040; classtype:attempted-user; sid:30053; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access"; flow:to_client,established; file_data; content:"2355C601-37D1-42B4-BEB1-03C773298DC8"; fast_pattern:only; metadata:policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65038; reference:cve,2013-6040; classtype:attempted-user; sid:30052; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access"; flow:to_server,established; file_data; content:"F359732D-D020-40ED-83FF-F381EFE36B54"; fast_pattern:only; metadata:policy security-ips alert, service smtp; reference:bugtraq,65038; reference:cve,2013-6040; classtype:attempted-user; sid:30051; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access"; flow:to_client,established; file_data; content:"F359732D-D020-40ED-83FF-F381EFE36B54"; fast_pattern:only; metadata:policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65038; reference:cve,2013-6040; classtype:attempted-user; sid:30050; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access"; flow:to_server,established; file_data; content:"Aztec.MW6Aztec"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:bugtraq,65038; reference:cve,2013-6040; classtype:attempted-user; sid:30049; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access"; flow:to_client,established; file_data; content:"Aztec.MW6Aztec"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65038; reference:cve,2013-6040; classtype:attempted-user; sid:30048; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise Client for Windows ActiveX function call access"; flow:established,to_client; file_data; content:"MIME.MimeCtrl.1"; fast_pattern:only; content:"SecManageRecipientCertificates"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22MIME\.MimeCtrl(\.\d*)?\x22|\x27MIME\.MimeCtrl(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*(new\s*ActiveX|Create)Object\s*\(\s*(?P=c)\s*\)(\s*\.\s*SecManageRecipientCertificates\s*|.*(?P=v)\s*\.\s*SecManageRecipientCertificates\s*)|(?P\w+)\s*=\s*(new\s*ActiveX|Create)Object\s*\(\s*(\x22MIME\.MimeCtrl(\.\d*)?\x22|\x27MIME\.MimeCtrl(\.\d*)?\x27)\s*\)(\s*\.\s*SecManageRecipientCertificates\s*|.*(?P=n)\s*\.\s*SecManageRecipientCertificates\s*)/smi"; metadata:policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0804; reference:url,www.novell.com/support/kb/doc.php?id=7011687; classtype:attempted-user; sid:30093; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise Client for Windows ActiveX clsid access"; flow:established,to_client; file_data; content:"BFEC5A01-1EB1-11D1-BC96-00805FC1C85A"; fast_pattern:only; content:"SecManageRecipientCertificates"; nocase; pcre:"/]*?id\s*=\s*[\x22\x27]?(?P\w+)[\x22\x27]?\s[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*{?\s*BFEC5A01-1EB1-11D1-BC96-00805FC1C85A\s*}?\s*[\x22\x27]?[\s>].*?(?P=id1)\.SecManageRecipientCertificates|]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*{?\s*BFEC5A01-1EB1-11D1-BC96-00805FC1C85A\s*}?\s*[\x22\x27]?\s[^>]*?id\s*=\s*[\x22\x27]?(?P\w+)[\x22\x27]?[\s>].*(?P=id2)\.SecManageRecipientCertificates|]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*{?\s*BFEC5A01-1EB1-11D1-BC96-00805FC1C85A\s*}?\s*[\x22\x27]?\s[^>]*?\.SecManageRecipientCertificates/si"; metadata:policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0804; reference:url,www.novell.com/support/kb/doc.php?id=7011687; classtype:attempted-user; sid:30092; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Adobe Reader Extension race condition attempt"; flow:to_server,established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; fast_pattern:only; content:".messageHandler"; content:".postMessage"; within:50; content:".onError"; content:".onMessage"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31018; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Adobe Reader Extension race condition attempt"; flow:to_client,established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; fast_pattern:only; content:".messageHandler"; content:".postMessage"; within:50; content:".onError"; content:".onMessage"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31017; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Apple Quicktime ActiveX Control use after free"; flow:to_server,established; file_data; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; fast_pattern:only; content:".Clear|28 29|"; pcre:"/(]*\s*id\s*=\s*(\x22|\x27|)(?P\w+)(\x22|\x27|)[^>]*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\s*}?\s*(\x22|\x27|).*(?P=id1)\.Clear\(\)|]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\s*}?\s*(\x22|\x27|)[^>]*id\s*=\s*(\x22|\x27|)(?P.+?)(\x22|\x27|).*(?P=id2)\.Clear\(\))/siO"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,56438; reference:cve,2012-3754; classtype:attempted-user; sid:31044; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Apple Quicktime ActiveX Control use after free"; flow:to_client,established; file_data; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; fast_pattern:only; content:".Clear|28 29|"; pcre:"/(]*\s*id\s*=\s*(\x22|\x27|)(?P\w+)(\x22|\x27|)[^>]*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\s*}?\s*(\x22|\x27|).*(?P=id1)\.Clear\(\)|]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\s*}?\s*(\x22|\x27|)[^>]*id\s*=\s*(\x22|\x27|)(?P.+?)(\x22|\x27|).*(?P=id2)\.Clear\(\))/siO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56438; reference:cve,2012-3754; classtype:attempted-user; sid:31043; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access"; flow:established,to_server; file_data; content:"41E1E2E4-5715-45fa-8E86-7E9331A8769B"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(\x22|\x27|)(?P\w+)(\x22|\x27|)[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*41E1E2E4-5715-45fa-8E86-7E9331A8769B\s*(\x22|\x27|).*(?P=id1)\s*\.\s*(Attachment_Names|Import_Names)|]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*41E1E2E4-5715-45fa-8E86-7E9331A8769B\s*(\x22|\x27|).*id\s*=\s*(\x22|\x27|)(?P\w+)(\x22|\x27|).*(?P=id2)\.(Attachment_Names|Import_Names))/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-3027; classtype:attempted-user; sid:31336; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access"; flow:established,to_client; file_data; content:"41E1E2E4-5715-45fa-8E86-7E9331A8769B"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(\x22|\x27|)(?P\w+)(\x22|\x27|)[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*41E1E2E4-5715-45fa-8E86-7E9331A8769B\s*(\x22|\x27|).*(?P=id1)\s*\.\s*(Attachment_Names|Import_Names)|]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*41E1E2E4-5715-45fa-8E86-7E9331A8769B\s*(\x22|\x27|).*id\s*=\s*(\x22|\x27|)(?P\w+)(\x22|\x27|).*(?P=id2)\.(Attachment_Names|Import_Names))/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3027; classtype:attempted-user; sid:31335; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access"; flow:established,to_server; file_data; content:"CEF002D2-5A9F-4656-AA41-85DA2534ACBD"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(\x22|\x27|)(?P\w+)(\x22|\x27|)[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*CEF002D2-5A9F-4656-AA41-85DA2534ACBD\s*(\x22|\x27|).*(?P=id1)\s*\.\s*(Attachment_Names|Import_Names)|]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*CEF002D2-5A9F-4656-AA41-85DA2534ACBD\s*(\x22|\x27|).*id\s*=\s*(\x22|\x27|)(?P\w+)(\x22|\x27|).*(?P=id2)\.(Attachment_Names|Import_Names))/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-3027; classtype:attempted-user; sid:31334; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access"; flow:established,to_client; file_data; content:"CEF002D2-5A9F-4656-AA41-85DA2534ACBD"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(\x22|\x27|)(?P\w+)(\x22|\x27|)[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*CEF002D2-5A9F-4656-AA41-85DA2534ACBD\s*(\x22|\x27|).*(?P=id1)\s*\.\s*(Attachment_Names|Import_Names)|]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*CEF002D2-5A9F-4656-AA41-85DA2534ACBD\s*(\x22|\x27|).*id\s*=\s*(\x22|\x27|)(?P\w+)(\x22|\x27|).*(?P=id2)\.(Attachment_Names|Import_Names))/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3027; classtype:attempted-user; sid:31333; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Adobe Reader 11 messageHandler ActiveX access attempt"; flow:to_server, established; file_data; content:"AcroPDF.PDF"; fast_pattern:only; content:".messageHandler"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:31410; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Adobe Reader 11 messageHandler ActiveX access attempt"; flow:to_client, established; file_data; content:"AcroPDF.PDF"; fast_pattern:only; content:".messageHandler"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:31409; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Adobe Reader 11 messageHandler ActiveX access attempt"; flow:to_server, established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; fast_pattern:only; content:".messageHandler"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:31408; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Adobe Reader 11 messageHandler ActiveX access attempt"; flow:to_client, established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; fast_pattern:only; content:".messageHandler"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:31407; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UltraCrypto ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"09C282FE-7DE7-4697-9BE2-1C4F4DA825B3"; fast_pattern:only; content:".AcquireContext("; metadata:service smtp; reference:cve,2007-4903; classtype:attempted-user; sid:31539; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UltraCrypto ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"09C282FE-7DE7-4697-9BE2-1C4F4DA825B3"; fast_pattern:only; content:".AcquireContext("; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-4903; classtype:attempted-user; sid:31538; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBiz EBanking Integrator ActiveX clsid access"; flow:established,to_server; file_data; content:"24445430-F789-11CE-86F8-0020AFD8C6DB"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24445430-F789-11CE-86F8-0020AFD8C6DB\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*WriteOFXDataFile|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24445430-F789-11CE-86F8-0020AFD8C6DB\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.WriteOFXDataFile)/siO"; metadata:service smtp; reference:bugtraq,28700; reference:cve,2008-1725; classtype:attempted-user; sid:31707; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access"; flow:to_server,established; file_data; content:"0002E551-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E551-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2002-0727; reference:cve,2002-0861; reference:cve,2009-1136; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:31759; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access"; flow:to_server,established; file_data; content:"OWC10.Spreadsheet"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2002-0727; reference:cve,2002-0861; reference:cve,2009-1136; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:31758; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access"; flow:to_server,established; file_data; content:"OWC11.Spreadsheet"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:31757; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access"; flow:to_server,established; file_data; content:"0002E559-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E559-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:31756; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Adobe Flash broker privilege escalation file creation attempt"; flow:to_server,established; file_data; content:"|BF E3 19 B0 C7 85 DC F5 FF FF E5 E7 3C 45 C7 85 E0 F5 FF FF A2 E4 D2 C1 C7 85 E4 F5 FF FF 8C A0|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,71040; reference:cve,2014-8442; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32627; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Adobe Flash broker privilege escalation file creation attempt"; flow:to_client,established; file_data; content:"|BF E3 19 B0 C7 85 DC F5 FF FF E5 E7 3C 45 C7 85 E0 F5 FF FF A2 E4 D2 C1 C7 85 E4 F5 FF FF 8C A0|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,71040; reference:cve,2014-8442; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32626; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Data Quality ActiveX function call access"; flow:established,to_server; file_data; content:"TSS12.DscTools.FileChooserDlg"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22TSS12\.DscTools\.FileChooserDlg(\.\d*)?\x22|\x27TSS12\.DscTools\.FileChooserDlg(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*onChangeDirectory\s*|.*(?P=v)\s*\.\s*onChangeDirectory\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TSS12\.DscTools\.FileChooserDlg(\.\d*)?\x22|\x27TSS12\.DscTools\.FileChooserDlg(\.\d*)?\x27)\s*\)(\s*\.\s*onChangeDirectory\s*|.*(?P=n)\s*\.\s*onChangeDirectory\s*)/smiO"; metadata:impact_flag red, service smtp; reference:cve,2014-2418; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:32635; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access"; flow:established,to_server; file_data; content:"4D4269FF-B0BE-4E7D-BDFF-96F0E651C06D"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4D4269FF-B0BE-4E7D-BDFF-96F0E651C06D\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*onChangeDirectory|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4D4269FF-B0BE-4E7D-BDFF-96F0E651C06D\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.onChangeDirectory)/siO"; metadata:impact_flag red, service smtp; reference:cve,2014-2418; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:32634; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Data Quality ActiveX function call access"; flow:established,to_client; file_data; content:"TSS12.DscTools.FileChooserDlg"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22TSS12\.DscTools\.FileChooserDlg(\.\d*)?\x22|\x27TSS12\.DscTools\.FileChooserDlg(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*onChangeDirectory\s*|.*(?P=v)\s*\.\s*onChangeDirectory\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TSS12\.DscTools\.FileChooserDlg(\.\d*)?\x22|\x27TSS12\.DscTools\.FileChooserDlg(\.\d*)?\x27)\s*\)(\s*\.\s*onChangeDirectory\s*|.*(?P=n)\s*\.\s*onChangeDirectory\s*)/smiO"; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:cve,2014-2418; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:32633; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access"; flow:established,to_client; file_data; content:"4D4269FF-B0BE-4E7D-BDFF-96F0E651C06D"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4D4269FF-B0BE-4E7D-BDFF-96F0E651C06D\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*onChangeDirectory|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4D4269FF-B0BE-4E7D-BDFF-96F0E651C06D\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.onChangeDirectory)/siO"; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:cve,2014-2418; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:32632; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"0002E510-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E510-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,4453; reference:cve,2002-0860; reference:cve,2006-3868; reference:cve,2006-4695; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-017; classtype:attempted-user; sid:32642; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX clsid access"; flow:to_client,established; file_data; content:"FC13BAA2-9C1A-4069-A221-31A147636038"; fast_pattern:only; content:"Connect"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31129; reference:cve,2008-4110; classtype:attempted-user; sid:32754; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt"; flow:to_server,established; file_data; content:"Pkmaxctl.VocabCtl"; nocase; content:"Pkmaxctl.VocabCtl"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-3340; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-090; classtype:attempted-user; sid:32844; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access"; flow:to_server,established; file_data; content:"8fe85d00-4647-40b9-87e4-5eb8a52f4759"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0811; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-034; classtype:attempted-user; sid:32843; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access"; flow:established,to_server; content:"1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0811; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-027; classtype:attempted-user; sid:32842; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows Messenger ActiveX clsid access"; flow:established,to_server; file_data; content:"FB7199AB-79BF-11D2-8D94-0000F875C541"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FB7199AB-79BF-11D2-8D94-0000F875C541\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchIMUI)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FB7199AB-79BF-11D2-8D94-0000F875C541\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchIMUI))/siO"; metadata:service smtp; reference:cve,2011-1243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:32841; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access"; flow:established,to_client; content:"1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0811; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-027; classtype:attempted-user; sid:32840; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt"; flow:established,to_server; file_data; content:"TTF16.TTF1"; fast_pattern:only; pcre:"/(AttachToSS|CopyRange|SwapTables)/i"; metadata:service smtp; reference:cve,2014-2635; reference:cve,2014-2636; reference:cve,2014-2637; classtype:attempted-user; sid:32897; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"B0475003-7740-11D1-BDC3-0020AF9F8E6E"; fast_pattern:only; pcre:"/(AttachToSS|CopyRange|SwapTables)/i"; metadata:service smtp; reference:cve,2014-2635; reference:cve,2014-2636; reference:cve,2014-2637; classtype:attempted-user; sid:32896; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt"; flow:established,to_client; file_data; content:"TTF16.TTF1"; fast_pattern:only; pcre:"/(AttachToSS|CopyRange|SwapTables)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2635; reference:cve,2014-2636; reference:cve,2014-2637; classtype:attempted-user; sid:32895; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"B0475003-7740-11D1-BDC3-0020AF9F8E6E"; fast_pattern:only; pcre:"/(AttachToSS|CopyRange|SwapTables)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2635; reference:cve,2014-2636; reference:cve,2014-2637; classtype:attempted-user; sid:32894; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX function call access attempt"; flow:to_server,established; file_data; content:"PDWizard.PublicTools"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22PDWizard\.PublicTools(\.\d)?\x22|\x27PDWizard\.PublicTools(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*StartProcess\s*|.*(?P=v)\s*\.\s*StartProcess\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PDWizard\.PublicTools(\.\d)?\x22|\x27PDWizard\.PublicTools(\.\d)?\x27)\s*\)(\s*\.\s*StartProcess\s*|.*(?P=n)\s*\.\s*StartProcess\s*)/smiO"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25638; reference:cve,2007-4891; classtype:attempted-user; sid:33045; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"0DDF3C0B-E692-11D1-AB06-00AA00BDD685"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0DDF3C0B-E692-11D1-AB06-00AA00BDD685\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(StartProcess)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0DDF3C0B-E692-11D1-AB06-00AA00BDD685\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(StartProcess))/siO"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25638; reference:cve,2007-4891; classtype:attempted-user; sid:33044; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt"; flow:to_server,established; file_data; content:"B43A0C1E-B63F-4691-B68F-CD807A45DA01"; fast_pattern:only; content:"StartRemoteDesktop"; content:"mstsc.exe"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0016; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-004; classtype:attempted-admin; sid:33052; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt"; flow:to_client,established; file_data; content:"B43A0C1E-B63F-4691-B68F-CD807A45DA01"; fast_pattern:only; content:"StartRemoteDesktop"; content:"mstsc.exe"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0016; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-004; classtype:attempted-admin; sid:33051; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"Reflection.Ftp"; fast_pattern:only; content:"GetSiteProperties3"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,69151; reference:cve,2014-0603; classtype:attempted-user; sid:33073; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"21B15F09-4B5F-11D3-A9B6-00C04FA3624C"; fast_pattern:only; content:"GetSiteProperties3"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,69151; reference:cve,2014-0603; classtype:attempted-user; sid:33072; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Reflection.Ftp"; fast_pattern:only; content:"GetSiteProperties3"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69151; reference:cve,2014-0603; classtype:attempted-user; sid:33071; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"21B15F09-4B5F-11D3-A9B6-00C04FA3624C"; fast_pattern:only; content:"GetSiteProperties3"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69151; reference:cve,2014-0603; classtype:attempted-user; sid:33070; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"HWOPOS.Scale"; fast_pattern:only; metadata:service smtp; reference:bugtraq,71642; reference:cve,2014-8269; classtype:attempted-user; sid:33112; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"864748BF-DC29-4CDD-AC51-9D489B900C99"; fast_pattern:only; metadata:service smtp; reference:bugtraq,71642; reference:cve,2014-8269; classtype:attempted-user; sid:33111; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"HWOPOS.Scale"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,71642; reference:cve,2014-8269; classtype:attempted-user; sid:33110; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"864748BF-DC29-4CDD-AC51-9D489B900C99"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,71642; reference:cve,2014-8269; classtype:attempted-user; sid:33109; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"HWOPOS.Scanner"; fast_pattern:only; metadata:service smtp; reference:bugtraq,71642; reference:cve,2014-8269; classtype:attempted-user; sid:33108; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"60AE66F2-D32B-4751-8BF9-A4889F1205F1"; fast_pattern:only; nocase; metadata:service smtp; reference:bugtraq,71642; reference:cve,2014-8269; classtype:attempted-user; sid:33107; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"HWOPOS.Scanner"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,71642; reference:cve,2014-8269; classtype:attempted-user; sid:33106; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"60AE66F2-D32B-4751-8BF9-A4889F1205F1"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,71642; reference:cve,2014-8269; classtype:attempted-user; sid:33105; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS PTC IsoView ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ISOVIEWX.IsoV"; fast_pattern:only; pcre:"/(ViewPort|CountObjectAnimations|GetObjectAnimationFlags|GetObjectAnimationSequenceName)/i"; metadata:service smtp; reference:bugtraq,71491; reference:cve,2014-9267; classtype:attempted-user; sid:33103; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PTC IsoView ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ISOVIEWX.IsoV"; fast_pattern:only; pcre:"/(ViewPort|CountObjectAnimations|GetObjectAnimationFlags|GetObjectAnimationSequenceName)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,71491; reference:cve,2014-9267; classtype:attempted-user; sid:33102; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS PTC IsoView ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"865B2280-2B71-11D1-BC01-006097AC382A"; fast_pattern:only; pcre:"/(ViewPort|CountObjectAnimations|GetObjectAnimationFlags|GetObjectAnimationSequenceName)/i"; metadata:service smtp; reference:bugtraq,71491; reference:cve,2014-9267; classtype:attempted-user; sid:33101; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS PTC IsoView ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"865B2280-2B71-11D1-BC01-006097AC382A"; fast_pattern:only; pcre:"/(ViewPort|CountObjectAnimations|GetObjectAnimationFlags|GetObjectAnimationSequenceName)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,71491; reference:cve,2014-9267; classtype:attempted-user; sid:33100; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt"; flow:established,to_server; file_data; content:"Reflection.Ftp.3"; fast_pattern:only; content:".GetGlobalSettings"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0603; reference:url,support.attachmate.com/techdocs/2546.html; classtype:attempted-user; sid:33175; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt"; flow:established,to_server; file_data; content:"Reflection.Ftp"; fast_pattern:only; content:".GetGlobalSettings"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0603; reference:url,support.attachmate.com/techdocs/2546.html; classtype:attempted-user; sid:33174; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"21B15F09-4B5F-11D3-A9B6-00C04FA3624C"; fast_pattern:only; content:".GetGlobalSettings"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0603; reference:url,support.attachmate.com/techdocs/2546.html; classtype:attempted-user; sid:33173; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt"; flow:established,to_client; file_data; content:"Reflection.Ftp.3"; fast_pattern:only; content:".GetGlobalSettings"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0603; reference:url,support.attachmate.com/techdocs/2546.html; classtype:attempted-user; sid:33172; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"21B15F09-4B5F-11D3-A9B6-00C04FA3624C"; fast_pattern:only; content:".GetGlobalSettings"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0603; reference:url,support.attachmate.com/techdocs/2546.html; classtype:attempted-user; sid:33171; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt"; flow:established,to_client; file_data; content:"Reflection.Ftp"; fast_pattern:only; content:".GetGlobalSettings"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0603; reference:url,support.attachmate.com/techdocs/2546.html; classtype:attempted-user; sid:33170; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Access multiple control instantiation memory corruption attempt"; flow:to_client,established; file_data; content:"53230322-172B-11D0-AD40-00A0C90DC8D9"; fast_pattern:only; content:"call"; content:"Column("; distance:0; pcre:"/call.*\x2e(Add|Delete)Column\x28.*\x29/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0814; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-044; classtype:attempted-user; sid:33548; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"classid=|22|clsid:5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:33579; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess webeye.ocx ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"WEBEYE.WebEyeCtrl"; fast_pattern:only; content:"Connect"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,71193; reference:cve,2014-8388; classtype:attempted-user; sid:34017; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess webeye.ocx ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"A8739816-022C-11D6-A85D-00C04F9AEAFB"; fast_pattern:only; content:"Connect"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,71193; reference:cve,2014-8388; classtype:attempted-user; sid:34016; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess webeye.ocx ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"WEBEYE.WebEyeCtrl"; fast_pattern:only; content:"Connect"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,71193; reference:cve,2014-8388; classtype:attempted-user; sid:34015; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess webeye.ocx ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"A8739816-022C-11D6-A85D-00C04F9AEAFB"; fast_pattern:only; content:"Connect"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,71193; reference:cve,2014-8388; classtype:attempted-user; sid:34014; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access"; flow:to_server,established; file_data; content:"4B106874-DD36-11D0-8B44-00A024DD9EFF"; fast_pattern:only; metadata:service smtp; reference:bugtraq,8833; reference:cve,2003-0662; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-042; classtype:attempted-user; sid:34298; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"WESPPLAYBACK.WESPPlaybackCtrl"; fast_pattern:only; pcre:"/(PrintSiteImage|PlaySiteAllChannel|StopSiteAllChannel|SaveSiteImage)/i"; metadata:service smtp; reference:cve,2015-2094; classtype:attempted-user; sid:34457; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"4E14C449-A61A-4BF7-8082-65A91298A6D8"; fast_pattern:only; pcre:"/(PrintSiteImage|PlaySiteAllChannel|StopSiteAllChannel|SaveSiteImage)/i"; metadata:service smtp; reference:cve,2015-2094; classtype:attempted-user; sid:34456; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"WESPPLAYBACK.WESPPlaybackCtrl"; fast_pattern:only; pcre:"/(PrintSiteImage|PlaySiteAllChannel|StopSiteAllChannel|SaveSiteImage)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2094; classtype:attempted-user; sid:34455; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"4E14C449-A61A-4BF7-8082-65A91298A6D8"; fast_pattern:only; pcre:"/(PrintSiteImage|PlaySiteAllChannel|StopSiteAllChannel|SaveSiteImage)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2094; classtype:attempted-user; sid:34454; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"WESPMonitor.WESPMonitorCtrl"; fast_pattern:only; content:"LoadImage"; nocase; metadata:service smtp; reference:cve,2015-2097; classtype:attempted-user; sid:34451; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3"; fast_pattern:only; content:"LoadImage"; nocase; metadata:service smtp; reference:cve,2015-2097; classtype:attempted-user; sid:34450; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"WESPMonitor.WESPMonitorCtrl"; fast_pattern:only; content:"LoadImage"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2097; classtype:attempted-user; sid:34449; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3"; fast_pattern:only; content:"LoadImage"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2097; classtype:attempted-user; sid:34448; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"8d9e2cc7-d94b-4977-8510-fb49c361a139"; fast_pattern:only; content:"WriteFileBinary"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-2370; classtype:attempted-user; sid:33014; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"8d9e2cc7-d94b-4977-8510-fb49c361a139"; fast_pattern:only; content:"WriteFileBinary"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2370; classtype:attempted-user; sid:33013; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"8AE9F829-D587-42BB-B5C1-09EE8D9547FA"; fast_pattern:only; content:"PEstrarg1"; content:"Array("; distance:0; metadata:policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,62585; classtype:attempted-user; sid:33004; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"8AE9F829-D587-42BB-B5C1-09EE8D9547FA"; fast_pattern:only; content:"PEstrarg1"; content:"String"; metadata:policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,62585; classtype:attempted-user; sid:33003; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access"; flow:established,to_client; file_data; content:"CheckOutAndOpen.Control"; fast_pattern:only; content:".coao|28|"; nocase; content:".hta"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59122; reference:cve,2013-1559; reference:url,attack.mitre.org/techniques/T1170; classtype:attempted-user; sid:32105; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access"; flow:established,to_client; file_data; content:"CheckOutAndOpen.Control"; fast_pattern:only; content:".openwebdav|28|"; nocase; content:".hta"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59122; reference:cve,2013-1559; reference:url,attack.mitre.org/techniques/T1170; classtype:attempted-user; sid:32104; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access"; flow:established,to_client; file_data; content:"A200D7A4-CA91-4165-9885-AB618A39B3F0"; fast_pattern:only; content:".coao|28|"; nocase; content:".hta"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59122; reference:cve,2013-1559; reference:url,attack.mitre.org/techniques/T1170; classtype:attempted-user; sid:32103; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access"; flow:established,to_client; file_data; content:"A200D7A4-CA91-4165-9885-AB618A39B3F0"; fast_pattern:only; content:".openwebdav|28|"; nocase; content:".hta"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59122; reference:cve,2013-1559; reference:url,attack.mitre.org/techniques/T1170; classtype:attempted-user; sid:32102; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Adobe Multiple Product AcroPDF.PDF ActiveX exploit attempt"; flow:to_server,established; file_data; content:"|6C 65 72 74 28 22 41 63 72 6F 62 61 74 20 76 65 72 73 69 6F 6E 20 35 2E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,12989; reference:cve,2005-0035; reference:url,www.adobe.com/support/security/advisories/apsa06-02.html; classtype:attempted-user; sid:31322; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Adobe Multiple Product AcroPDF.PDF ActiveX exploit attempt"; flow:to_server,established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; content:"onClick=|22|checkversion|28|fn.value|29 22|"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,12989; reference:bugtraq,21155; reference:cve,2005-0035; reference:cve,2006-6027; reference:url,www.adobe.com/support/security/advisories/apsa06-02.html; classtype:attempted-user; sid:31321; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Adobe Multiple Product AcroPDF.PDF ActiveX exploit attempt"; flow:to_client,established; file_data; content:"|6C 65 72 74 28 22 41 63 72 6F 62 61 74 20 76 65 72 73 69 6F 6E 20 35 2E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12989; reference:cve,2005-0035; reference:url,www.adobe.com/support/security/advisories/apsa06-02.html; classtype:attempted-user; sid:31320; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CYME Power Engineering ChartFX.ClientServer ActiveX function call access"; flow:established,to_client; file_data; content:"Cfx62ClientSErver.Chart"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Cfx62ClientSErver\.Chart(\.\d*)?\x22|\x27Cfx62ClientSErver\.Chart(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Cfx62ClientSErver\.Chart(\.\d*)?\x22|\x27Cfx62ClientSErver\.Chart(\.\d*)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:29060; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CYME Power Engineering ChartFX.ClientServer ActiveX clsid access"; flow:established,to_client; file_data; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9DF30CA-4B30-4235-BF0C-7150F646606C\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:29059; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"UnPrivateItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28789; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"UnCompleteItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28788; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"UnAlarmItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28787; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"SimpleDelete"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28786; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"SetEngine"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28785; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"PrivateItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28784; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"MoveItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28783; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"DeleteItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28782; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"DeleteAndRetractItemEx"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28781; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"DeleteAndRetractItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28780; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"DeleteAllInstances"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28779; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"DeclineItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28778; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"DeclineAllInstancesEx"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28777; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"DeclineAllInstances"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28776; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"CompleteItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28775; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"ChangeItemDuration"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28774; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"ChangeItemAcceptLevel"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28773; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"AlarmItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28772; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"AcceptItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28771; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX function call access attempt"; flow:established,to_client; file_data; content:"CALSVR.GWCalServerCtrl.1"; fast_pattern:only; content:"AcceptAllInstances"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28770; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; nocase; content:"DeleteAndRetractItemEx"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28769; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; nocase; content:"DeleteAndRetractItem"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28768; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; nocase; content:"DeleteAllInstances"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28767; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; nocase; content:"DeclineAllInstancesEx"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28766; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; nocase; content:"DeclineAllInstances"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28765; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; nocase; content:"ChangeItemDuration"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28764; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; nocase; content:"ChangeItemAcceptLevel"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28763; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; nocase; content:"AcceptAllInstances"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28762; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"UnPrivateItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28761; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"UnCompleteItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28760; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"UnAlarmItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28759; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"SimpleDelete"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28758; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"SetEngine"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28757; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"SetEngine"; nocase; content:"GetNXPItem"; within:60; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28756; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"PrivateItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28755; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"MoveItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28754; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"DeleteItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28753; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"DeclineItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28752; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"CompleteItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28751; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"AlarmItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28750; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell GroupWise ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"601D7813-408F-11D1-98D7-444553540000"; fast_pattern:only; content:"AcceptItem"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0439; classtype:attempted-user; sid:28749; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.zip&file.silverlight; file_data; content:".dll|ED 7B 0B 78 1C 57 95 E6 A9 EA EE EA EA 6E 3D DC 92 AD 87 F5 6A C9 76 DC B2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58327; reference:cve,2013-0074; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-022; classtype:attempted-user; sid:28584; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.zip&file.silverlight; file_data; content:".dll|ED 59 7D 6C 1C C7 75 7F BB 77 B7 A4 28 F3 6A 52 92 49 C9 8A B4 A4 64 85 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58327; reference:cve,2013-0074; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-022; classtype:attempted-user; sid:28583; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.zip&file.silverlight; file_data; content:".dll|ED 59 0B 6C 1C D5 15 BD 33 FB 73 9C 64 21 1B 12 3B 60 C8 78 03 64 63 92 F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58327; reference:cve,2013-0074; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-022; classtype:attempted-user; sid:28582; rev:6;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.zip&file.silverlight; file_data; content:".dll|ED 7B 0B 78 1C 57 95 E6 A9 EA EE EA EA 6E 3D DC 92 AD 87 F5 6A C9 76 DC B2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58327; reference:cve,2013-0074; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-022; classtype:attempted-user; sid:28581; rev:6;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.zip&file.silverlight; file_data; content:".dll|ED 59 7D 6C 1C C7 75 7F BB 77 B7 A4 28 F3 6A 52 92 49 C9 8A B4 A4 64 85 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58327; reference:cve,2013-0074; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-022; classtype:attempted-user; sid:28580; rev:6;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.zip&file.silverlight; file_data; content:".dll|ED 59 0B 6C 1C D5 15 BD 33 FB 73 9C 64 21 1B 12 3B 60 C8 78 03 64 63 92 F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58327; reference:cve,2013-0074; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-022; classtype:attempted-user; sid:28579; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS InformationCardSigninHelper ActiveX function call access"; flow:established,to_client; file_data; content:"InformationCardSigninHelper"; fast_pattern:only; content:".requiredClaims"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3918; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-090; classtype:attempted-user; sid:28506; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS InformationCardSigninHelper ActiveX clsid access"; flow:established,to_client; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; fast_pattern:only; content:".requiredClaims"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3918; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-090; classtype:attempted-user; sid:28505; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt"; flow:to_client,established; file_data; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; fast_pattern:only; content:"ComboList"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59556; reference:cve,2012-5947; classtype:attempted-user; sid:28438; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt"; flow:to_client,established; file_data; content:"VSFlexGrid.VSFlexGridL"; fast_pattern:only; content:"ComboList"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59556; reference:cve,2012-5947; classtype:attempted-user; sid:28437; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"VSFlexGrid8.VSFlexGridL"; fast_pattern:only; content:"ComboList"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59557; reference:bugtraq,64095; reference:bugtraq,66116; reference:cve,2012-5945; reference:cve,2013-5057; reference:cve,2014-0895; classtype:attempted-user; sid:28436; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"0f026c11-5a66-4c2b-87b5-88ddebae72a1"; fast_pattern:only; content:"ComboList"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59557; reference:bugtraq,64095; reference:bugtraq,66116; reference:cve,2012-5945; reference:cve,2013-5057; reference:cve,2014-0895; classtype:attempted-user; sid:28435; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access"; flow:established,to_client; file_data; content:"NzQ1RTVGNS1EMjM0LTExRDAtODQ3QS0wMEMwNEZEN0JCMD"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45546; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:28351; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access"; flow:established,to_client; file_data; content:"NDVFNUY1LUQyMzQtMTFEMC04NDdBLTAwQzA0RkQ3QkIwOC"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45546; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:28350; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access"; flow:established,to_client; file_data; content:"%32%37%34%35%45%35%46%35%2d%44%32%33%34%2d%31%31%44%30%2d%38%34%37%41%2d%30%30%43%30%34%46%44%37%42%42%30%38"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45546; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:28349; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer htmlfile ActiveX object access attempt"; flow:to_server,established; file_data; content:"25336921-03F9-11CF-8FD0-00AA00686F13"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*25336921-03F9-11CF-8FD0-00AA00686F13/si"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,1718; reference:bugtraq,49960; reference:cve,2001-0149; reference:cve,2011-1995; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-015; classtype:attempted-user; sid:28272; rev:7;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP LoadRunner WriteFileString ActiveX function call attempt"; flow:to_server,established; file_data; content:"HP_LR_FileIOService"; fast_pattern:only; content:"WriteFileString"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,61443; reference:cve,2013-4798; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772; classtype:attempted-user; sid:27872; rev:10;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP LoadRunner WriteFileString ActiveX function call attempt"; flow:to_server,established; file_data; content:"8D9E2CC7-D94B-4977-8510-FB49C361A139"; fast_pattern:only; content:"WriteFileString"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,61443; reference:cve,2013-4798; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772; classtype:attempted-user; sid:27871; rev:10;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP LoadRunner WriteFileString ActiveX function call attempt"; flow:to_client,established; file_data; content:"HP_LR_FileIOService"; fast_pattern:only; content:"WriteFileString"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,61443; reference:cve,2013-4798; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772; classtype:attempted-user; sid:27870; rev:9;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP LoadRunner WriteFileString ActiveX function call attempt"; flow:to_client,established; file_data; content:"8D9E2CC7-D94B-4977-8510-FB49C361A139"; fast_pattern:only; content:"WriteFileString"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,61443; reference:cve,2013-4798; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772; classtype:attempted-user; sid:27869; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX function call access"; flow:to_server,established; file_data; content:"WebexUCFObject.WebexUCFObject"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?WebexUCFObject\.WebexUCFObject/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30578; reference:cve,2008-3558; reference:url,www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml; classtype:attempted-user; sid:27782; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX clsid access"; flow:to_server,established; file_data; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?32E26FD9-F435-4A20-A561-35D4B987CFDC/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30578; reference:cve,2008-3558; reference:url,www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml; classtype:attempted-user; sid:27781; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"HSCRemoteDeploy.RemoteInstaller"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=v)\s*\.\s*LaunchInstaller\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=n)\s*\.\s*LaunchInstaller\s*)/smiO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58134; reference:cve,2013-0108; classtype:attempted-user; sid:26573; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_client,established; file_data; content:"MsTsAx.MsTsAx."; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:26365; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_client,established; file_data; content:"a9d7038d-b5ed-472e-9c47-94bea90a5910"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:26364; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_client,established; file_data; content:"7390f3d8-0439-4c05-91e3-cf5cb290c3d0"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:26363; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_client,established; file_data; content:"4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:26362; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_client,established; file_data; content:"54CE37E0-9834-41ae-9896-4DAB69DC022B"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:26361; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_client,established; file_data; content:"4EDCB26C-D24C-4e72-AF07-B576699AC0DE"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:26360; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_client,established; file_data; content:"6A6F4B83-45C5-4ca9-BDD9-0D81C12295E4"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:26359; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_client,established; file_data; content:"7584c670-2274-4efb-b00b-d6aaba6d3850"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:26358; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_client,established; file_data; content:"971127BB-259F-48c2-BD75-5F97A3331551"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:26357; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_client,established; file_data; content:"9059f30f-4eb1-4bd2-9fdc-36f43a218f4a"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:26356; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_client,established; file_data; content:"MsRDP.MsRDP."; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:26355; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"0D080D7D-28D2-4F86-BFA1-D582E5CE4867"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchInstaller)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchInstaller))/siO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58134; reference:cve,2013-0108; classtype:attempted-user; sid:26193; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Citrix Access Gateway plug-in ActiveX code execution attempt"; flow:to_client, established; isdataat:255; content:"CSEC:"; http_header; content:!"|0A|"; within:255; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48676; reference:cve,2011-2882; reference:url,support.citrix.com/article/CTX129902; classtype:attempted-user; sid:25344; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Citrix Access Gateway plug-in ActiveX code execution attempt"; flow:to_client, established; content:"|22|CLSID:181BCAB2-C89B-4E4B-9E6B-59FA67A426B5|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48676; reference:cve,2011-2882; reference:url,support.citrix.com/article/CTX129902; classtype:attempted-user; sid:25343; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS InduSoft ISSymbol InternationalSeparator heap overflow attempt"; flow:established,to_client; file_data; content:"InternationalSeparator"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*(3c9dff6f-5cb0-422e-9978-d6405d10718f|9A6AEBF9-E182-4BA9-BA75-1EE8A7651EC0)\s*}?\s*(?P=q1).*?(id\s*=\s*[\x22\x27](?P[^\x22\x27]+)[\x22\x27])?\s*[>\x2F](.*?(?P=id)\.InternationalSeparator\x28\s*[^\x29]{2}|\s*<\s*param[^>]*?name\s*=\s*[\x22\x27]InternationalSeparator[\x22\x27][^>]*?value\s*=\s*[\x22\x27][^\x22\x27]{2})/siO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0340; classtype:attempted-user; sid:25316; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM VsVIEW ActiveX control directory traversal attempt"; flow:established,to_client; file_data; content:"VSPrinter.VSPrinter"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22VSPrinter\.VSPrinter(\.\d)?\x22|\x27VSPrinter\.VSPrinter(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveDoc|PrintFile)\s*?\x28\s*?[\x22\x27]\s*?(c\x3a\/|(\.\.\/){3})|.*(?P=v)\s*\.\s*(SaveDoc|PrintFile)\s*?\x28\s*?[\x22\x27]\s*?(c\x3a\/|(\.\.\/){3}))|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VSPrinter\.VSPrinter(\.\d)?\x22|\x27VSPrinter\.VSPrinter(\.\d)?\x27)\s*\)(\s*\.\s*(SaveDoc|PrintFile)\s*?\x28\s*?[\x22\x27]\s*?(c\x3a\/|(\.\.\/){3})|.*(?P=n)\s*\.\s*(SaveDoc|PrintFile)\s*?\x28\s*?[\x22\x27]\s*?(c\x3a\/|(\.\.\/){3}))/smiO"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,51448; reference:cve,2012-0189; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21577951; classtype:attempted-user; sid:25300; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM VsVIEW ActiveX control directory traversal attempt"; flow:established,to_client; file_data; content:"6E84D662-9599-11D2-9367-20CC03C10627"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E84D662-9599-11D2-9367-20CC03C10627\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(SaveDoc|PrintFile)\x28\s*?[\x22\x27]\s*?(c\x3a\/|(\.\.\/){3})|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E84D662-9599-11D2-9367-20CC03C10627\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(SaveDoc|PrintFile)\x28\s*?[\x22\x27]\s*?(c\x3a\/|(\.\.\/){3}))/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,51448; reference:cve,2012-0189; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21577951; classtype:attempted-user; sid:25299; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt"; flow:established,to_server; file_data; content:"AUTOVUEX.AutoVueXCtrl.1"; fast_pattern:only; content:"SetMarkupMode"; pcre:"/\x28\s*\w+\s*\x29/R"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0549; classtype:attempted-user; sid:25118; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt"; flow:established,to_server; file_data; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; fast_pattern:only; content:"SetMarkupMode"; nocase; pcre:"/\x28\s*\w+\s*\x29/R"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0549; classtype:attempted-user; sid:25117; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt"; flow:established,to_server; file_data; content:"AUTOVUEX.AutoVueXCtrl.1"; fast_pattern:only; content:"SetMarkupMode"; isdataat:256,relative; pcre:"/\x28\s*[\x22\x27][^\x22\x27]{256}/R"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0549; classtype:attempted-user; sid:25116; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; fast_pattern:only; content:"SetMarkupMode"; nocase; isdataat:256,relative; pcre:"/\x28\s*[\x22\x27][^\x22\x27]{256}/R"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0549; classtype:attempted-user; sid:25115; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt"; flow:established,to_client; file_data; content:"AUTOVUEX.AutoVueXCtrl.1"; fast_pattern:only; content:"SetMarkupMode"; pcre:"/\x28\s*\w+\s*\x29/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0549; classtype:attempted-user; sid:25114; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt"; flow:established,to_client; file_data; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; fast_pattern:only; content:"SetMarkupMode"; nocase; pcre:"/\x28\s*\w+\s*\x29/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0549; classtype:attempted-user; sid:25113; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt"; flow:established,to_client; file_data; content:"AUTOVUEX.AutoVueXCtrl.1"; fast_pattern:only; content:"SetMarkupMode"; isdataat:256,relative; pcre:"/\x28\s*[\x22\x27][^\x22\x27]{256}/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0549; classtype:attempted-user; sid:25112; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; fast_pattern:only; content:"SetMarkupMode"; nocase; isdataat:256,relative; pcre:"/\x28\s*[\x22\x27][^\x22\x27]{256}/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0549; classtype:attempted-user; sid:25111; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Silverlight inheritance restriction bypass"; flow:to_client,established; flowbits:isset,file.zip&file.silverlight; file_data; content:"|BF 6F CA 12 A2 3A F4 07 05 F9 25 BE 68 26 D0 1E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1253; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-078; classtype:attempted-user; sid:25035; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ClearQuest session ActiveX control access"; flow:established,to_client; file_data; content:"CLEARQUEST.SESSION"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0708; classtype:attempted-user; sid:25005; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft DirectPlay ActiveX clsid access"; flow:established,to_client; file_data; content:"934A9523-A3CA-4bc5-ADA0-D6D95D979421"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*934A9523-A3CA-4bc5-ADA0-D6D95D979421\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-user; sid:24963; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access"; flow:established,to_client; file_data; content:"743F1DC6-5ABA-)f-8BDF-C54D03253DC2"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*743F1DC6-5ABA-429f-8BDF-C54D03253DC2\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-user; sid:24962; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access"; flow:established,to_client; file_data; content:"743B5D60-628D-11D2-AE0F-006097B01411"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*743B5D60-628D-11D2-AE0F-006097B01411\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-user; sid:24961; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access"; flow:established,to_client; file_data; content:"6D4A3650-628D-11D2-AE0F-006097B01411"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6D4A3650-628D-11D2-AE0F-006097B01411\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-user; sid:24960; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access"; flow:established,to_client; file_data; content:"667955AD-6B3B-43ca-B949-BC69B5BAFF7F"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*667955AD-6B3B-43ca-B949-BC69B5BAFF7F\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-user; sid:24959; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access"; flow:established,to_client; file_data; content:"3B2B6775-70B6-45af-8DEA-A209C69559F3"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B2B6775-70B6-45af-8DEA-A209C69559F3\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-user; sid:24958; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access"; flow:established,to_client; file_data; content:"286F484D-375E-4458-A272-B138E2F80A6A"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*286F484D-375E-4458-A272-B138E2F80A6A\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-user; sid:24957; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ASUS Net4Switch ipswcom.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ipswcom.IPSWComItf"; fast_pattern:only; pcre:"/(MsgBox|Alert)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4924; classtype:attempted-user; sid:24776; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ASUS Net4Switch ipswcom.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"1B9E86D8-7CAF-46C8-9938-569B21E17A8E"; fast_pattern:only; pcre:"/(MsgBox|Alert)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4924; classtype:attempted-user; sid:24774; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus iNotes Attachement_Times ActiveX clsid access"; flow:established,to_client; file_data; content:"75aa409d-05f9-4f27-bd53-c7339d4b1d0a"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53879; reference:cve,2012-2175; reference:url,www.ibm.com/support/docview.wss?uid=swg21596862; classtype:attempted-user; sid:24773; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"a3cd4bf9-ec17-47a4-833c-50a324d6ff35"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1388; reference:cve,2011-1391; classtype:attempted-user; sid:24723; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell iPrint ActiveX real parameter overflow attempt"; flow:to_client,established; file_data; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; fast_pattern:only; content:"GetDriverSettings"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-4321; reference:cve,2011-4187; classtype:attempted-user; sid:24676; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell iPrint ActiveX realm parameter overflow attempt"; flow:to_client,established; file_data; content:"ienipp.Novell iPrint Control"; fast_pattern:only; content:"GetDriverSettings"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22ienipp\.Novell\s*iPrint\s*Control(\.\d)?\x22|\x27ienipp\.Novell\s*iPrint\s*Control(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ienipp\.Novell\s*iPrint\s*Control(\.\d)?\x22|\x27ienipp\.Novell\s*iPrint\s*Control(\.\d)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-4187; classtype:attempted-user; sid:24675; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"A2282403-50DE-4A2E-A118-B90AEDB1ADCC"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2217; classtype:attempted-user; sid:24646; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"575B655F-FED4-4EE1-8F62-0A69D404F46B"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2217; classtype:attempted-user; sid:24645; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CYME Power Engineering ShowPropertiesDialog ActiveX function call access"; flow:established,to_client; file_data; content:"Cfx62ClientServer.Chart"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Cfx62ClientServer\.Chart(\.\d)?\x22|\x27Cfx62ClientServer\.Chart(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*showpropertiesdialog\s*|.*(?P=v)\s*\.\s*showpropertiesdialog\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Cfx62ClientServer\.Chart(\.\d)?\x22|\x27Cfx62ClientServer\.Chart(\.\d)?\x27)\s*\)(\s*\.\s*showpropertiesdialog\s*|.*(?P=n)\s*\.\s*showpropertiesdialog\s*)/smiO"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:24560; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CYME Power Engineering ShowPropertiesDialog ActiveX clsid access"; flow:established,to_client; file_data; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9DF30CA-4B30-4235-BF0C-7150F646606C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(showpropertiesdialog)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9DF30CA-4B30-4235-BF0C-7150F646606C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(showpropertiesdialog))/siO"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:24559; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Citrix Access Gateway plug-in buffer overflow attempt"; flow:to_client,established; isdataat:8192; content:"CSEC:"; http_header; content:!"|0A|"; within:8192; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,54754; reference:cve,2011-2592; reference:url,secunia.com/secunia_research/2012-27/; classtype:attempted-user; sid:24335; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Cisco Secure Desktop CSDWebInstaller ActiveX clsid access"; flow:to_client,established; file_data; content:"705EC6D4-B138-4079-A307-EF13E4889A82"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*705EC6D4-B138-4079-A307-EF13E4889A82\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(url)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*705EC6D4-B138-4079-A307-EF13E4889A82\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(url))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46536; reference:cve,2011-0926; classtype:attempted-user; sid:24281; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"45e66957-2932-432a-a156-31503df0a681"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?45e66957-2932-432a-a156-31503df0a681/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,54215; reference:cve,2012-2515; reference:cve,2012-2516; reference:url,support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863; classtype:attempted-user; sid:24196; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"7DD95802-9882-11CF-9FA9-00AA006C42C4"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,51396; reference:cve,2011-4786; classtype:attempted-user; sid:24044; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"7DD95802-9882-11CF-9FA9-00AA006C42C4"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51396; reference:cve,2011-4786; classtype:attempted-user; sid:24043; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"6f255f99-6961-48dc-b17e-6e1bccbc0ee3"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,51396; reference:cve,2011-4786; classtype:attempted-user; sid:24042; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"6f255f99-6961-48dc-b17e-6e1bccbc0ee3"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51396; reference:cve,2011-4786; classtype:attempted-user; sid:24041; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"466576F3-19B6-4FF1-BD48-3E0E1BFB96E9"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,51396; reference:cve,2011-4786; classtype:attempted-user; sid:24040; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP Easy Printer Care Software ActiveX function call access"; flow:established,to_server; file_data; content:"HPESPRIT.XMLCacheMgr"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,51396; reference:cve,2011-4786; classtype:attempted-user; sid:24039; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt"; flow:to_server,established; file_data; content:" $HOME_NET any (msg:"BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34931; reference:bugtraq,39346; reference:cve,2009-1671; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:23878; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"55253B08-0D11-4EAD-85AB-0069A52BACD4"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14801; reference:cve,2005-2996; classtype:attempted-user; sid:23414; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"EF600D71-358F-11D1-8FD4-00AA00BD091C"; fast_pattern:only; content:"Add"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52765; reference:cve,2012-5896; classtype:attempted-user; sid:23395; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Cisco Linksys PlayerPT ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"9E065E4A-BD9D-4547-8F90-985DC62A5591"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9E065E4A-BD9D-4547-8F90-985DC62A5591\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(SetSource\(([^\; ]*?,){4}\s*?([^\x22\x27]+\s*?\)\; |(\x22|\x27)[^\x22\x27]{40}))|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9E065E4A-BD9D-4547-8F90-985DC62A5591\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(SetSource\(([^\; ]*?,){4}\s*?([^\x22\x27]+\s*?\)\; |(\x22|\x27)[^\x22\x27]{40})))/smiO"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0284; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:attempted-user; sid:23352; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf90-7b36-11d2-b20e-00c04f983e60"; fast_pattern:only; content:".definition"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23286; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle WebCenter Forms Recognition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Cairo.SCBCroProject"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1709; classtype:attempted-user; sid:23284; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Easy Printer Care XMLSimpleAccessor ActiveX function call access attempt"; flow:to_client,established; file_data; content:"HPESPRIT.XMLSimpleAccessor"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22HPESPRIT\.XMLSimpleAccessor(\.\d)?\x22|\x27HPESPRIT\.XMLSimpleAccessor(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveXML|LoadXML)\s*|.*(?P=v)\s*\.\s*(SaveXML|LoadXML)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HPESPRIT\.XMLSimpleAccessor(\.\d)?\x22|\x27HPESPRIT\.XMLSimpleAccessor(\.\d)?\x27)\s*\)(\s*\.\s*(SaveXML|LoadXML)\s*|.*(?P=n)\s*\.\s*(SaveXML|LoadXML)\s*)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49100; reference:cve,2011-2404; classtype:attempted-user; sid:23253; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Webcenter ActiveX function call access"; flow:to_client,established; file_data; content:"SSSplitter.SSSplitter"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22SSSplitter\.SSSplitter(\.\d)?\x22|\x27SSSplitter\.SSSplitter(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SSSplitter\.SSSplitter(\.\d)?\x22|\x27SSSplitter\.SSSplitter(\.\d)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-1710; classtype:attempted-user; sid:23229; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Dell CrazyTalk.DLL ActiveX clsid access"; flow:to_client,established; file_data; content:"13149882-f480-4f6b-8c6a-0764f75b99ed"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*13149882-f480-4f6b-8c6a-0764f75b99ed\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(BackImage|ScriptName|ModelName|SRC)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*13149882-f480-4f6b-8c6a-0764f75b99ed\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(BackImage|ScriptName|ModelName|SRC))/siO"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:23186; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow attempt"; flow:to_client,established; file_data; content:"05D96F71-87C6-11D3-9BE4-00902742D6E0"; fast_pattern:only; pcre:"/(Impor|Attachmen)t_Times/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53678; reference:cve,2012-2176; classtype:attempted-user; sid:23175; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Tivoli Provisioning Manager Express ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Isig.isigCtl"; fast_pattern:only; content:"RunAndUploadFile"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0198; classtype:attempted-user; sid:21919; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Tivoli Provisioning Manager Express ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"84B74E82-3475-420E-9949-773B4FB91771"; fast_pattern:only; content:"RunAndUploadFile"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0198; classtype:attempted-user; sid:21918; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Silverlight privilege escalation attempt"; flow:to_client,established; file_data; content:"System.Net.Sockets|00|SocketAsyncEventArgs"; nocase; content:"MemberwiseClone"; distance:0; fast_pattern; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-admin; sid:21299; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Easy Printer Care Software ActiveX function call"; flow:to_client,established; file_data; content:"HPESPRIT.XMLSimpleAccessor.1"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51400; reference:cve,2011-2404; reference:cve,2011-4787; classtype:attempted-user; sid:21077; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access"; flow:to_client,established; file_data; content:"466576F3-19B6-4FF1-BD48-3E0E1BFB96E9"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51400; reference:cve,2011-4787; classtype:attempted-user; sid:21076; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"HPESPRIT.XMLCacheMgr"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51396; reference:cve,2011-4786; classtype:attempted-user; sid:21064; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"466576F3-19B6-4FF1-BD48-3E0E1BFB96E9"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51396; reference:cve,2011-4786; classtype:attempted-user; sid:21063; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell ZENworks LaunchHelp.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"LaunchHelp.HelpLauncher"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2657; reference:url,www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1; classtype:attempted-user; sid:20835; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell ZENworks LaunchHelp.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"7A758D94-E900-11D5-8467-00B0D023B202"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2657; reference:url,www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1; classtype:attempted-user; sid:20834; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Photo Creative ActiveX clsid access"; flow:to_client,established; file_data; content:"3EEEBC9A-580F-46EF-81D9-55510266413D"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20709; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access"; flow:to_client,established; file_data; content:"466576F3-19B6-4FF1-BD48-3E0E1BFB96E9"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20708; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer defaulttime behavior attack attempt"; flow:to_client,established; file_data; content:"behavior"; nocase; content:"#default#time"; within:30; fast_pattern; nocase; content:!"2"; within:1; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-090; classtype:attempted-user; sid:20704; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX function call access"; flow:to_client,established; file_data; content:"ISGrid.Grid2"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ISGrid\.Grid2(\.\d)?\x22|\x27ISGrid\.Grid2(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DoFindReplace\s*|.*(?P=v)\s*\.\s*DoFindReplace\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ISGrid\.Grid2(\.\d)?\x22|\x27ISGrid\.Grid2(\.\d)?\x27)\s*\)(\s*\.\s*DoFindReplace\s*|.*(?P=n)\s*\.\s*DoFindReplace\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3174; classtype:attempted-user; sid:20592; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access"; flow:to_client,established; file_data; content:"c03aab45-221b-11d4-ab3a-00c04f09719c"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*c03aab45-221b-11d4-ab3a-00c04f09719c\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoFindReplace)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*c03aab45-221b-11d4-ab3a-00c04f09719c\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoFindReplace))/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3174; classtype:attempted-user; sid:20591; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Silverlight inheritance restriction bypass"; flow:to_client,established; file_data; content:"|C3 B0 6E 8B ED 68 DB 41 62 66 71 70 E7 30 B9 1B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1253; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-078; classtype:attempted-user; sid:20255; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access"; flow:to_client,established; file_data; content:"7390f3d8-0439-4c05-91e3-cf5cb290c3d0"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7390f3d8-0439-4c05-91e3-cf5cb290c3d0\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(MsRdpClientShell.RdpFileContents)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7390f3d8-0439-4c05-91e3-cf5cb290c3d0\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(MsRdpClientShell.RdpFileContents))\s*=/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1929; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:20175; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Cisco AnyConnect ActiveX clsid access"; flow:to_client,established; file_data; content:"55963676-2f5e-4baf-ac28-cf26aa587566"; fast_pattern:only; content:"obj.url=str"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2039; reference:url,www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml; classtype:attempted-user; sid:19909; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Tabular Control ActiveX overflow by CLSID / param tag"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83"; nocase; content:"]+classid\s*=\s*(?P\x22|\x27|)clsid\s*\x3A\s*{?\s*333C7BC4-460F-11D0-BC04-0080C7055A83\s*}?(?P=q1)/smi"; pcre:"/]+(name\s*=\s*(?P\x22|\x27|)DataURL(?P=q2)[^>]+value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})|value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})[^>]+name\s*=\s*(?P\x22|\x27|)DataURL(?P=q3))/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19893; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Cisco AnyConnect ActiveX clsid access"; flow:to_client,established; file_data; content:"55963676-2f5e-4baf-ac28-cf26aa587566"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*55963676-2f5e-4baf-ac28-cf26aa587566\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(url)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*55963676-2f5e-4baf-ac28-cf26aa587566\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(url))\s*=/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2039; reference:url,www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml; classtype:attempted-user; sid:19650; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle EasyMail ActiveX function call access"; flow:to_client,established; file_data; content:"EasyMail.SMTP"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22EasyMail\.SMTP(\.\d)?\x22|\x27EasyMail\.SMTP(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(ImportBodyText|ImportBodyTextEx|ImportBodyAlternative)\s*|.*(?P=v)\s*\.\s*(ImportBodyText|ImportBodyTextEx|ImportBodyAlternative)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EasyMail\.SMTP(\.\d)?\x22|\x27EasyMail\.SMTP(\.\d)?\x27)\s*\)(\s*\.\s*(ImportBodyText|ImportBodyTextEx|ImportBodyAlternative)\s*|.*(?P=n)\s*\.\s*(ImportBodyText|ImportBodyTextEx|ImportBodyAlternative)\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45849; reference:cve,2010-3595; classtype:attempted-user; sid:19305; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle EasyMail ActiveX clsid access"; flow:to_client,established; file_data; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ImportBodyText|ImportBodyTextEx|ImportBodyAlternative)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(ImportBodyText|ImportBodyTextEx|ImportBodyAlternative))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45849; reference:cve,2010-3595; classtype:attempted-user; sid:19304; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access"; flow:to_client,established; file_data; content:"XMLSecDB.DIParser"; fast_pattern:only; content:"SetXml"; content:"Save"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46539; reference:cve,2011-1036; classtype:attempted-user; sid:19198; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX clsid access"; flow:to_client,established; file_data; content:"F9864037-A609-4AE2-9022-BDC0198BDECF"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F9864037-A609-4AE2-9022-BDC0198BDECF\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetXml|Save)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F9864037-A609-4AE2-9022-BDC0198BDECF\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetXml|Save))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46539; reference:cve,2011-1036; classtype:attempted-user; sid:19197; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Document Capture ActiveX function call access"; flow:to_client,established; file_data; content:"NCSECWLib.NCSRenderer"; fast_pattern:only; content:"Sub WriteJPG"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45856; reference:cve,2010-3599; classtype:attempted-user; sid:19195; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Document Capture ActiveX function call access"; flow:to_client,established; file_data; content:"NCSECWLib.NCSRenderer"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22NCSECWLib\.NCSRenderer(\.\d)?\x22|\x27NCSECWLib\.NCSRenderer(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*WriteJPG\s*|.*(?P=v)\s*\.\s*WriteJPG\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCSECWLib\.NCSRenderer(\.\d)?\x22|\x27NCSECWLib\.NCSRenderer(\.\d)?\x27)\s*\)(\s*\.\s*WriteJPG\s*|.*(?P=n)\s*\.\s*WriteJPG\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45856; reference:cve,2010-3599; classtype:attempted-user; sid:19194; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Document Capture ActiveX clsid access"; flow:to_client,established; file_data; content:"D63891F1-E026-11D3-A6C3-005004055C6C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D63891F1-E026-11D3-A6C3-005004055C6C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(WriteJPG)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D63891F1-E026-11D3-A6C3-005004055C6C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(WriteJPG))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45856; reference:cve,2010-3599; classtype:attempted-user; sid:19193; rev:12;) # alert tcp $EXTERNAL_NET [$HTTP_PORTS,2000] -> $HOME_NET any (msg:"BROWSER-PLUGINS Trend Micro HouseCall ActiveX function call access"; flow:to_client,established; file_data; content:".extSetOwner"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3189; classtype:attempted-user; sid:19152; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Trend Micro HouseCall ActiveX clsid access"; flow:to_client,established; file_data; content:"15dbc3f9-9f0a-472e-8061-043d9cec52f0"; fast_pattern:only; content:".extSetOwner"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3189; classtype:attempted-user; sid:19151; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SonicWall Aventail EPInstaller ActiveX function call access"; flow:to_client,established; file_data; content:"Aventail.EPInstaller"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Aventail\.EPInstaller(\.\d)?\x22|\x27Aventail\.EPInstaller(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(AuthCredential|ConfigurationString)\s*|.*(?P=v)\s*\.\s*(AuthCredential|ConfigurationString)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aventail\.EPInstaller(\.\d)?\x22|\x27Aventail\.EPInstaller(\.\d)?\x27)\s*\)(\s*\.\s*(AuthCredential|ConfigurationString)\s*|.*(?P=n)\s*\.\s*(AuthCredential|ConfigurationString)\s*)/smiO"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:19109; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SonicWall Aventail EPInstaller ActiveX clsid access"; flow:to_client,established; file_data; content:"A7BC4157-A8EC-488F-9808-C63E2ACB0996"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A7BC4157-A8EC-488F-9808-C63E2ACB0996\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AuthCredential|ConfigurationString)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A7BC4157-A8EC-488F-9808-C63E2ACB0996\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(AuthCredential|ConfigurationString))/siO"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:19108; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec CLIProxy.dll ActiveX function call access"; flow:to_client,established; file_data; content:"cliproxy.objects"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22cliproxy\.objects(\.\d)?\x22|\x27cliproxy\.objects(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetRemoteComputerName\s*|.*(?P=v)\s*\.\s*SetRemoteComputerName\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject.*(\x22cliproxy\.objects(\.\d)?\x22|\x27cliproxy\.objects(\.\d)?\x27)\s*\)(\s*\.\s*SetRemoteComputerName\s*|.*(?P=n)\s*\.\s*SetRemoteComputerName\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38222; reference:cve,2010-0108; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02; classtype:attempted-user; sid:19103; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec CLIProxy.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"E381F1C0-910E-11D1-AB1E-00A0C90F8F6F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E381F1C0-910E-11D1-AB1E-00A0C90F8F6F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetRemoteComputerName)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E381F1C0-910E-11D1-AB1E-00A0C90F8F6F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetRemoteComputerName))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38222; reference:cve,2010-0108; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02; classtype:attempted-user; sid:19102; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LEADTOOLS Raster Twain LtocxTwainu.dll ActiveX function call"; flow:to_client,established; file_data; content:"LEADRasterTwain.LEADRasterTwain"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42823; classtype:attempted-user; sid:19086; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS LEADTOOLS Raster Twain LtocxTwainu.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42823; classtype:attempted-user; sid:19085; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SAP Crystal Reports PrintControl.dll ActiveX function call access"; flow:to_client,established; file_data; content:"CrystalReports12.CrystalPrintControl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22CrystalReports12\.CrystalPrintControl(\.\d)?\x22|\x27CrystalReports12\.CrystalPrintControl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ServerResourceVersion\s*|.*(?P=v)\s*\.\s*ServerResourceVersion\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CrystalReports12\.CrystalPrintControl(\.\d)?\x22|\x27CrystalReports12\.CrystalPrintControl(\.\d)?\x27)\s*\)(\s*\.\s*ServerResourceVersion\s*|.*(?P=n)\s*\.\s*ServerResourceVersion)\s*=/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45387; reference:cve,2010-2590; classtype:attempted-user; sid:18975; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SAP Crystal Reports PrintControl.dll ActiveX function call attempt"; flow:to_client,established; file_data; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; fast_pattern:only; content:".ServerResourceVersion"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45387; reference:cve,2010-2590; classtype:attempted-user; sid:18974; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Messenger ActiveX clsid access"; flow:established,to_client; file_data; content:"FB7199AB-79BF-11D2-8D94-0000F875C541"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FB7199AB-79BF-11D2-8D94-0000F875C541\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchIMUI)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FB7199AB-79BF-11D2-8D94-0000F875C541\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchIMUI))/siO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18668; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"path|20 3D 20|theForm|2E|address|2E|value|3B|"; content:"ctrl|2E|Open|28|path|29 3B|"; distance:0; content:"classid|3D 27|clsid|3A|B09DE715|2D|87C1|2D|11D1|2D|8BE3|2D|0000F8754DA1|27 20|id|3D 27|ctrl|27|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32613; reference:cve,2008-4255; classtype:attempted-user; sid:18601; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Trend Micro Web Deployment ActiveX clsid access"; flow:to_client,established; file_data; content:"5EFE8CB1-D095-11D1-88FC-0080C859833B"; nocase; content:"AAAAAAAAAAAA"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30407; reference:cve,2008-3364; classtype:attempted-user; sid:18595; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Trend Micro Web Deployment ActiveX clsid access"; flow:to_client,established; file_data; content:"5EFE8CB1-D095-11D1-88FC-0080C859833B"; nocase; content:"unescape|28|"; distance:0; nocase; content:"%u"; within:50; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30407; reference:cve,2008-3364; classtype:attempted-user; sid:18594; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Music Jukebox ActiveX exploit"; flow:to_client,established; file_data; content:"5F810AFC-BB5F-4416-BE63-E01DD117BD6C"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27579; reference:cve,2008-0625; classtype:attempted-user; sid:18592; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL cdda URI overflow attempt"; flow:to_client,established; file_data; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; fast_pattern:only; content:"cdda|3A 2F 2F|"; nocase; isdataat:100,relative; pcre:"/cdda\x3A\x2F\x2F[^\s\x22\x27]{100}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44144; reference:cve,2010-3747; classtype:attempted-user; sid:18578; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; nocase; content:"poc|2E|avi"; fast_pattern:only; content:"event|3D 22|playStateChange|28|foo|29 22 3E|boom"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:18542; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"ReleaseContext"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18329; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"name=|22|docbase|22| value=|22 27| + "; nocase; content:"sBoF"; within:20; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,attack.mitre.org/techniques/T1176; classtype:attempted-user; sid:18245; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"AddContextRef"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\)/smiO"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18242; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access"; flow:established,to_client; file_data; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45546; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18241; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt"; flow:to_client,established; file_data; content:"Pkmaxctl.VocabCtl"; nocase; content:"Pkmaxctl.VocabCtl"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3340; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-090; classtype:attempted-user; sid:18199; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt"; flow:to_client,established; file_data; content:"0E92978A-036B-4353-AFE1-7A8F2129C6C3"; nocase; content:"Pkmaxctl.VocabCtl"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3340; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-090; classtype:attempted-user; sid:18198; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt"; flow:to_client,established; file_data; content:"0E92978A-036B-4353-AFE1-7A8F2129C6C3"; nocase; content:"0E92978A-036B-4353-AFE1-7A8F2129C6C3"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3340; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-090; classtype:attempted-user; sid:18197; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare Remote Console format string code execution attempt"; flow:to_client,established; file_data; content:"B94C2238-346E-4C5E-9B36-8CC627F35574"; fast_pattern:only; content:"connect"; pcre:"/^\s*\x28.*\x22.*\x25\w.*\x22.*\x29/siOR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-3732; classtype:attempted-user; sid:18097; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access"; flow:to_client,established; file_data; content:"AE24FDAE-03C6-11D1-8B76-0080C744F389"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3331; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17772; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Office Viewer ActiveX arbitrary command execution attempt"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5"; nocase; content:"targetObject.OpenWebFile|28|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:17701; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX function call access"; flow:to_client,established; file_data; content:"SAPBExCommonResources.BExGlobal"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Execute\s*|.*(?P=v)\s*\.\s*Execute\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\)(\s*\.\s*Execute\s*|.*(?P=n)\s*\.\s*Execute\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17616; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX clsid access"; flow:to_client,established; file_data; content:"A009C90D-814B-11D3-BA3E-080009D22344"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Execute)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Execute))/siO"; metadata:policy max-detect-ips drop, service http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17614; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft ciodm.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17596; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Install Engine ActiveX clsid access"; flow:to_client,established; file_data; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E449683-C509-11CF-AAFA-00AA00B6015C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(BaseUrl|SetCifFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E449683-C509-11CF-AAFA-00AA00B6015C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(BaseUrl|SetCifFile))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,11366; reference:cve,2004-0216; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-038; classtype:attempted-user; sid:17588; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Adobe Multiple Product AcroPDF.PDF ActiveX exploit attempt"; flow:to_client,established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; content:"onClick=|22|checkversion|28|fn.value|29 22|"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12989; reference:bugtraq,21155; reference:cve,2005-0035; reference:cve,2006-6027; reference:url,www.adobe.com/support/security/advisories/apsa06-02.html; classtype:attempted-user; sid:17587; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton AntiVirus CcErrDisp ActiveX function call access"; flow:to_client,established; file_data; content:"CcErrDsp.ErrorDisplay"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22CcErrDsp\.ErrorDisplay(\.\d)?\x22|\x27CcErrDsp\.ErrorDisplay(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DisplayError\s*|.*(?P=v)\s*\.\s*DisplayError\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CcErrDsp\.ErrorDisplay(\.\d)?\x22|\x27CcErrDsp\.ErrorDisplay(\.\d)?\x27)\s*\)(\s*\.\s*DisplayError\s*|.*(?P=n)\s*\.\s*DisplayError\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12175; classtype:attempted-user; sid:17582; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM SizerOne ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"24E04EBF-014D-471F-930E-7654B1193BA9"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33148; reference:cve,2008-4827; reference:cve,2012-5946; classtype:attempted-user; sid:17575; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS obfuscated instantiation of ActiveX object - likely malicious"; flow:to_client,established; file_data; content:"new ActiveXObject|28|"; nocase; content:"unescape|28|"; within:20; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2008-3558; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:17571; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell iPrint ActiveX operation parameter overflow"; flow:to_client,established; file_data; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; fast_pattern:only; pcre:"/]*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c\s*}?\s*(?P=q1)(\s|>).*?]+?value\s*=\s*[^\s][^\x22\x27\s]{512}/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27939; reference:bugtraq,29736; reference:bugtraq,30813; reference:bugtraq,30986; reference:cve,2008-0935; reference:cve,2008-2431; reference:cve,2008-2432; reference:cve,2008-2908; reference:url,secunia.com/advisories/40782; reference:url,support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html; classtype:attempted-user; sid:17557; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX exploit attempt"; flow:to_client,established; content:"E9880553-B8A7-4960-A668-95C68BED571E"; fast_pattern:only; content:"unescape|28 27 25 75 34|"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:17555; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Lotus Domino Web Access ActiveX Controls buffer overflow attempt"; flow:to_client,established; file_data; isdataat:1024; content:"ctrl.InstallBrowserHelperDll"; nocase; content:"General_ServerName"; nocase; content:!">"; within:1024; pcre:"/(3BFFE033-BF43-11d5-A271-00A024A51325|iNotes6\.iNotes6|E008A543-CEFB-4559-912F-C27C2B89F13B|dwa7\.dwa7|983A9C21-8207-4B58-BBB8-0EBC3D7C5505|dwa85?\.dwa85?|75AA409D-05F9-4f27-BD53-C7339D4B1D0A)/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38457; reference:cve,2010-0919; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21421808; classtype:attempted-user; sid:17545; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus Domino Web Access 7 ActiveX exploit attempt"; flow:to_client,established; file_data; content:"E008A543-CEFB-4559-912F-C27C2B89F13B"; fast_pattern:only; content:"unescape|28 27 25 75 34|"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26972; reference:cve,2007-4474; reference:cve,2010-0919; classtype:attempted-user; sid:17466; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; fast_pattern:only; content:"Import"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26130; reference:bugtraq,30379; reference:cve,2007-5601; reference:cve,2008-3066; classtype:attempted-user; sid:17425; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Liquid XML Studio ActiveX function call access"; flow:to_client,established; file_data; content:"LtXmlComHelp8.UnicodeFile"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22LtXmlComHelp8\.UnicodeFile(\.\d)?\x22|\x27LtXmlComHelp8\.UnicodeFile(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenFile\s*|.*(?P=v)\s*\.\s*OpenFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LtXmlComHelp8\.UnicodeFile(\.\d)?\x22|\x27LtXmlComHelp8\.UnicodeFile(\.\d)?\x27)\s*\)(\s*\.\s*OpenFile\s*|.*(?P=n)\s*\.\s*OpenFile\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:url,secunia.com/advisories/38974; classtype:attempted-user; sid:17163; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access"; flow:to_client,established; file_data; content:"E68E401C-7DB0-4F3A-88E1-159882468A79"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E68E401C-7DB0-4F3A-88E1-159882468A79\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(OpenFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E68E401C-7DB0-4F3A-88E1-159882468A79\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(OpenFile))/siO"; metadata:policy max-detect-ips drop, service http; reference:url,secunia.com/advisories/38974; classtype:attempted-user; sid:17161; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX OpenFile buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|E68E401C-7DB0-4F3A-88E1-159882468A79|27|"; content:"defer>"; within:100; content:".OpenFile("; distance:0; metadata:policy max-detect-ips drop, service http; reference:url,secunia.com/advisories/38974; classtype:attempted-user; sid:17160; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX function call access"; flow:to_client,established; file_data; content:"Altiris.AeXNSPkgDL"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=v)\s*\.\s*(Download|DownloadAndInstall)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=n)\s*\.\s*(Download|DownloadAndInstall)\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17094; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Download|DownloadAndInstall)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Download|DownloadAndInstall))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17092; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"3356DB7C-58A7-11D4-AA5C-006097314BF8"; fast_pattern:only; pcre:"/(installAppMgr|upgradeAsNeeded)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33247; reference:cve,2008-4388; classtype:attempted-user; sid:17051; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Access multiple control instantiation memory corruption attempt"; flow:to_client,established; file_data; content:"4D2F086C-6EA3-101B-A18A-00AA00446E07"; nocase; content:"53230327-172B-11D0-AD40-00A0C90DC8D9"; distance:0; nocase; content:"6BC0989F-0CE6-11D1-BAAE-00C04FC2E20D"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0814; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-044; classtype:attempted-user; sid:17037; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EMC Captiva QuickScan Pro ActiveX clsid access"; flow:to_client,established; file_data; content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(JumpURL|JumpMappedID)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(JumpURL|JumpMappedID))\s*\(/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,36546; reference:cve,2012-2515; classtype:attempted-user; sid:16772; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Access Support ActiveX clsid access"; flow:to_client,established; file_data; content:"74FFE28D-2378-11D5-990C-006094235084"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetXMLValue)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetXMLValue))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34228; reference:cve,2009-0215; classtype:attempted-user; sid:16746; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CA BrightStor ListCtrl ActiveX control access"; flow:to_client,established; file_data; content:"classid|3D 22|clsid|3A|BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28268; reference:cve,2008-1472; classtype:attempted-user; sid:16675; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Backup Exec ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"clsid|3A|22ACD16F-99EB-11D2-9BB3-00400561D975"; fast_pattern:only; content:"unescape|28|"; content:"|25|u"; within:5; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26904; reference:cve,2007-6016; classtype:attempted-user; sid:16672; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus Domino Web Access ActiveX exploit attempt"; flow:to_client,established; file_data; content:"classid=|27|clsid|3A|E008A543-CEFB-4559-912F-C27C2B89F13B|27|"; fast_pattern:only; content:"classid=|27|clsid|3A|3BFFE033-BF43-11D5-A271-00A024A51325|27|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26972; reference:cve,2007-4474; reference:cve,2010-0919; classtype:attempted-user; sid:16671; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access"; flow:to_client,established; file_data; content:"8fe85d00-4647-40b9-87e4-5eb8a52f4759"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0811; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-034; classtype:attempted-user; sid:16635; rev:13;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX function call access"; flow:to_server,established; file_data; content:"LPViewer.LPViewer.1"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]\s*?LPViewer\.LPViewer\.1/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16589; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS obfuscated ActiveX object instantiation via fromCharCode"; flow:to_client,established; file_data; content:"ActiveXObject|28|"; nocase; content:"String.fromCharCode|28|"; fast_pattern; nocase; pcre:"/new\s*ActiveXObject\(\s*String\.fromCharCode\(/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,msdn.microsoft.com/en-us/library/7sw4ddf8(VS.85).aspx; classtype:attempted-user; sid:16574; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; nocase; content:"SendPlayStateChangeEvents"; fast_pattern:only; content:"event=|22|playStateChange|28|state|29 22|>onstatechange"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:16537; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by ProgID"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"TDCCtl.TDCCtl"; distance:0; fast_pattern; nocase; content:"DataURL"; nocase; pcre:"/(?P[A-Z\d_]+)\s*=\s*new\s*ActiveXObject\x28(?P\x22|\x27|)TDCCtl\.TDCCtl(\.\d)?(?P=q1).*?(?P=obj)\.DataURL\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16511; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by CLSID"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83"; fast_pattern:only; content:"DataURL"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16510; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Script Host Shell Object ActiveX clsid access"; flow:to_client,established; file_data; content:"72C24DD5-D70A-438B-8A42-98424B88AFB8"; nocase; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/11457; classtype:attempted-user; sid:16424; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Data Analyzer 3.5 ActiveX clsid access"; flow:to_client,established; file_data; content:"E0ECA9C3-D669-4EF4-8231-00724ED9288F"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E0ECA9C3-D669-4EF4-8231-00724ED9288F\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-008; classtype:attempted-user; sid:16419; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NOS Microsystems Adobe atl_getcom ActiveX clsid access"; flow:to_client,established; file_data; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7\s*}?\s*(?P=q1)(\s|>)/siO"; content:"]+name\s*=\s*(?P\x22|\x27|)\s*(Service-Url|ItemID|Language)\s*(?P=q2)\s+value\s*=\s*[\x22\x27]?[^\x22\x27\s]{200}/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,37759; reference:cve,2009-3958; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; classtype:attempted-user; sid:16371; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Core XML core services XMLHTTP control open method code execution attempt"; flow:to_client,established; file_data; content:"var xmlhttp=new ActiveXObject|28 22|Msxml2.XMLHTTP.4.0|22 29|"; content:"try{ xmlhttp.open|28 22 5C|0t|22|, |22|test.html|22 29 3B| } catch|28|e|29| {}|3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20915; reference:cve,2006-5745; classtype:attempted-user; sid:16090; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access"; flow:to_client,established; file_data; content:"MsRDP.MsRDP"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=v)\s*\.\s*MsRdpClientShell\.RdpFileContents\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=n)\s*\.\s*MsRdpClientShell\.RdpFileContents)\s*=/smiO"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1929; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15863; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access"; flow:to_client,established; file_data; content:"4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(MsRdpClientShell\.RdpFileContents)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(MsRdpClientShell\.RdpFileContents))\s*=/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1929; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15861; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Web Components Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E512-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E512-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(htmlurl)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E512-0000-0000-C000-000000000046\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(htmlurl))\s*=/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1534; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15858; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E541-0000-0000-C000-000000000046"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E541-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15685; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 7 ActiveX clsid access"; flow:to_client,established; file_data; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15672; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 6 ActiveX clsid access"; flow:to_client,established; file_data; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35558; reference:cve,2008-0015; reference:cve,2009-0901; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-060; classtype:attempted-user; sid:15670; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Video 32 ActiveX clsid access"; flow:to_client,established; file_data; content:"B0EDF163-910A-11D2-B632-00C04F79498E"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B0EDF163-910A-11D2-B632-00C04F79498E\s*}?\s*(?P=q9)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0015; reference:cve,2009-2493; reference:cve,2009-2494; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-060; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:15638; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Research In Motion AxLoader ActiveX clsid access"; flow:to_client,established; file_data; content:"4788DE08-3552-49EA-AC8C-233DA52523B9"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4788DE08-3552-49EA-AC8C-233DA52523B9\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33663; reference:cve,2009-0305; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15311; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies Barcode.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"14D09688-CFA7-11D5-995A-005004CE563B"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33451; reference:cve,2008-4924; reference:cve,2009-0298; classtype:attempted-user; sid:15266; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AXIS Camera ActiveX clsid access"; flow:to_client,established; file_data; content:"917623D1-D8E5-11D2-BE8B-00104B06BDE3"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*917623D1-D8E5-11D2-BE8B-00104B06BDE3\s*}?\s*(?P=q1)(\s|>)/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33408; reference:cve,2008-5260; classtype:attempted-user; sid:15243; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Viewer 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F288F2"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q24)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q25)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m12)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open))\s*\(/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:15230; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SizerOne ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2315B059-EDD7-4C66-933C-ECFF5B9DD593"; fast_pattern:only; content:"AddTab"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33148; reference:cve,2008-4827; classtype:attempted-user; sid:15192; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Shell.Explorer 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"8856F961-340A-11D0-A96B-00C04FD705A2"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8856F961-340A-11D0-A96B-00C04FD705A2\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Navigate|Navigate2)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8856F961-340A-11D0-A96B-00C04FD705A2\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Navigate|Navigate2))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,11466; reference:cve,2005-0053; reference:cve,2008-4258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-073; classtype:attempted-user; sid:15122; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"classid="; content:"0ECD9B64-23AA-11D0-B351-00A0C9055D8E"; within:200; fast_pattern; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15100; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSFlexGridLib.MSFlexGrid"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FormatString\s*|.*(?P=v)\s*\.\s*FormatString\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*FormatString\s*|.*(?P=n)\s*\.\s*FormatString)\s*=/smiO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15098; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service Agent ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"5b7524c8-2446-40e9-9474-94a779dba224"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5b7524c8-2446-40e9-9474-94a779dba224\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(ExecuteRemote)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5b7524c8-2446-40e9-9474-94a779dba224\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(ExecuteRemote))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14764; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX clsid access"; flow:to_client,established; file_data; content:"3F0EECCE-E138-11D1-8712-0060083D83F5"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?3F0EECCE-E138-11D1-8712-0060083D83F5/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:14760; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX clsid access"; flow:to_client,established; file_data; content:"FC13BAA2-9C1A-4069-A221-31A147636038"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(Connect)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\.(Connect))/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31129; reference:cve,2008-4110; classtype:attempted-user; sid:14756; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Autodesk LiveUpdate ActiveX clsid access"; flow:to_client,established; file_data; content:"89EC7921-729B-4116-A819-DF86A4A5776B"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(ApplyPatch)|]*\s*classid\s*=\s*(?P\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|\x27|\x26\x23039\x3b|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(ApplyPatch))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31490; reference:cve,2008-4472; classtype:attempted-user; sid:14748; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare VMCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"38DB77F9-058D-4955-98AA-4A9F3B6A5B06"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GuestInfo)|]*\s*classid\s*=\s*(?P\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|\x26\x23039\x3b|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(GuestInfo))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30934; reference:cve,2008-3892; classtype:attempted-user; sid:14611; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"A8D3AD02-7508-4004-B2E9-AD33F087F43C"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?A8D3AD02-7508-4004-B2E9-AD33F087F43C/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,31065; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14255; rev:14;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Novell iPrint ActiveX function call access"; flow:to_server,established; file_data; content:"ienipp.Novell iPrint Control"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,29736; reference:cve,2008-0935; reference:cve,2008-2431; reference:cve,2008-2436; reference:cve,2008-2908; reference:cve,2009-1568; reference:cve,2009-1569; reference:cve,2010-1527; reference:cve,2010-3106; reference:cve,2010-4319; reference:cve,2010-4321; reference:cve,2011-4185; reference:url,support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html; classtype:attempted-user; sid:14038; rev:18;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Novell iPrint ActiveX clsid access"; flow:to_server,established; file_data; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,29736; reference:cve,2008-0935; reference:cve,2008-2431; reference:cve,2008-2436; reference:cve,2008-2908; reference:cve,2009-1568; reference:cve,2009-1569; reference:cve,2010-1527; reference:cve,2010-3106; reference:cve,2010-4319; reference:cve,2010-4321; reference:cve,2011-4185; reference:url,support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html; classtype:attempted-user; sid:14037; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Orbit Downloader ActiveX function call access"; flow:to_client,established; file_data; content:"Orbitmxt.Orbit"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Orbitmxt\.Orbit\x22|\x27Orbitmxt\.Orbit\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Download\s*|.*(?P=v)\s*\.\s*Download\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Orbitmxt\.Orbit\x22|\x27Orbitmxt\.Orbit\x27)\s*\)(\s*\.\s*Download\s*|.*(?P=n)\s*\.\s*Download\s*)\s*\(/smiO"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-1602; classtype:attempted-user; sid:14035; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Orbit Downloader ActiveX clsid access"; flow:to_client,established; file_data; content:"3F1D494B-0CEF-4468-96C9-386E2E4DEC90"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3F1D494B-0CEF-4468-96C9-386E2E4DEC90\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Download)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3F1D494B-0CEF-4468-96C9-386E2E4DEC90\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Download))\s*\(/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-1602; classtype:attempted-user; sid:14033; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Computer Associates gui_cm_ctrls ActiveX clsid access"; flow:to_client,established; file_data; content:"E6239EB3-E0B0-46DA-A215-CFA9B3B740C5"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetColumnLabel)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetColumnLabel))\s*\(/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-1786; classtype:attempted-user; sid:14025; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX clsid access"; flow:to_client,established; file_data; content:"C932BA85-4374-101B-A56C-00AA003668DC"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?C932BA85-4374-101B-A56C-00AA003668DC/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30674; reference:cve,2008-3704; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:14021; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX function call access"; flow:to_client,established; file_data; content:"WebexUCFObject.WebexUCFObject"; fast_pattern:only; pcre:"/ActiveXObject\(\s*?[\x22\x27]?\s*?WebexUCFObject\.WebexUCFObject/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30578; reference:cve,2008-3558; reference:url,www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml; classtype:attempted-user; sid:14015; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX clsid access"; flow:to_client,established; file_data; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; fast_pattern:only; pcre:"/]*?classid\s*?=\s*?[\x22\x27]?\s*?clsid\s*?\x3a\s*?{?\s*?32E26FD9-F435-4A20-A561-35D4B987CFDC/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30578; reference:cve,2008-3558; reference:url,www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml; classtype:attempted-user; sid:14013; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AcroPDF.PDF ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"AcroPDF.PDF"; fast_pattern:only; pcre:"/(execCommand|LoadFile|src|setLayoutMode|setNamedDest|setPageMode)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12989; reference:bugtraq,21155; reference:bugtraq,21338; reference:cve,2005-0035; reference:cve,2006-6027; reference:cve,2006-6236; reference:url,adobe.com/support/security/advisories/apsa06-02.html; reference:url,adobe.com/support/techdocs/331465.html; classtype:attempted-user; sid:13913; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; content:"SnapshotPath"; content:"CompressedPath"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:13905; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP eSupportDiagnostics 10 ActiveX clsid access"; flow:to_client,established; file_data; content:"93441C07-E57E-4086-B912-F323D741A9D8"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*93441C07-E57E-4086-B912-F323D741A9D8\s*}?\s*(?P=q4)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13734; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"314111c6-a502-11d2-bbca-00c04f8ec294"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111c6-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13672; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CA BrightStor ListCtrl ActiveX clsid access"; flow:to_client,established; file_data; content:"BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddColumn)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddColumn))\s*\(/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28268; reference:cve,2008-1472; classtype:attempted-user; sid:13621; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Download Handler ActiveX function call access"; flow:to_client,established; file_data; content:"rmocx.RealPlayer Download Handler"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*Download\s*Handler(\.\d)?\x22|\x27rmocx\.RealPlayer\s*Download\s*Handler(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*Download\s*Handler(\.\d)?\x22|\x27rmocx\.RealPlayer\s*Download\s*Handler(\.\d)?\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:13603; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Backup Exec ActiveX clsid access"; flow:to_client,established; file_data; content:"22acd16f-99eb-11d2-9bb3-00400561d975"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26904; reference:cve,2007-6016; reference:url,www.symantec.com/avcenter/security/Content/2008.02.28.html; classtype:attempted-user; sid:13539; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell iPrint ActiveX function call access"; flow:to_client,established; file_data; content:"ienipp.Novell iPrint Control"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,29736; reference:cve,2008-0935; reference:cve,2008-2431; reference:cve,2008-2436; reference:cve,2008-2908; reference:cve,2009-1568; reference:cve,2009-1569; reference:cve,2010-1527; reference:cve,2010-3106; reference:cve,2010-4319; reference:cve,2010-4321; reference:cve,2011-4185; reference:url,support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html; classtype:attempted-user; sid:13525; rev:26;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell iPrint ActiveX clsid access"; flow:to_client,established; file_data; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,29736; reference:cve,2008-0935; reference:cve,2008-2431; reference:cve,2008-2436; reference:cve,2008-2908; reference:cve,2008-5231; reference:cve,2009-1568; reference:cve,2009-1569; reference:cve,2010-1527; reference:cve,2010-3106; reference:cve,2010-4319; reference:cve,2010-4321; reference:cve,2011-4185; reference:cve,2013-1091; reference:url,support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html; classtype:attempted-user; sid:13523; rev:30;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"4C599241-6926-101B-9992-00000B65C6F9"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4C599241-6926-101B-9992-00000B65C6F9\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13457; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX clsid access"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13419; rev:21;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Package and Deployment Wizard ActiveX clsid access"; flow:to_client,established; file_data; content:"0DDF3BD2-E692-11D1-AB06-00AA00BDD685"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0DDF3BD2-E692-11D1-AB06-00AA00BDD685\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25295; reference:cve,2007-3041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-045; classtype:attempted-user; sid:13321; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual FoxPro 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"008B6010-1F3D-11D1-B0C8-00A0C9055D74"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*008B6010-1F3D-11D1-B0C8-00A0C9055D74\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoCmd)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*008B6010-1F3D-11D1-B0C8-00A0C9055D74\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoCmd))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27205; reference:cve,2008-0236; classtype:attempted-user; sid:13303; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Rich TextBox ActiveX clsid access"; flow:to_client,established; file_data; content:"3B7C8860-D78F-101B-B9B5-04021C009402"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B7C8860-D78F-101B-B9B5-04021C009402\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(SaveFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B7C8860-D78F-101B-B9B5-04021C009402\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveFile))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27201; reference:cve,2008-0237; classtype:attempted-user; sid:13296; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Rich TextBox ActiveX clsid access"; flow:to_client,established; file_data; content:"B617B991-A767-4F05-99BA-AC6FCABB102E"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B617B991-A767-4F05-99BA-AC6FCABB102E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B617B991-A767-4F05-99BA-AC6FCABB102E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveFile))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27201; reference:cve,2008-0237; classtype:attempted-user; sid:13294; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus Domino Web Access 7 ActiveX function call access"; flow:to_client,established; file_data; content:"dwa7.dwa7"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22dwa7\.dwa7\x22|\x27dwa7\.dwa7\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*InstallBrowserHelperDll\s*|.*(?P=v)\s*\.\s*InstallBrowserHelperDll\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22dwa7\.dwa7\x22|\x27dwa7\.dwa7\x27)\s*\)(\s*\.\s*InstallBrowserHelperDll\s*|.*(?P=n)\s*\.\s*InstallBrowserHelperDll\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26972; reference:cve,2007-4474; reference:cve,2010-0919; classtype:attempted-user; sid:13264; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus Domino Web Access 7 ActiveX clsid access"; flow:to_client,established; file_data; content:"E008A543-CEFB-4559-912F-C27C2B89F13B"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E008A543-CEFB-4559-912F-C27C2B89F13B\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(InstallBrowserHelperDll)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E008A543-CEFB-4559-912F-C27C2B89F13B\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(InstallBrowserHelperDll))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26972; reference:cve,2007-4474; reference:cve,2010-0919; classtype:attempted-user; sid:13262; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus Domino Web Access 6 ActiveX function call access"; flow:to_client,established; file_data; content:"iNotes6.iNotes6"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22iNotes6\.iNotes6\x22|\x27iNotes6\.iNotes6\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*InstallBrowserHelperDll\s*|.*(?P=v)\s*\.\s*InstallBrowserHelperDll\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iNotes6\.iNotes6\x22|\x27iNotes6\.iNotes6\x27)\s*\)(\s*\.\s*InstallBrowserHelperDll\s*|.*(?P=n)\s*\.\s*InstallBrowserHelperDll\s*)\s*\(/Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26972; reference:cve,2007-4474; reference:cve,2010-0919; classtype:attempted-user; sid:13260; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus Domino Web Access 6 ActiveX clsid access"; flow:to_client,established; file_data; content:"3BFFE033-BF43-11D5-A271-00A024A51325"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3BFFE033-BF43-11D5-A271-00A024A51325\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(InstallBrowserHelperDll)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3BFFE033-BF43-11D5-A271-00A024A51325\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(InstallBrowserHelperDll))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26972; reference:cve,2007-4474; reference:cve,2010-0919; classtype:attempted-user; sid:13258; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Toolbar YShortcut ActiveX clsid access"; flow:to_client,established; file_data; content:"67CE97C5-ABE6-429A-B6BD-3BD1333A0825"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67CE97C5-ABE6-429A-B6BD-3BD1333A0825\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(IsTaggedBM)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67CE97C5-ABE6-429A-B6BD-3BD1333A0825\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(IsTaggedBM))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26956; reference:cve,2007-6535; classtype:attempted-user; sid:13224; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Software Update RulesEngine.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"7CB9D4F5-C492-42A4-93B1-3F7D6946470D"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7CB9D4F5-C492-42A4-93B1-3F7D6946470D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile|LoadFromFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7CB9D4F5-C492-42A4-93B1-3F7D6946470D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveToFile|LoadFromFile))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26950; reference:cve,2007-6506; classtype:attempted-user; sid:13219; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows obfuscated RDS.Dataspace ActiveX exploit attempt"; flow:to_client,established; file_data; content:"00C04FC29E36|7C|983A|7C|11D0|7C|65A3|7C 7C|BD96C556|7C 7C|clsid"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17462; reference:cve,2006-0003; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-014; classtype:attempted-user; sid:12770; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL ActiveX function call access"; flow:to_client,established; file_data; content:"rmocx.RealPlayer G2 Control"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*G2\s*Control(\.\d)?\x22|\x27rmocx\.RealPlayer\s*G2\s*Control(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(ParseWallClock|GetSourceTransport|DoPlay)\s*|.*(?P=v)\s*\.\s*(ParseWallClock|GetSourceTransport|DoPlay)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*G2\s*Control(\.\d)?\x22|\x27rmocx\.RealPlayer\s*G2\s*Control(\.\d)?\x27)\s*\)(\s*\.\s*(ParseWallClock|GetSourceTransport|DoPlay)\s*|.*(?P=n)\s*\.\s*(ParseWallClock|GetSourceTransport|DoPlay)\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24658; reference:bugtraq,26660; reference:bugtraq,28157; reference:bugtraq,44144; reference:cve,2007-3410; reference:cve,2007-6224; reference:cve,2008-1309; reference:cve,2010-3747; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12767; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL ActiveX clsid access"; flow:to_client,established; file_data; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ParseWallClock|GetSourceTransport|DoPlay)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(ParseWallClock|GetSourceTransport|DoPlay))/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24658; reference:bugtraq,26660; reference:bugtraq,28157; reference:bugtraq,44144; reference:cve,2007-3410; reference:cve,2007-6224; reference:cve,2008-1309; reference:cve,2010-3747; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12766; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AOL Radio AmpX ActiveX clsid access"; flow:to_client,established; file_data; content:"B49C4597-8721-4789-9250-315DFBD9F525"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B49C4597-8721-4789-9250-315DFBD9F525\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetMetadata)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B49C4597-8721-4789-9250-315DFBD9F525\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetMetadata))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26396; reference:cve,2007-5755; classtype:attempted-user; sid:12729; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows MFC Library ActiveX function call access"; flow:to_client,established; file_data; content:"HpqUtil.System"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22HpqUtil\.System(\.\d)?\x22|\x27HpqUtil\.System(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(FindFile|ListFiles)\s*|.*(?P=v)\s*\.\s*(FindFile|ListFiles)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HpqUtil\.System(\.\d)?\x22|\x27HpqUtil\.System(\.\d)?\x27)\s*\)(\s*\.\s*(FindFile|ListFiles)\s*|.*(?P=n)\s*\.\s*(FindFile|ListFiles)\s*)\s*\(/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25697; reference:cve,2007-4916; classtype:attempted-user; sid:12614; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Java Web Start ActiveX clsid access"; flow:to_client,established; file_data; content:"5852F5ED-8BF4-11D4-A245-0080C6F74284"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5852F5ED-8BF4-11D4-A245-0080C6F74284\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(dnsResolve)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5852F5ED-8BF4-11D4-A245-0080C6F74284\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(dnsResolve))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25734; reference:cve,2007-5019; classtype:attempted-user; sid:12472; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"0DDF3C0B-E692-11D1-AB06-00AA00BDD685"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0DDF3C0B-E692-11D1-AB06-00AA00BDD685\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(StartProcess)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0DDF3C0B-E692-11D1-AB06-00AA00BDD685\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(StartProcess))/siO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25638; reference:cve,2007-4891; classtype:attempted-user; sid:12459; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Agent Control ActiveX clsid access"; flow:to_client,established; file_data; content:"D45FD31B-5C6E-11D1-9EC1-00C04FD7081F"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31B-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Characters\.Load)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31B-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(Characters\.Load))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25566; reference:cve,2007-1205; reference:cve,2007-3040; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-051; classtype:attempted-user; sid:12448; rev:19;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic 6 TLIApplication ActiveX clsid access"; flow:to_client,established; file_data; content:"8B21775E-717D-11CE-AB5B-D41203C10000"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12269; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FAF02D9B-963D-43D8-91A6-E71383503FDA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:12250; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS VMWare Vielib.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"7B9C5422-39AA-4C21-BEEF-645E42EB4529"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7B9C5422-39AA-4C21-BEEF-645E42EB4529\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(StartProcess)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7B9C5422-39AA-4C21-BEEF-645E42EB4529\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(StartProcess))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25118; reference:cve,2007-4058; classtype:attempted-user; sid:12203; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Widgets Engine ActiveX clsid access"; flow:to_client,established; file_data; content:"7EC7B6C5-25BD-4586-A641-D2ACBB6629DD"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7EC7B6C5-25BD-4586-A641-D2ACBB6629DD\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetComponentVersion)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7EC7B6C5-25BD-4586-A641-D2ACBB6629DD\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetComponentVersion))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25086; reference:cve,2007-4034; reference:url,help.yahoo.com/l/us/yahoo/widgets/security/security-08.html; classtype:attempted-user; sid:12193; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Direct Speech Recognition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"4E3D9D1F-0C63-11D1-8BFB-0060081841DE"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-2222; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:11830; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Voice Control Recognition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"EEE78591-FE22-11D0-8BEF-0060081841DE"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-2222; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:11826; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Yahoo Webcam Upload ActiveX clsid access"; flow:to_client,established; content:"DCE2F8B1-A520-11D4-8FD0-00D0B7730277"; fast_pattern:only; file_data; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DCE2F8B1-A520-11D4-8FD0-00D0B7730277\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(server)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DCE2F8B1-A520-11D4-8FD0-00D0B7730277\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(server))\s*=/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24341; reference:cve,2007-3147; classtype:attempted-user; sid:11822; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Input Method Editor 3 ActiveX clsid access"; flow:to_client,established; file_data; content:"BE4191FB-59EF-4825-AEFC-109727951E42"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BE4191FB-59EF-4825-AEFC-109727951E42\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; reference:url,www.xsec.org/index.php?module=releases&act=view&type=1&id=9; classtype:attempted-user; sid:11228; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B9B5\s*}?\s*(?P=q9)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B9B5\s*}?\s*(?P=q10)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m6)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23811; reference:bugtraq,33243; reference:bugtraq,33283; reference:cve,2007-2588; reference:cve,2009-0382; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:11199; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Word Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22BF2"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q14)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q15)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m8)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23784; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2496; reference:url,moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html; classtype:attempted-user; sid:11187; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B965"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11181; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office PowerPoint Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22B92"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q19)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q20)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m10)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23733; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2494; reference:url,moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html; classtype:attempted-user; sid:11176; rev:19;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec SupportSoft SmartIssue ActiveX clsid access"; flow:to_client,established; file_data; content:"01010e00-5e80-11d8-9e86-0007e96c65ae"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*01010e00-5e80-11d8-9e86-0007e96c65ae\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(EnableExtension)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*01010e00-5e80-11d8-9e86-0007e96c65ae\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(EnableExtension))\s*\(/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22564; reference:cve,2006-6490; reference:url,securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html; classtype:attempted-user; sid:10393; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Ierpplug.dll ActiveX function call access"; flow:to_client,established; file_data; content:"IERPCtl.IERPCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22IERPCtl\.IERPCtl(\.\d)?\x22|\x27IERPCtl\.IERPCtl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import|RecordClip)\s*|.*(?P=v)\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import|RecordClip)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IERPCtl\.IERPCtl(\.\d)?\x22|\x27IERPCtl\.IERPCtl(\.\d)?\x27)\s*\)(\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import|RecordClip)\s*|.*(?P=n)\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import|RecordClip)\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21802; reference:bugtraq,22811; reference:cve,2006-6847; reference:cve,2007-5601; reference:cve,2008-3066; reference:cve,2010-3749; classtype:attempted-user; sid:10194; rev:22;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Ierpplug.dll ActiveX function call access"; flow:to_client,established; file_data; content:"IERPCtl.IERPCtl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22IERPCtl\.IERPCtl(\.\d)?\x22|\x27IERPCtl\.IERPCtl(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import|RecordClip)\s*|.*(?P=v)\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import|RecordClip)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IERPCtl\.IERPCtl(\.\d)?\x22|\x27IERPCtl\.IERPCtl(\.\d)?\x27)\s*\)(\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import|RecordClip)\s*|.*(?P=n)\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import|RecordClip)\s*)/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21802; reference:bugtraq,22811; reference:bugtraq,44443; reference:cve,2006-6847; reference:cve,2007-5601; reference:cve,2008-3066; reference:cve,2010-3749; classtype:attempted-user; sid:10193; rev:21;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Ierpplug.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import|RecordClip)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import|RecordClip))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21802; reference:bugtraq,22811; reference:bugtraq,44443; reference:cve,2006-6847; reference:cve,2007-5601; reference:cve,2008-3066; reference:cve,2010-3749; classtype:attempted-user; sid:10192; rev:25;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle ORADC ActiveX clsid access"; flow:to_client,established; file_data; content:"EC4CF635-D196-11CE-9027-02608C4BF3B5"; fast_pattern:only; pcre:"/]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\4.*\3\.(UpdateRecord)\(|]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(UpdateRecord)\(/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22026; classtype:attempted-user; sid:10015; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ICQPhone.SipxPhoneManager ActiveX function call access"; flow:to_client,established; file_data; content:"ICQPhone.SipxPhoneManager"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ICQPhone.SipxPhoneManager(\.\d)?\x22|\x27ICQPhone.SipxPhoneManager(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DownloadAgent)\s*\(|.*(?P=v)\s*\.\s*(DownloadAgent)\s*\()|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ICQPhone.SipxPhoneManager(\.\d)?\x22|\x27ICQPhone.SipxPhoneManager(\.\d)?\x27)\s*\)(\s*\.\s*(DownloadAgent)\s*\(|.*(?P=n)\s*\.\s*(DownloadAgent)\s*\()/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20930; reference:cve,2006-5650; classtype:attempted-user; sid:9816; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ICQPhone.SipxPhoneManager ActiveX clsid access"; flow:to_client,established; file_data; content:"54BDE6EC-F42F-4500-AC46-905177444300"; fast_pattern:only; pcre:"/]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*54BDE6EC-F42F-4500-AC46-905177444300\s*}?\4.*\3\.(DownloadAgent)\(|]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*54BDE6EC-F42F-4500-AC46-905177444300\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(DownloadAgent)\(/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20930; reference:cve,2006-5650; classtype:attempted-user; sid:9814; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows ADODB.Connection ActiveX function call access"; flow:to_client,established; file_data; content:"ADODB.Connection.2.7"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22ADODB\.Connection\.2\.7\x22|\x27ADODB\.Connection\.2\.7\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(Execute)\s*\(|.*\3\s*\.\s*(Execute)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ADODB\.Connection\.2\.7\x22|\x27ADODB\.Connection\.2\.7\x27)\s*\)(\s*\.\s*(Execute)\s*\(|.*\7\s*\.\s*(Execute)\s*\()/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-5559; reference:url,archives.neohapsis.com/archives/ntbugtraq/2004-q4/0083.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-009; classtype:attempted-user; sid:9640; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Citrix.ICAClient ActiveX clsid access"; flow:to_client,established; file_data; content:"238F6F83-B8B4-11cf-8771-00A024541EE3"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*238F6F83-B8B4-11cf-8771-00A024541EE3\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SendChannelData)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*238F6F83-B8B4-11cf-8771-00A024541EE3\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(SendChannelData))/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23246; reference:cve,2006-6334; reference:url,support.citrix.com/article/CTX111827; classtype:attempted-user; sid:9629; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AcroPDF.PDF ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; fast_pattern:only; pcre:"/(execCommand|LoadFile|src|setLayoutMode|setNamedDest|setPageMode)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12989; reference:bugtraq,21155; reference:bugtraq,21338; reference:cve,2005-0035; reference:cve,2006-6027; reference:cve,2006-6236; reference:url,adobe.com/support/security/advisories/apsa06-02.html; reference:url,adobe.com/support/techdocs/331465.html; classtype:attempted-user; sid:9626; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WinZip FileView 6.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A09AE68F-B14D-43ED-B713-BA413F034904\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21060; reference:bugtraq,21108; reference:cve,2006-3890; reference:cve,2006-5198; reference:url,www.winzip.com/wz7245.htm; classtype:attempted-user; sid:9129; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAArray.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAArray.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAArray\.1\x22|\x27DirectAnimation\.DAArray\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAArray\.1\x22|\x27DirectAnimation\.DAArray\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8845; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAArray.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"D17506C3-6B26-11D0-8914-00C04FC2A0CA"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D17506C3-6B26-11D0-8914-00C04FC2A0CA/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8843; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DABbox2.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DABbox2.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DABbox2\.1\x22|\x27DirectAnimation\.DABbox2\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DABbox2\.1\x22|\x27DirectAnimation\.DABbox2\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8842; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DABbox2.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BCE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCE-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8840; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DABbox3.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DABbox3.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DABbox3\.1\x22|\x27DirectAnimation\.DABbox3\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DABbox3\.1\x22|\x27DirectAnimation\.DABbox3\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8839; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DABbox3.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BDE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDE-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8837; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DABoolean.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DABoolean.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DABoolean\.1\x22|\x27DirectAnimation\.DABoolean\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DABoolean\.1\x22|\x27DirectAnimation\.DABoolean\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8836; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DABoolean.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BC1-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC1-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8834; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DACamera.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DACamera.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DACamera\.1\x22|\x27DirectAnimation\.DACamera\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DACamera\.1\x22|\x27DirectAnimation\.DACamera\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8833; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DACamera.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BE2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE2-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8831; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAColor.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAColor.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAColor\.1\x22|\x27DirectAnimation\.DAColor\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAColor\.1\x22|\x27DirectAnimation\.DAColor\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8830; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAColor.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BC6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC6-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8828; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DADashStyle.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DADashStyle.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DADashStyle\.1\x22|\x27DirectAnimation\.DADashStyle\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DADashStyle\.1\x22|\x27DirectAnimation\.DADashStyle\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8827; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DADashStyle.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BF0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF0-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8825; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAGeometry.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAGeometry.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAGeometry\.1\x22|\x27DirectAnimation\.DAGeometry\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAGeometry\.1\x22|\x27DirectAnimation\.DAGeometry\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8824; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAGeometry.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BE0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE0-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8822; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAImage.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAImage.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAImage\.1\x22|\x27DirectAnimation\.DAImage\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAImage\.1\x22|\x27DirectAnimation\.DAImage\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8821; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAImage.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BD4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD4-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8819; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAJoinStyle.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAJoinStyle.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAJoinStyle\.1\x22|\x27DirectAnimation\.DAJoinStyle\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAJoinStyle\.1\x22|\x27DirectAnimation\.DAJoinStyle\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8818; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAJoinStyle.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BEE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BEE-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8816; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DALineStyle.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DALineStyle.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DALineStyle\.1\x22|\x27DirectAnimation\.DALineStyle\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DALineStyle\.1\x22|\x27DirectAnimation\.DALineStyle\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8815; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DALineStyle.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BF2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF2-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8813; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAMatte.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAMatte.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAMatte\.1\x22|\x27DirectAnimation\.DAMatte\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAMatte\.1\x22|\x27DirectAnimation\.DAMatte\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8812; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAMatte.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BD2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD2-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8810; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAMicrophone.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAMicrophone.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAMicrophone\.1\x22|\x27DirectAnimation\.DAMicrophone\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAMicrophone\.1\x22|\x27DirectAnimation\.DAMicrophone\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8809; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAMicrophone.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BE6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE6-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8807; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAMontage.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAMontage.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAMontage\.1\x22|\x27DirectAnimation\.DAMontage\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAMontage\.1\x22|\x27DirectAnimation\.DAMontage\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8806; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAMontage.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BD6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD6-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8804; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DANumber.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DANumber.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DANumber\.1\x22|\x27DirectAnimation\.DANumber\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DANumber\.1\x22|\x27DirectAnimation\.DANumber\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8803; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DANumber.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"9CDE7341-3C20-11D0-A330-00AA00B92C03"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CDE7341-3C20-11D0-A330-00AA00B92C03/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8801; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAPair.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAPair.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAPair\.1\x22|\x27DirectAnimation\.DAPair\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAPair\.1\x22|\x27DirectAnimation\.DAPair\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8800; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAPair.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BF4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF4-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8798; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAPath2.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAPath2.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAPath2\.1\x22|\x27DirectAnimation\.DAPath2\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAPath2\.1\x22|\x27DirectAnimation\.DAPath2\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8797; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAPath2.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BD0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD0-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8795; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAPoint2.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAPoint2.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAPoint2.1\x22|\x27DirectAnimation.DAPoint2.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAPoint2.1\x22|\x27DirectAnimation.DAPoint2.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8794; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAPoint2.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BC8-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC8-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8792; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAPoint3.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAPoint3.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAPoint3\.1\x22|\x27DirectAnimation\.DAPoint3\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAPoint3\.1\x22|\x27DirectAnimation\.DAPoint3\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8791; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAPoint3.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BD8-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD8-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8789; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DASound.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DASound.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DASound\.1\x22|\x27DirectAnimation\.DASound\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DASound\.1\x22|\x27DirectAnimation\.DASound\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8788; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DASound.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BE4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE4-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8786; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAString.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAString.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAString\.1\x22|\x27DirectAnimation\.DAString\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAString\.1\x22|\x27DirectAnimation\.DAString\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8785; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAString.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BC4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC4-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8783; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DATransform2.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DATransform2.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DATransform2\.1\x22|\x27DirectAnimation\.DATransform2\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DATransform2\.1\x22|\x27DirectAnimation\.DATransform2\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8782; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DATransform2.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BCC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCC-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8780; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DATransform3.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DATransform3.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DATransform3\.1\x22|\x27DirectAnimation\.DATransform3\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DATransform3\.1\x22|\x27DirectAnimation\.DATransform3\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8779; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DATransform3.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BDC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDC-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8777; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAUserData.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAUserData.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAUserData\.1\x22|\x27DirectAnimation\.DAUserData\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAUserData\.1\x22|\x27DirectAnimation\.DAUserData\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8776; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAUserData.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"AF868304-AB0B-11D0-876A-00C04FC29D46"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AF868304-AB0B-11D0-876A-00C04FC29D46/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8774; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAVector2.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAVector2.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAVector2\.1\x22|\x27DirectAnimation\.DAVector2\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAVector2\.1\x22|\x27DirectAnimation\.DAVector2\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8773; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAVector2.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BCA-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCA-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8771; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAVector3.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAVector3.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAVector3\.1\x22|\x27DirectAnimation\.DAVector3\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAVector3\.1\x22|\x27DirectAnimation\.DAVector3\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8770; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAVector3.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BDA-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDA-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8768; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAView.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAView.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAView\.1\x22|\x27DirectAnimation\.DAView\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAView\.1\x22|\x27DirectAnimation\.DAView\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8767; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAView.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"283807B5-2C60-11D0-A31D-00AA00B92C03"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*283807B5-2C60-11D0-A31D-00AA00B92C03/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8765; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.Sequence ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.Sequence"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.Sequence\x22|\x27DirectAnimation\.Sequence\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.Sequence\x22|\x27DirectAnimation\.Sequence\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8764; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.Sequence ActiveX clsid access"; flow:to_client,established; file_data; content:"4F241DB1-EE9F-11D0-9824-006097C99E51"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F241DB1-EE9F-11D0-9824-006097C99E51/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8762; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.SequencerControl ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.SequencerControl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.SequencerControl\x22|\x27DirectAnimation\.SequencerControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.SequencerControl\x22|\x27DirectAnimation\.SequencerControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8761; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.SequencerControl ActiveX clsid access"; flow:to_client,established; file_data; content:"B0A6BAE2-AAF0-11D0-A152-00A0C908DB96"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0A6BAE2-AAF0-11D0-A152-00A0C908DB96/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8759; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.SpriteControl ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.SpriteControl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.SpriteControl\x22|\x27DirectAnimation\.SpriteControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.SpriteControl\x22|\x27DirectAnimation\.SpriteControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8758; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.SpriteControl ActiveX clsid access"; flow:to_client,established; file_data; content:"FD179533-D86E-11D0-89D6-00A0C90833E6"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD179533-D86E-11D0-89D6-00A0C90833E6/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8756; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer LM.AutoEffectBvr.1 ActiveX function call access"; flow:to_client,established; file_data; content:"LM.AutoEffectBvr.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22LM\.AutoEffectBvr\.1\x22|\x27LM\.AutoEffectBvr\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22LM\.AutoEffectBvr\.1\x22|\x27LM\.AutoEffectBvr\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8755; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer LM.AutoEffectBvr.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"BB339A46-7C49-11d2-9BF3-00C04FA34789"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB339A46-7C49-11d2-9BF3-00C04FA34789/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8753; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer LM.LMBehaviorFactory.1 ActiveX function call access"; flow:to_client,established; file_data; content:"LM.LMBehaviorFactory.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22LM\.LMBehaviorFactory\.1\x22|\x27LM\.LMBehaviorFactory\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22LM\.LMBehaviorFactory\.1\x22|\x27LM\.LMBehaviorFactory\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8752; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer LM.LMBehaviorFactory.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"B1549E58-3894-11D2-BB7F-00A0C999C4C1"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B1549E58-3894-11D2-BB7F-00A0C999C4C1/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8750; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAEndStyle.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAEndStyle.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAEndStyle\.1\x22|\x27DirectAnimation\.DAEndStyle\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAEndStyle\.1\x22|\x27DirectAnimation\.DAEndStyle\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8749; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAEndStyle.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"C46C1BEC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BEC-3C52-11D0-9200-848C1D000000/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8747; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAEvent.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAEvent.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAEvent\.1\x22|\x27DirectAnimation\.DAEvent\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAEvent\.1\x22|\x27DirectAnimation\.DAEvent\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8746; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAEvent.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"50B4791F-4731-11D0-8912-00C04FC2A0CA"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*50B4791F-4731-11D0-8912-00C04FC2A0CA/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8744; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAFontStyle.1 ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.DAFontStyle.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.DAFontStyle\.1\x22|\x27DirectAnimation\.DAFontStyle\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.DAFontStyle\.1\x22|\x27DirectAnimation\.DAFontStyle\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8743; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.DAFontStyle.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"25B0F91C-D23D-11D0-9B85-00C04FC2F51D"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*25B0F91C-D23D-11D0-9B85-00C04FC2F51D/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8741; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX clsid access"; flow:to_client,established; file_data; content:"E9880553-B8A7-4960-A668-95C68BED571E"; fast_pattern:only; pcre:"/(]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9880553-B8A7-4960-A668-95C68BED571E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DownloadAndExecute|AddFileEx|ExecuteRemote))\s*\(|]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9880553-B8A7-4960-A668-95C68BED571E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DownloadAndExecute|AddFileEx|ExecuteRemote)/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:8738; rev:19;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer XMLHTTP 4.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"88d969c5-f192-11d4-a65f-0040963251e5"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*88d969c5-f192-11d4-a65f-0040963251e5\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20915; reference:cve,2006-5745; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-071; classtype:attempted-user; sid:8727; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Data Source Control 11.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E55B-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteRecordSourceIfUnused)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteRecordSourceIfUnused))\s*\(/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19069; reference:bugtraq,24462; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; classtype:attempted-user; sid:8723; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX function call"; flow:to_client,established; file_data; content:"WebViewFolderIcon.WebViewFolderIcon.1"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:8419; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMIScriptUtils.WMIObjectBroker2.1 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"7"; content:"F5B7F63"; within:12; content:"-F06F-"; within:11; content:"4331-8A26-"; within:15; content:"339E03C0"; within:13; content:"AE3D"; within:9; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-4704; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-073; classtype:attempted-user; sid:8369; rev:19;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access"; flow:to_client,established; file_data; content:"wscript.shell"; fast_pattern:only; pcre:"/(ActiveX|Create)Object\s*\(\s*[\x22\x27]?wscript\.shell/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,101098; reference:bugtraq,10652; reference:bugtraq,17462; reference:cve,2006-0003; reference:cve,2017-11774; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-014; classtype:attempted-user; sid:8068; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access"; flow:to_client,established; file_data; content:"ADODB.Stream"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ADODB\.Stream\x22|\x27ADODB\.Stream\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ADODB\.Stream\x22|\x27ADODB\.Stream\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,10514; reference:cve,2004-0549; reference:cve,2009-3576; reference:url,support.microsoft.com/default.aspx?kbid=870669; reference:url,support.microsoft.com/kb/870669 reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-025; classtype:attempted-user; sid:8063; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DirectAnimation.PathControl ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.PathControl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.PathControl\x22|\x27DirectAnimation.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.PathControl\x22|\x27DirectAnimation.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19738; reference:cve,2006-4446; reference:cve,2006-4777; classtype:attempted-user; sid:8055; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DirectAnimation.PathControl ActiveX clsid access"; flow:to_client,established; file_data; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D7A7D7C3-D47F-11D0-89D3-00A0C90833E6/siO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19738; reference:cve,2006-4446; reference:cve,2006-4777; classtype:attempted-user; sid:8053; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"E5DF9D10-3B52-11D1-83E8-00A0C90DC849"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:7985; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CDL Asychronous Pluggable Protocol Handler ActiveX clsid access"; flow:to_client,established; file_data; content:"3DD53D40-7B8B-11D0-B013-00AA0059CE02"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3DD53D40-7B8B-11D0-B013-00AA0059CE02\s*}?\s*(?P=q13)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7904; rev:18;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Data Source Control 10.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E553-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E553-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35800; reference:bugtraq,35990; reference:cve,2002-0727; reference:cve,2002-0861; reference:cve,2009-0562; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:7876; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E551-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E551-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2002-0727; reference:cve,2002-0861; reference:cve,2009-1136; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:7872; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McSubMgr ActiveX CLSID access"; flow:to_client,established; file_data; content:"9be8d7b2-329c-442a-a4ac-aba9d7572602"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9be8d7b2-329c-442a-a4ac-aba9d7572602/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19265; reference:cve,2006-3961; classtype:attempted-user; sid:7864; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Dynamic Casts ActiveX clsid access"; flow:to_client,established; file_data; content:"5DFB2651-9668-11D0-B17B-00C04FC2A0CA"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7435; rev:19;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDS.Dataspace ActiveX function call access"; flow:to_client,established; file_data; content:"RDS.DataSpace"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22RDS\.DataSpace\x22|\x27RDS\.DataSpace\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22RDS\.DataSpace\x22|\x27RDS\.DataSpace\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17462; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-014; classtype:attempted-user; sid:7026; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows DirectAnimation.StructuredGraphicsControl ActiveX function call access"; flow:to_client,established; file_data; content:"DirectAnimation.StructuredGraphicsControl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.StructuredGraphicsControl\x22|\x27DirectAnimation\.StructuredGraphicsControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.StructuredGraphicsControl\x22|\x27DirectAnimation\.StructuredGraphicsControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:7009; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Internet.HHCtrl.1 ActiveX function call access"; flow:to_client,established; file_data; content:"Internet.HHCtrl.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Internet\.HHCtrl\.1\x22|\x27Internet\.HHCtrl\.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Internet\.HHCtrl\.1\x22|\x27Internet\.HHCtrl\.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18769; reference:cve,2006-3357; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-046; classtype:attempted-user; sid:7004; rev:20;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows RDS.Dataspace ActiveX object access"; flow:to_client,established; file_data; content:"BD96C556-65A3-11D0-983A-00C04FC29E36"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD96C556-65A3-11D0-983A-00C04FC29E36/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17462; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-014; classtype:attempted-user; sid:6009; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer ISupportErrorInfo Interface ActiveX object access"; flow:to_client,established; file_data; content:"clsid:DF0B3D60-548F-101B-8E65-08002B2BD119"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2831; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4899; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"0002E510-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E510-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,4453; reference:cve,2002-0860; reference:cve,2006-3868; reference:cve,2006-4695; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-017; classtype:attempted-user; sid:4177; rev:20;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Office 2000 and 2002 Web Components Data Source Control ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E530-0000-0000-C000-000000000046"; fast_pattern:only; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E530-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28136; reference:bugtraq,4449; reference:cve,2002-0727; reference:cve,2007-1201; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-017; classtype:attempted-user; sid:4170; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer htmlfile ActiveX object access attempt"; flow:to_client,established; file_data; content:"25336921-03F9-11CF-8FD0-00AA00686F13"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*25336921-03F9-11CF-8FD0-00AA00686F13/si"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,1718; reference:bugtraq,49960; reference:cve,2001-0149; reference:cve,2011-1995; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-015; classtype:attempted-user; sid:4155; rev:20;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access"; flow:to_client,established; file_data; content:"2D360201-FFF5-11D1-8D03-00A0C959BC0A"; fast_pattern:only; content:"LoadURL"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,116; reference:bugtraq,12602; reference:bugtraq,1474; reference:bugtraq,36280; reference:cve,1999-0487; reference:cve,2005-0500; reference:cve,2009-2519; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-011; classtype:attempted-user; sid:4148; rev:23;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft .NET framework EntityObject execution attempt "; flow:established,to_client; flowbits:isset,file.exe; content:"de5368b1-a28f-4613-8787"; fast_pattern; nocase; metadata:service http; reference:cve,2010-3228; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-077; classtype:attempted-user; sid:18064; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call unicode access "; flow:established,to_client; content:"M|00|S|00|W|00|i|00|n|00|s|00|o|00|c|00|k|00|.|00|w|00|i|00|n|00|s|00|o|00|c|00|k|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00S\x00W\x00i\x00n\x00s\x00o\x00c\x00k\x00.\x00w\x00i\x00n\x00s\x00o\x00c\x00k\x00(\.\x00\d\x00)?(?P=q20)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00S\x00W\x00i\x00n\x00s\x00o\x00c\x00k\x00.\x00w\x00i\x00n\x00s\x00o\x00c\x00k\x00(\.\x00\d\x00)?(?P=q21)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2008-4251; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15121; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call access "; flow:established,to_client; content:"MSWinsock.winsock"; nocase; pcre:"/(?P\w+)\s*=\s*(\x22MSWinsock\.winsock(\.\d)?\x22|\x27MSWinsock\.winsock(\.\d)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*RemoteHost\s*|.*(?P=v)\s*\.\s*RemoteHost\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSWinsock\.winsock(\.\d)?\x22|\x27MSWinsock\.winsock(\.\d)?\x27)\s*\)(\s*\.\s*RemoteHost\s*|.*(?P=n)\s*\.\s*RemoteHost)\s*=/smiO"; metadata:policy security-ips drop; reference:cve,2008-4251; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15120; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid unicode access "; flow:established,to_client; content:"2|00|4|00|8|00|D|00|D|00|8|00|9|00|6|00|-|00|B|00|B|00|4|00|5|00|-|00|1|00|1|00|C|00|F|00|-|00|9|00|A|00|B|00|C|00|-|00|0|00|0|00|8|00|0|00|C|00|7|00|E|00|7|00|B|00|7|00|8|00|D|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x004\x008\x00D\x00D\x008\x009\x006\x00-\x00B\x00B\x004\x005\x00-\x001\x001\x00C\x00F\x00-\x009\x00A\x00B\x00C\x00-\x000\x000\x008\x000\x00C\x007\x00E\x007\x00B\x007\x008\x00D\x00(}\x00)?(?P=q19)(?=\s\x00|>\x00)/siO"; reference:cve,2008-4251; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15119; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid access "; flow:established,to_client; content:"248DD896-BB45-11CF-9ABC-0080C7E7B78D"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*248DD896-BB45-11CF-9ABC-0080C7E7B78D\s*}?\s*(?P=q17)(\s|>).*(?P=id1)\s*\.\s*(RemoteHost)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*248DD896-BB45-11CF-9ABC-0080C7E7B78D\s*}?\s*(?P=q18)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(RemoteHost))\s*=/siO"; metadata:policy security-ips drop; reference:cve,2008-4251; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15118; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call unicode access "; flow:established,to_client; content:"E|00|v|00|e|00|n|00|t|00|S|00|y|00|s|00|t|00|e|00|m|00|.|00|E|00|v|00|e|00|n|00|t|00|S|00|u|00|b|00|s|00|c|00|r|00|i|00|p|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00v\x00e\x00n\x00t\x00S\x00y\x00s\x00t\x00e\x00m\x00.\x00E\x00v\x00e\x00n\x00t\x00S\x00u\x00b\x00s\x00c\x00r\x00i\x00p\x00t\x00i\x00o\x00n\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)E\x00v\x00e\x00n\x00t\x00S\x00y\x00s\x00t\x00e\x00m\x00.\x00E\x00v\x00e\x00n\x00t\x00S\x00u\x00b\x00s\x00c\x00r\x00i\x00p\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:service http; reference:cve,2008-1457; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-049; classtype:attempted-user; sid:13978; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call access "; flow:established,to_client; content:"EventSystem.EventSubscription"; pcre:"/(?P\w+)\s*=\s*(\x22EventSystem\.EventSubscription\x22|\x27EventSystem\.EventSubscription\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EventSystem\.EventSubscription\x22|\x27EventSystem\.EventSubscription\x27)\s*\)/smi"; metadata:service http; reference:cve,2008-1457; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-049; classtype:attempted-user; sid:13977; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid unicode access "; flow:established,to_client; content:"7|00|5|00|4|00|2|00|E|00|9|00|6|00|0|00|-|00|7|00|9|00|C|00|7|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|8|00|F|00|9|00|-|00|0|00|0|00|8|00|0|00|C|00|7|00|D|00|7|00|7|00|1|00|B|00|F|00|"; fast_pattern:only; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x005\x004\x002\x00E\x009\x006\x000\x00-\x007\x009\x00C\x007\x00-\x001\x001\x00D\x001\x00-\x008\x008\x00F\x009\x00-\x000\x000\x008\x000\x00C\x007\x00D\x007\x007\x001\x00B\x00F\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:service http; reference:cve,2008-1457; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-049; classtype:attempted-user; sid:13976; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid access "; flow:established,to_client; content:"7542E960-79C7-11D1-88F9-0080C7D771BF"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7542E960-79C7-11D1-88F9-0080C7D771BF\s*}?\s*(?P=q1)(\s|>)/si"; metadata:service http; reference:cve,2008-1457; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-049; classtype:attempted-user; sid:13975; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX function call"; flow:established,to_client; file_data; content:"Rvctl.RVControl"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0982; classtype:attempted-user; sid:34644; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX clsid access"; flow:established,to_client; file_data; content:"6781FF2E-7452-11D4-84D4-0040F60CE591"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0982; classtype:attempted-user; sid:34643; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee Virtual Technician ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"McReportManager.Report"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5879; classtype:attempted-user; sid:34642; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee Virtual Technician ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"24565A99-ADDA-47B9-9E86-3C4C3360E256"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5879; classtype:attempted-user; sid:34641; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt"; flow:established,to_client; file_data; content:"ATX45.ATX45Ctrl.1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ATX45\.ATX45Ctrl(\.\d*)?\x22|\x27ATX45\.ATX45Ctrl(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetHtmlFileName\s*|.*(?P=v)\s*\.\s*SetHtmlFileName\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ATX45\.ATX45Ctrl(\.\d*)?\x22|\x27ATX45\.ATX45Ctrl(\.\d*)?\x27)\s*\)(\s*\.\s*SetHtmlFileName\s*|.*(?P=n)\s*\.\s*SetHtmlFileName\s*)/smiO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8511; classtype:attempted-user; sid:34640; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt"; flow:established,to_client; file_data; content:"ATX45.ATX45Ctrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22ATX45\.ATX45Ctrl(\.\d*)?\x22|\x27ATX45\.ATX45Ctrl(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetHtmlFileName\s*|.*(?P=v)\s*\.\s*SetHtmlFileName\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ATX45\.ATX45Ctrl(\.\d*)?\x22|\x27ATX45\.ATX45Ctrl(\.\d*)?\x27)\s*\)(\s*\.\s*SetHtmlFileName\s*|.*(?P=n)\s*\.\s*SetHtmlFileName\s*)/smiO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8511; classtype:attempted-user; sid:34639; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"34290586-1728-11D2-B45B-000021692342"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*34290586-1728-11D2-B45B-000021692342\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(SetHtmlFileName)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*34290586-1728-11D2-B45B-000021692342\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(SetHtmlFileName))/siO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8511; classtype:attempted-user; sid:34638; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Samsung iPOLiS device manager clsid access attempt"; flow:to_client,established; file_data; content:"D3B78638-78BA-4587-88FE-0537A0825A72"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,67823; reference:cve,2014-3912; classtype:attempted-user; sid:32246; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Samsung iPOLiS device manager clsid access attempt"; flow:to_client,established; file_data; content:"XNSSDKDEVICE.XnsSdkDeviceCtrlForIpInstaller"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,67823; reference:cve,2014-3912; classtype:attempted-user; sid:32245; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access"; flow:to_server,established; file_data; content:"MDRAW.MDrawCtrl.3"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MDRAW\.MDrawCtrl(\.\d*)?\x22|\x27MDRAW\.MDrawCtrl(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ArrangeObjects\s*|.*(?P=v)\s*\.\s*ArrangeObjects\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MDRAW\.MDrawCtrl(\.\d*)?\x22|\x27MDRAW\.MDrawCtrl(\.\d*)?\x27)\s*\)(\s*\.\s*ArrangeObjects\s*|.*(?P=n)\s*\.\s*ArrangeObjects\s*)/smiO"; metadata:service smtp; reference:cve,2014-9188; classtype:attempted-user; sid:34923; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access"; flow:to_client,established; file_data; content:"MDRAW.MDrawCtrl.3"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MDRAW\.MDrawCtrl(\.\d*)?\x22|\x27MDRAW\.MDrawCtrl(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ArrangeObjects\s*|.*(?P=v)\s*\.\s*ArrangeObjects\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MDRAW\.MDrawCtrl(\.\d*)?\x22|\x27MDRAW\.MDrawCtrl(\.\d*)?\x27)\s*\)(\s*\.\s*ArrangeObjects\s*|.*(?P=n)\s*\.\s*ArrangeObjects\s*)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9188; classtype:attempted-user; sid:34922; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access"; flow:to_server,established; file_data; content:"MDRAW.MDrawCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MDRAW\.MDrawCtrl(\.\d*)?\x22|\x27MDRAW\.MDrawCtrl(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ArrangeObjects\s*|.*(?P=v)\s*\.\s*ArrangeObjects\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MDRAW\.MDrawCtrl(\.\d*)?\x22|\x27MDRAW\.MDrawCtrl(\.\d*)?\x27)\s*\)(\s*\.\s*ArrangeObjects\s*|.*(?P=n)\s*\.\s*ArrangeObjects\s*)/smiO"; metadata:service smtp; reference:cve,2014-9188; classtype:attempted-user; sid:34921; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access"; flow:to_server,established; file_data; content:"644D8000-3033-A583-AD61-00403333EC93"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*644D8000-3033-A583-AD61-00403333EC93\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(ArrangeObjects)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*644D8000-3033-A583-AD61-00403333EC93\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(ArrangeObjects))/siO"; metadata:service smtp; reference:cve,2014-9188; classtype:attempted-user; sid:34920; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access"; flow:to_client,established; file_data; content:"MDRAW.MDrawCtrl"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22MDRAW\.MDrawCtrl(\.\d*)?\x22|\x27MDRAW\.MDrawCtrl(\.\d*)?\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ArrangeObjects\s*|.*(?P=v)\s*\.\s*ArrangeObjects\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MDRAW\.MDrawCtrl(\.\d*)?\x22|\x27MDRAW\.MDrawCtrl(\.\d*)?\x27)\s*\)(\s*\.\s*ArrangeObjects\s*|.*(?P=n)\s*\.\s*ArrangeObjects\s*)/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9188; classtype:attempted-user; sid:34919; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access"; flow:to_client,established; file_data; content:"644D8000-3033-A583-AD61-00403333EC93"; fast_pattern:only; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*644D8000-3033-A583-AD61-00403333EC93\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(ArrangeObjects)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*644D8000-3033-A583-AD61-00403333EC93\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(ArrangeObjects))/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9188; classtype:attempted-user; sid:34918; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Samsung iPOLiS device manager clsid access attempt"; flow:to_server,established; file_data; content:"D3B78638-78BA-4587-88FE-0537A0825A72"; fast_pattern:only; metadata:service smtp; reference:bugtraq,67823; reference:cve,2014-3912; classtype:attempted-user; sid:34885; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Samsung iPOLiS device manager clsid access attempt"; flow:to_server,established; file_data; content:"XNSSDKDEVICE.XnsSdkDeviceCtrlForIpInstaller"; fast_pattern:only; metadata:service smtp; reference:bugtraq,67823; reference:cve,2014-3912; classtype:attempted-user; sid:34884; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt"; flow:to_server,established; file_data; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; fast_pattern:only; pcre:"/(RestoreViewStateFromFile|SaveViewStateToFile|Export3DBom)/i"; metadata:service smtp; reference:bugtraq,50321; reference:bugtraq,50333; classtype:attempted-user; sid:35002; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt"; flow:to_server,established; file_data; content:"AUTOVUEX.AutoVueXCtrl.1"; fast_pattern:only; pcre:"/(RestoreViewStateFromFile|SaveViewStateToFile|Export3DBom)/i"; metadata:service smtp; reference:bugtraq,50321; reference:bugtraq,50333; classtype:attempted-user; sid:35001; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"AnnotationX.AnnList"; fast_pattern:only; content:"insert"; nocase; metadata:service smtp; reference:bugtraq,72840; reference:cve,2015-2092; classtype:attempted-user; sid:35330; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"AnnotationX.AnnList"; fast_pattern:only; content:"insert"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,72840; reference:cve,2015-2092; classtype:attempted-user; sid:35329; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"EF600D71-358F-11D1-8FD4-00AA00BD091C"; fast_pattern:only; content:"insert"; nocase; metadata:service smtp; reference:bugtraq,72840; reference:cve,2015-2092; classtype:attempted-user; sid:35328; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"EF600D71-358F-11D1-8FD4-00AA00BD091C"; fast_pattern:only; content:"insert"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,72840; reference:cve,2015-2092; classtype:attempted-user; sid:35327; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"TSS12.DscXB.XB"; fast_pattern:only; content:".onloadstatechange"; nocase; metadata:service smtp; reference:cve,2014-2417; classtype:attempted-user; sid:35352; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"TSS12.DscXB.XB"; fast_pattern:only; content:".onloadstatechange"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2417; classtype:attempted-user; sid:35351; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"81A6E346-8DE9-4C46-A3DE-C436F4158CEB"; fast_pattern:only; content:".onloadstatechange"; nocase; metadata:service smtp; reference:cve,2014-2417; classtype:attempted-user; sid:35350; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"81A6E346-8DE9-4C46-A3DE-C436F4158CEB"; fast_pattern:only; content:".onloadstatechange"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2417; classtype:attempted-user; sid:35349; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Data Quality Postcard PreviewInt onclose untrusted pointer dereference attempt"; flow:to_server,established; file_data; content:"TSS12.TransformerTools.PostcardPreviewInt"; fast_pattern:only; content:"onclose"; nocase; metadata:service smtp; reference:cve,2014-2415; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:35404; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Data Quality Postcard PreviewInt onclose untrusted pointer dereference attempt"; flow:to_client,established; file_data; content:"TSS12.TransformerTools.PostcardPreviewInt"; fast_pattern:only; content:"onclose"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2415; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:35403; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Data Quality Postcard PreviewInt onclose untrusted pointer dereference attempt"; flow:to_server,established; file_data; content:"55A9AB59-FDEB-466E-9A02-D21D5B245B48"; fast_pattern:only; content:"onclose"; nocase; metadata:service smtp; reference:cve,2014-2415; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:35402; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Data Quality Postcard PreviewInt onclose untrusted pointer dereference attempt"; flow:to_client,established; file_data; content:"55A9AB59-FDEB-466E-9A02-D21D5B245B48"; fast_pattern:only; content:"onclose"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2415; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:35401; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Data Quality DateTimeWrapper onchange untrusted pointer dereference attempt"; flow:to_server,established; file_data; content:"TSS12.DscForms.DateTimeWrapper"; fast_pattern:only; content:"onchange"; nocase; metadata:service smtp; reference:cve,2014-2416; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:35398; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Data Quality DateTimeWrapper onchange untrusted pointer dereference attempt"; flow:to_client,established; file_data; content:"TSS12.DscForms.DateTimeWrapper"; fast_pattern:only; content:"onchange"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2416; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:35397; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Data Quality DateTimeWrapper onchange untrusted pointer dereference attempt"; flow:to_server,established; file_data; content:"3ED187AD-B05A-4912-9DB1-26A01D074CAE"; fast_pattern:only; content:"onchange"; nocase; metadata:service smtp; reference:cve,2014-2416; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:35396; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Data Quality DateTimeWrapper onchange untrusted pointer dereference attempt"; flow:to_client,established; file_data; content:"3ED187AD-B05A-4912-9DB1-26A01D074CAE"; fast_pattern:only; content:"onchange"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2416; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-user; sid:35395; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access"; flow:to_server,established; file_data; content:"ActiveXObject|28 22|MSChart20Lib.MSChart.2|22 29 3B|"; fast_pattern:only; metadata:service smtp; reference:cve,2008-4256; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:35423; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt"; flow:to_server,established; file_data; content:"IsObjectModel.ModelObject"; fast_pattern:only; content:"RemoveParameter"; nocase; metadata:service smtp; reference:cve,2014-9200; reference:url,download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-009-01; classtype:attempted-user; sid:35422; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt"; flow:to_client,established; file_data; content:"IsObjectModel.ModelObject"; fast_pattern:only; content:"RemoveParameter"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9200; reference:url,download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-009-01; classtype:attempted-user; sid:35421; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt"; flow:to_server,established; file_data; content:"AB96C8BF-6780-11D3-BD5F-00105A3185C3"; fast_pattern:only; content:"RemoveParameter"; nocase; metadata:service smtp; reference:cve,2014-9200; reference:url,download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-009-01; classtype:attempted-user; sid:35420; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt"; flow:to_client,established; file_data; content:"AB96C8BF-6780-11D3-BD5F-00105A3185C3"; fast_pattern:only; content:"RemoveParameter"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9200; reference:url,download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-009-01; classtype:attempted-user; sid:35419; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt"; flow:to_server,established; file_data; content:"TSS12.LoaderWizard.lwctrl"; fast_pattern:only; content:"DataPreview"; nocase; metadata:service smtp; reference:cve,2015-0446; classtype:attempted-user; sid:35447; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt"; flow:to_client,established; file_data; content:"TSS12.LoaderWizard.lwctrl"; fast_pattern:only; content:"DataPreview"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0446; classtype:attempted-user; sid:35446; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt"; flow:to_server,established; file_data; content:"357DB9E3-72A6-41AA-9BA5-4A9D12E57ACD"; fast_pattern:only; content:"DataPreview"; nocase; metadata:service smtp; reference:cve,2015-0446; classtype:attempted-user; sid:35445; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt"; flow:to_client,established; file_data; content:"357DB9E3-72A6-41AA-9BA5-4A9D12E57ACD"; fast_pattern:only; content:"DataPreview"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0446; classtype:attempted-user; sid:35444; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"69ADBDBE-2035-4144-B52E-14753EB07CE9"; fast_pattern:only; content:"MulticastAddr"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,75405; reference:cve,2015-4648; classtype:attempted-user; sid:35559; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"69ADBDBE-2035-4144-B52E-14753EB07CE9"; fast_pattern:only; content:"MulticastAddr"; nocase; metadata:service smtp; reference:bugtraq,75405; reference:cve,2015-4648; classtype:attempted-user; sid:35558; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Ipropsapi.ipropsapiCtrl"; fast_pattern:only; content:"MulticastAddr"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,75405; reference:cve,2015-4648; classtype:attempted-user; sid:35557; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"Ipropsapi.ipropsapiCtrl"; fast_pattern:only; content:"MulticastAddr"; nocase; metadata:service smtp; reference:bugtraq,75405; reference:cve,2015-4648; classtype:attempted-user; sid:35556; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Panasonic Security API SDK Ipropsapi ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"Ipropsapi.ipropsapiCtrl"; fast_pattern:only; pcre:"/(FilePassword|GetInfoString)/i"; metadata:service smtp; reference:bugtraq,75409; reference:cve,2015-4647; classtype:attempted-user; sid:35623; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Panasonic Security API SDK Ipropsapi ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Ipropsapi.ipropsapiCtrl"; fast_pattern:only; pcre:"/(FilePassword|GetInfoString)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,75409; reference:cve,2015-4647; classtype:attempted-user; sid:35622; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Panasonic Security API SDK Ipropsapi ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"69ADBDBE-2035-4144-B52E-14753EB07CE9"; fast_pattern:only; pcre:"/(FilePassword|GetInfoString)/i"; metadata:service smtp; reference:bugtraq,75409; reference:cve,2015-4647; classtype:attempted-user; sid:35621; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Panasonic Security API SDK Ipropsapi ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"69ADBDBE-2035-4144-B52E-14753EB07CE9"; fast_pattern:only; pcre:"/(FilePassword|GetInfoString)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,75409; reference:cve,2015-4647; classtype:attempted-user; sid:35620; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS NetIQ SafeShellExecute ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"NetIQExecObject.NetIQExec"; fast_pattern:only; content:"SafeShellExecute"; nocase; metadata:service smtp; reference:cve,2015-0795; classtype:attempted-user; sid:35617; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NetIQ SafeShellExecute ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"NetIQExecObject.NetIQExec"; fast_pattern:only; content:"SafeShellExecute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0795; classtype:attempted-user; sid:35616; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS NetIQ SafeShellExecute ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"F7859572-CD8C-11D5-AFC6-009027888EC0"; fast_pattern:only; content:"SafeShellExecute"; nocase; metadata:service smtp; reference:cve,2015-0795; classtype:attempted-user; sid:35615; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NetIQ SafeShellExecute ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"F7859572-CD8C-11D5-AFC6-009027888EC0"; fast_pattern:only; content:"SafeShellExecute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0795; classtype:attempted-user; sid:35614; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Data Quality Trillium TSS12.LoaderWizard.lwctrl ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"TSS12.LoaderWizard.lwctrl"; fast_pattern:only; pcre:"/(SetEntities|SetBasicPreviewData)/i"; metadata:service smtp; reference:bugtraq,75803; reference:bugtraq,75806; reference:cve,2015-0444; reference:cve,2015-4759; classtype:attempted-user; sid:35700; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Data Quality Trillium TSS12.LoaderWizard.lwctrl ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"TSS12.LoaderWizard.lwctrl"; fast_pattern:only; pcre:"/(SetEntities|SetBasicPreviewData)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,75803; reference:bugtraq,75806; reference:cve,2015-0444; reference:cve,2015-4759; classtype:attempted-user; sid:35699; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Data Quality Trillium TSS12.LoaderWizard.lwctrl ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"357DB9E3-72A6-41AA-9BA5-4A9D12E57ACD"; fast_pattern:only; pcre:"/(SetEntities|SetBasicPreviewData)/i"; metadata:service smtp; reference:bugtraq,75803; reference:bugtraq,75806; reference:cve,2015-0444; reference:cve,2015-4759; classtype:attempted-user; sid:35698; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Data Quality Trillium TSS12.LoaderWizard.lwctrl ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"357DB9E3-72A6-41AA-9BA5-4A9D12E57ACD"; fast_pattern:only; pcre:"/(SetEntities|SetBasicPreviewData)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,75803; reference:bugtraq,75806; reference:cve,2015-0444; reference:cve,2015-4759; classtype:attempted-user; sid:35697; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,2525,587] (msg:"BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt"; flow:to_server,established; file_data; content:"generateCRMFRequest"; fast_pattern:only; content:"WScript"; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,61900; reference:cve,2013-1710; reference:url,mozilla.org/security/announce/2013/mfsa2013-69.html; reference:url,rapid7.com/db/modules/exploit/multi/browser/firefox_tostring_console_injection; classtype:attempted-user; sid:35686; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt"; flow:to_client,established; file_data; content:"generateCRMFRequest"; fast_pattern:only; content:"WScript"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,61900; reference:cve,2013-1710; reference:url,mozilla.org/security/announce/2013/mfsa2013-69.html; reference:url,rapid7.com/db/modules/exploit/multi/browser/firefox_tostring_console_injection; classtype:attempted-user; sid:35685; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"MicWebAjax.GeneralEventHandler"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-2368; classtype:attempted-user; sid:36119; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MicWebAjax.GeneralEventHandler"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2368; classtype:attempted-user; sid:36118; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"FDE39A6A-F2CA-49C3-9047-CB7F70EC2D58"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-2368; classtype:attempted-user; sid:36117; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FDE39A6A-F2CA-49C3-9047-CB7F70EC2D58"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2368; classtype:attempted-user; sid:36116; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access"; flow:to_server,established; file_data; content:"AspVCObj.AspDataDriven"; fast_pattern:only; content:"InterfaceFilter"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-9208; reference:url,ics-cert.us-cert.gov/advisories/ICSA-15-251-01; reference:url,seclists.org/fulldisclosure/2015/Sep/20; classtype:attempted-user; sid:36112; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access"; flow:to_server,established; file_data; content:"89D00354-B2EA-4755-915D-615D3962C7D7"; fast_pattern:only; content:"InterfaceFilter"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-9208; reference:url,ics-cert.us-cert.gov/advisories/ICSA-15-251-01; reference:url,seclists.org/fulldisclosure/2015/Sep/20; classtype:attempted-user; sid:36111; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access"; flow:to_client,established; file_data; content:"AspVCObj.AspDataDriven"; fast_pattern:only; content:"InterfaceFilter"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9208; reference:url,ics-cert.us-cert.gov/advisories/ICSA-15-251-01; reference:url,seclists.org/fulldisclosure/2015/Sep/20; classtype:attempted-user; sid:36110; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access"; flow:to_client,established; file_data; content:"89D00354-B2EA-4755-915D-615D3962C7D7"; fast_pattern:only; content:"InterfaceFilter"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9208; reference:url,ics-cert.us-cert.gov/advisories/ICSA-15-251-01; reference:url,seclists.org/fulldisclosure/2015/Sep/20; classtype:attempted-user; sid:36109; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"DA56F851-D3C5-11D3-844C-00C04F7A06E5"; fast_pattern:only; metadata:service smtp; reference:cve,2006-4697; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:36320; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Touch22 Software Image22 DrawIcon ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"1DC09FDF-2EF8-4CE9-ADEA-4D6A98A2F779"; fast_pattern:only; content:"DrawIcon"; nocase; metadata:service smtp; reference:bugtraq,41547; classtype:attempted-user; sid:36350; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Touch22 Software Image22 DrawIcon ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"1DC09FDF-2EF8-4CE9-ADEA-4D6A98A2F779"; fast_pattern:only; content:"DrawIcon"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,41547; classtype:attempted-user; sid:36349; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"3bee4890-4fe9-4a37-8c1e-5e7e12791c1f"; fast_pattern:only; metadata:service smtp; reference:cve,2007-0675; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-032; classtype:attempted-user; sid:36434; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"47206204-5eca-11d2-960f-00c04f8ee628"; fast_pattern:only; metadata:service smtp; reference:cve,2007-0675; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-032; classtype:attempted-user; sid:36433; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; fast_pattern:only; metadata:service smtp; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36491; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36490; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; fast_pattern:only; metadata:service smtp; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36489; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; fast_pattern:only; metadata:service smtp; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36488; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36487; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; fast_pattern:only; metadata:service smtp; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36486; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36485; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; fast_pattern:only; metadata:service smtp; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36484; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"CreateObject"; nocase; content:"TeeChart.TChart"; within:50; nocase; metadata:service smtp; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36483; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"CreateObject"; nocase; content:"TeeChart.TChart"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36482; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ActiveXObject"; nocase; content:"TeeChart.TChart"; within:50; nocase; metadata:service smtp; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36481; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric TeeChart ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"TeeChart.TChart"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50837; reference:cve,2011-4034; reference:url,scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page; classtype:attempted-user; sid:36480; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access"; flow:to_server,established; file_data; content:"AspVCObj.AspDataDriven"; fast_pattern:only; content:"ConvToSafeArray"; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,76672; reference:cve,2014-9208; classtype:attempted-user; sid:36475; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access"; flow:to_client,established; file_data; content:"AspVCObj.AspDataDriven"; fast_pattern:only; content:"ConvToSafeArray"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76672; reference:cve,2014-9208; classtype:attempted-user; sid:36474; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access"; flow:to_server,established; file_data; content:"89D00354-B2EA-4755-915D-615D3962C7D7"; fast_pattern:only; content:"ConvToSafeArray"; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,76672; reference:cve,2014-9208; classtype:attempted-user; sid:36473; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access"; flow:to_client,established; file_data; content:"89D00354-B2EA-4755-915D-615D3962C7D7"; fast_pattern:only; content:"ConvToSafeArray"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76672; reference:cve,2014-9208; classtype:attempted-user; sid:36472; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access"; flow:to_server,established; file_data; content:"4B3476C6-185A-4D19-BB09-718B565FA67B"; fast_pattern:only; content:"SetText"; nocase; metadata:service smtp; classtype:attempted-user; sid:36517; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access"; flow:to_server,established; file_data; content:"4B3476C6-185A-4D19-BB09-718B565FA67B"; fast_pattern:only; content:"ConvertFile"; nocase; metadata:service smtp; classtype:attempted-user; sid:36516; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access"; flow:to_client,established; file_data; content:"4B3476C6-185A-4D19-BB09-718B565FA67B"; fast_pattern:only; content:"SetText"; nocase; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:36515; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access"; flow:to_client,established; file_data; content:"4B3476C6-185A-4D19-BB09-718B565FA67B"; fast_pattern:only; content:"ConvertFile"; nocase; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:36514; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"IERPCtl.IERPCtl.1"; fast_pattern:only; content:"Import"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26130; reference:bugtraq,30379; reference:cve,2007-5601; reference:cve,2008-3066; classtype:attempted-user; sid:36496; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"IERPCtl.IERPCtl.1"; fast_pattern:only; content:"Import"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26130; reference:bugtraq,30379; reference:cve,2007-5601; reference:cve,2008-3066; classtype:attempted-user; sid:36495; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt"; flow:to_server,established; file_data; content:"AnnotationX.AnnList"; fast_pattern:only; content:"Add"; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,52765; reference:cve,2012-5896; classtype:attempted-user; sid:36534; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"EF600D71-358F-11D1-8FD4-00AA00BD091C"; fast_pattern:only; content:"Add"; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,52765; reference:cve,2012-5896; classtype:attempted-user; sid:36533; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access"; flow:to_server,established; file_data; content:"AspVCObj.AspDataDriven"; fast_pattern:only; content:"GetWideStrCpy"; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,76672; reference:cve,2014-9208; classtype:attempted-user; sid:36621; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access"; flow:to_server,established; file_data; content:"89D00354-B2EA-4755-915D-615D3962C7D7"; fast_pattern:only; content:"GetWideStrCpy"; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,76672; reference:cve,2014-9208; classtype:attempted-user; sid:36620; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access"; flow:to_client,established; file_data; content:"AspVCObj.AspDataDriven"; fast_pattern:only; content:"GetWideStrCpy"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76672; reference:cve,2014-9208; classtype:attempted-user; sid:36619; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access"; flow:to_client,established; file_data; content:"89D00354-B2EA-4755-915D-615D3962C7D7"; fast_pattern:only; content:"GetWideStrCpy"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76672; reference:cve,2014-9208; classtype:attempted-user; sid:36618; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"TTF161.TTF1.6"; fast_pattern:only; content:"SetDevNames"; nocase; metadata:service smtp; reference:cve,2011-5167; classtype:attempted-user; sid:36648; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"B0475003-7740-11D1-BDC3-0020AF9F8E6E"; fast_pattern:only; content:"SetDevNames"; nocase; metadata:service smtp; reference:cve,2011-5167; classtype:attempted-user; sid:36647; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access"; flow:to_server,established; file_data; content:"0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53879; reference:cve,2012-2175; classtype:attempted-user; sid:36646; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access"; flow:to_client,established; file_data; content:"0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53879; reference:cve,2012-2175; classtype:attempted-user; sid:36645; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access"; flow:to_server,established; file_data; content:"dwa85.dwa85"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53879; reference:cve,2012-2175; classtype:attempted-user; sid:36644; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"WEBVACT.WEBVACTCtrl"; fast_pattern:only; content:"AccessCode"; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,66728; reference:cve,2014-0767; classtype:attempted-user; sid:36643; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"3A24F97F-25F7-4A6B-B1FF-213399A11D5B"; fast_pattern:only; content:"AccessCode"; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,66728; reference:cve,2014-0767; classtype:attempted-user; sid:36642; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"WEBVACT.WEBVACTCtrl"; fast_pattern:only; content:"AccessCode"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66728; reference:cve,2014-0767; classtype:attempted-user; sid:36641; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"3A24F97F-25F7-4A6B-B1FF-213399A11D5B"; fast_pattern:only; content:"AccessCode"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66728; reference:cve,2014-0767; classtype:attempted-user; sid:36640; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access"; flow:to_server,established; file_data; content:"WEBVACT.WEBVACTCtrl"; fast_pattern:only; content:"GotoCmd"; nocase; metadata:service smtp; reference:bugtraq,66722; reference:cve,2014-0765; classtype:attempted-user; sid:36665; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access"; flow:to_server,established; file_data; content:"3A24F97F-25F7-4A6B-B1FF-213399A11D5B"; fast_pattern:only; content:"GotoCmd"; nocase; metadata:service smtp; reference:bugtraq,66722; reference:cve,2014-0765; classtype:attempted-user; sid:36664; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access"; flow:to_client,established; file_data; content:"WEBVACT.WEBVACTCtrl"; fast_pattern:only; content:"GotoCmd"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,66722; reference:cve,2014-0765; classtype:attempted-user; sid:36663; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access"; flow:to_client,established; file_data; content:"3A24F97F-25F7-4A6B-B1FF-213399A11D5B"; fast_pattern:only; content:"GotoCmd"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66722; reference:cve,2014-0765; classtype:attempted-user; sid:36662; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access"; flow:to_server,established; file_data; content:"DE7DA0B5-7D7B-4CEA-8739-65CF600D511E"; fast_pattern:only; metadata:policy security-ips alert, service smtp; reference:bugtraq,65038; reference:cve,2013-6040; classtype:attempted-user; sid:36654; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access"; flow:to_client,established; file_data; content:"DE7DA0B5-7D7B-4CEA-8739-65CF600D511E"; fast_pattern:only; metadata:policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65038; reference:cve,2013-6040; classtype:attempted-user; sid:36653; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access"; flow:to_server,established; file_data; content:"DHTMLSafe.DHTMLSafe"; fast_pattern:only; content:"LoadURL"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,116; reference:bugtraq,12602; reference:bugtraq,1474; reference:bugtraq,36280; reference:cve,1999-0487; reference:cve,2005-0500; reference:cve,2009-2519; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-011; classtype:attempted-user; sid:36783; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access"; flow:to_server,established; file_data; content:"2D360201-FFF5-11D1-8D03-00A0C959BC0A"; fast_pattern:only; content:"LoadURL"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,116; reference:bugtraq,12602; reference:bugtraq,1474; reference:bugtraq,36280; reference:cve,1999-0487; reference:cve,2005-0500; reference:cve,2009-2519; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-011; classtype:attempted-user; sid:36782; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access"; flow:to_server,established; file_data; content:"AE24FDAE-03C6-11D1-8B76-0080C744F389"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-3331; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:36772; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Visual FoxPro ActiveX clsid access"; flow:to_server,established; file_data; content:"EF28418F-FFB2-11D0-861A-00A0C903A97F"; fast_pattern:only; metadata:service smtp; reference:bugtraq,25571; reference:bugtraq,25977; reference:cve,2007-4790; reference:cve,2007-5322; classtype:attempted-user; sid:36792; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IDAutomation IDAuto.Aztec ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"EBA15B30-80B4-11DC-B31D-0050C2490048"; fast_pattern:only; pcre:"/Save(BarCode|EnhWMF)/i"; metadata:policy security-ips drop, service smtp; reference:cve,2008-2283; classtype:attempted-user; sid:36872; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IDAutomation IDAuto.Aztec ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"EBA15B30-80B4-11DC-B31D-0050C2490048"; fast_pattern:only; pcre:"/Save(BarCode|EnhWMF)/i"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2283; classtype:attempted-user; sid:36871; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IDAutomation IDAuto.PDF417 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0"; fast_pattern:only; pcre:"/Save(BarCode|EnhWMF)/i"; metadata:policy security-ips drop, service smtp; reference:cve,2008-2283; classtype:attempted-user; sid:36870; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IDAutomation IDAuto.PDF417 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0"; fast_pattern:only; pcre:"/Save(BarCode|EnhWMF)/i"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2283; classtype:attempted-user; sid:36869; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IDAutomation IDAuto.BarCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"0C3874AA-AB39-4B5E-A768-45F3CE6C6819"; fast_pattern:only; pcre:"/Save(BarCode|EnhWMF)/i"; metadata:policy security-ips drop, service smtp; reference:cve,2008-2283; classtype:attempted-user; sid:36868; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IDAutomation IDAuto.Datamatrix ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"DB67DB99-616A-4CAB-A3A1-2EF644F254E7"; fast_pattern:only; pcre:"/Save(BarCode|EnhWMF)/i"; metadata:policy security-ips drop, service smtp; reference:cve,2008-2283; classtype:attempted-user; sid:36867; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IDAutomation IDAuto.Datamatrix ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"DB67DB99-616A-4CAB-A3A1-2EF644F254E7"; fast_pattern:only; pcre:"/Save(BarCode|EnhWMF)/i"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2283; classtype:attempted-user; sid:36866; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IDAutomation IDAuto.BarCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"0C3874AA-AB39-4B5E-A768-45F3CE6C6819"; fast_pattern:only; pcre:"/Save(BarCode|EnhWMF)/i"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2283; classtype:attempted-user; sid:36865; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS ClearQuest session ActiveX control access"; flow:established,to_server; file_data; content:"CLEARQUEST.SESSION"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0708; classtype:attempted-user; sid:36892; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS ClearQuest session ActiveX control access"; flow:established,to_server; file_data; content:"94773112-72E8-11D0-A42E-00A024DED613"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0708; classtype:attempted-user; sid:36891; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"FBAB033B-CDD0-4C5E-81AB-AEA575CD1338"; fast_pattern:only; metadata:service smtp; reference:cve,2007-0940; classtype:attempted-user; sid:37044; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FBAB033B-CDD0-4C5E-81AB-AEA575CD1338"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0940; classtype:attempted-user; sid:37043; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"CAPICOM.Certificates"; fast_pattern:only; metadata:service smtp; reference:cve,2007-0940; classtype:attempted-user; sid:37042; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"17E3A1C3-EA8A-4970-AF29-7F54610B1D4C"; fast_pattern:only; metadata:service smtp; reference:cve,2007-0940; classtype:attempted-user; sid:37041; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"17E3A1C3-EA8A-4970-AF29-7F54610B1D4C"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0940; classtype:attempted-user; sid:37040; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MW6 Technologies Barcode.dll ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"Barcode.MW6Barcode"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,33451; reference:cve,2008-4924; reference:cve,2009-0298; classtype:attempted-user; sid:37023; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MW6 Technologies Barcode.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Barcode.MW6Barcode"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33451; reference:cve,2008-4924; reference:cve,2009-0298; classtype:attempted-user; sid:37022; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MW6 Technologies Barcode.dll ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"14D09688-CFA7-11D5-995A-005004CE563B"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,33451; reference:cve,2008-4924; reference:cve,2009-0298; classtype:attempted-user; sid:37021; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS AAA EasyGrid DoSaveFile ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"EasyGrid.SGCtrl.32"; fast_pattern:only; content:"DoSaveFile"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2009-0134; classtype:attempted-user; sid:37008; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AAA EasyGrid DoSaveFile ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"EasyGrid.SGCtrl.32"; fast_pattern:only; content:"DoSaveFile"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0134; classtype:attempted-user; sid:37007; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS AAA EasyGrid DoSaveFile ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; fast_pattern:only; content:"DoSaveFile"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2009-0134; classtype:attempted-user; sid:37006; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AAA EasyGrid DoSaveFile ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; fast_pattern:only; content:"DoSaveFile"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0134; classtype:attempted-user; sid:37005; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt"; flow:to_server,established; file_data; content:"|E5 3D 0F 6C 36 58 2C 22 4C D5 43 63 94 D9 82 69 B9 03 6D 79 CF 2B 6E D2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-006; classtype:attempted-user; sid:37268; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt"; flow:to_client,established; file_data; content:"|E5 3D 0F 6C 36 58 2C 22 4C D5 43 63 94 D9 82 69 B9 03 6D 79 CF 2B 6E D2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-006; classtype:attempted-user; sid:37267; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"F1BookView"; fast_pattern:only; pcre:"/(AttachToSS|CopyAll|CopyRange|CopyRangeEx|SwapTable)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8561; classtype:attempted-user; sid:37515; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"F1BookView"; fast_pattern:only; pcre:"/(AttachToSS|CopyAll|CopyRange|CopyRangeEx|SwapTable)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8561; classtype:attempted-user; sid:37514; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"13E51031-A52B-11D0-86DA-00608CB9FBFB"; fast_pattern:only; pcre:"/(AttachToSS|CopyAll|CopyRange|CopyRangeEx|SwapTable)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8561; classtype:attempted-user; sid:37513; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"13E51031-A52B-11D0-86DA-00608CB9FBFB"; fast_pattern:only; pcre:"/(attachToSS|CopyAll|CopyRange|CopyRangeEx|SwapTable)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8561; classtype:attempted-user; sid:37512; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"mdsauth.dll"; fast_pattern:only; content:"SaveAs"; nocase; metadata:service smtp; reference:cve,2007-2221; classtype:attempted-user; sid:37510; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"mdsauth.dll"; fast_pattern:only; content:"SaveAs"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-2221; classtype:attempted-user; sid:37509; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"D4FE6227-1288-11D0-9097-00AA004254A0"; fast_pattern:only; content:"SaveAs"; nocase; metadata:service smtp; reference:cve,2007-2221; classtype:attempted-user; sid:37508; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"D4FE6227-1288-11D0-9097-00AA004254A0"; fast_pattern:only; content:"SaveAs"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-2221; classtype:attempted-user; sid:37507; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"SolidEdge.WebPartHelper"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60158; classtype:attempted-user; sid:37544; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"DD568718-FF20-48EA-973F-0BD5C9FCA522"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60158; classtype:attempted-user; sid:37543; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"SEListCtrlX"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60161; classtype:attempted-user; sid:37542; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60161; classtype:attempted-user; sid:37541; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"SolidEdge.WebPartHelper"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60158; classtype:attempted-user; sid:37540; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"DD568718-FF20-48EA-973F-0BD5C9FCA522"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60158; classtype:attempted-user; sid:37539; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"SEListCtrlX"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60161; classtype:attempted-user; sid:37538; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60161; classtype:attempted-user; sid:37537; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS SizerOne ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"2315B059-EDD7-4C66-933C-ECFF5B9DD593"; fast_pattern:only; content:"AddTab"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33148; reference:cve,2008-4827; classtype:attempted-user; sid:37625; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"VSFlexGrid8.VSFlexGridL"; fast_pattern:only; content:"ComboList"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,59557; reference:bugtraq,64095; reference:bugtraq,66116; reference:cve,2012-5945; reference:cve,2013-5057; reference:cve,2014-0895; classtype:attempted-user; sid:37678; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"0f026c11-5a66-4c2b-87b5-88ddebae72a1"; fast_pattern:only; content:"ComboList"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,59557; reference:bugtraq,64095; reference:bugtraq,66116; reference:cve,2012-5945; reference:cve,2013-5057; reference:cve,2014-0895; classtype:attempted-user; sid:37677; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Unitronics VisiLogic TeeChart Pro ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"TeeChart.TeeCommander"; fast_pattern:only; content:"ChartLink"; nocase; metadata:service smtp; reference:cve,2015-6478; reference:url,ics-cert.us-cert.gov/advisories/ICSA-15-274-02A; classtype:attempted-user; sid:37714; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Unitronics VisiLogic TeeChart Pro ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"TeeChart.TeeCommander"; fast_pattern:only; content:"ChartLink"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6478; reference:url,ics-cert.us-cert.gov/advisories/ICSA-15-274-02A; classtype:attempted-user; sid:37713; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS HP LoadRunner ActiveX function call access attempt"; flow:to_server,established; file_data; content:"HP_LR_FileIOService"; fast_pattern:only; content:"WriteFileBinary"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-2370; classtype:attempted-user; sid:37827; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP LoadRunner ActiveX function call access attempt"; flow:to_client,established; file_data; content:"HP_LR_FileIOService"; fast_pattern:only; content:"WriteFileBinary"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2370; classtype:attempted-user; sid:37826; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS InformationCardSigninHelper ActiveX function call access"; flow:established,to_server; file_data; content:"InformationCardSigninHelper"; fast_pattern:only; content:".requiredClaims"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3918; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-090; classtype:attempted-user; sid:37823; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS InformationCardSigninHelper ActiveX clsid access"; flow:established,to_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; fast_pattern:only; content:".requiredClaims"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3918; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-090; classtype:attempted-user; sid:37822; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.zip&file.silverlight; file_data; content:".dll|ED 7B 7B 74 1C E7 75 DF 9D D9 DD D9 17 00 72 01 E2 45 BC 16 A0 28 2E 09 60 F1 24 40 52 24 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58327; reference:cve,2013-0074; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-022; classtype:attempted-user; sid:37801; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_server,established; file_data; content:"a9d7038d-b5ed-472e-9c47-94bea90a5910"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:38011; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_server,established; file_data; content:"MsTsAx.MsTsAx."; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:38010; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_server,established; file_data; content:"MsRDP.MsRDP."; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:38009; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_server,established; file_data; content:"971127BB-259F-48c2-BD75-5F97A3331551"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:38008; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_server,established; file_data; content:"9059f30f-4eb1-4bd2-9fdc-36f43a218f4a"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:38007; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_server,established; file_data; content:"7584c670-2274-4efb-b00b-d6aaba6d3850"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:38006; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_server,established; file_data; content:"7390f3d8-0439-4c05-91e3-cf5cb290c3d0"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:38005; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_server,established; file_data; content:"6A6F4B83-45C5-4ca9-BDD9-0D81C12295E4"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:38004; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_server,established; file_data; content:"54CE37E0-9834-41ae-9896-4DAB69DC022B"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:38003; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_server,established; file_data; content:"4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:38002; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt"; flow:to_server,established; file_data; content:"4EDCB26C-D24C-4e72-AF07-B576699AC0DE"; fast_pattern:only; content:"Settings"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58874; reference:cve,2013-1296; reference:cve,2013-1302; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-041; classtype:attempted-user; sid:38001; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IE MsRdpClient ActiveX attempt"; flow:to_server,established; file_data; content:"MsRdpClient"; fast_pattern:only; pcre:"/[\x22\x27]\s*MsRdpClient\s*[\x22\x27]/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1302; classtype:attempted-user; sid:38000; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IE MsRdpClient ActiveX attempt"; flow:to_server,established; file_data; content:"A9D7038D-B5ED-472E-9C47-94BEA90A591"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1302; classtype:attempted-user; sid:37999; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IE MsRdpClient ActiveX attempt"; flow:to_server,established; file_data; content:"7390F3D8-0439-4C05-91E3-CF5CB290C3D0"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1302; classtype:attempted-user; sid:37998; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IE MsRdpClient ActiveX attempt"; flow:to_client,established; file_data; content:"MsRdpClient"; fast_pattern:only; pcre:"/[\x22\x27]\s*MsRdpClient\s*[\x22\x27]/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1302; classtype:attempted-user; sid:37997; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IE MsRdpClient ActiveX attempt"; flow:to_client,established; file_data; content:"A9D7038D-B5ED-472E-9C47-94BEA90A591"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1302; classtype:attempted-user; sid:37996; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IE MsRdpClient ActiveX attempt"; flow:to_client,established; file_data; content:"7390F3D8-0439-4C05-91E3-CF5CB290C3D0"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1302; classtype:attempted-user; sid:37995; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Attachmate Reflection ActiveX buffer overflow function call attempt"; flow:to_server,established; file_data; content:"R1winCtrl"; fast_pattern:only; content:"r2axctrl"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:url,www.exploit-db.com/exploits/12650/; classtype:attempted-user; sid:37902; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Attachmate Reflection ActiveX buffer overflow function call attempt"; flow:to_client,established; file_data; content:"R1winCtrl"; fast_pattern:only; content:"r2axctrl"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.exploit-db.com/exploits/12650/; classtype:attempted-user; sid:37901; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Attachmate Reflection ActiveX buffer overflow clsid attempt"; flow:to_server,established; file_data; content:"15B168B2-AD3C-11D1-A8D8-00A0C9200E61"; fast_pattern:only; content:"r2axctrl"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:url,www.exploit-db.com/exploits/12650/; classtype:attempted-user; sid:37900; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Attachmate Reflection ActiveX buffer overflow clsid attempt"; flow:to_client,established; file_data; content:"15B168B2-AD3C-11D1-A8D8-00A0C9200E61"; fast_pattern:only; content:"r2axctrl"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.exploit-db.com/exploits/12650/; classtype:attempted-user; sid:37899; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM Tivoli Provisioning Manager Express ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"Isig.isigCtl"; fast_pattern:only; content:"RunAndUploadFile"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0198; classtype:attempted-user; sid:37885; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM Tivoli Provisioning Manager Express ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"84B74E82-3475-420E-9949-773B4FB91771"; fast_pattern:only; content:"RunAndUploadFile"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0198; classtype:attempted-user; sid:37884; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM SizerOne ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"C1Tab.C1Tab"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59559; reference:cve,2012-5946; classtype:attempted-user; sid:37883; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM SizerOne ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"C1Tab.C1Tab"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59559; reference:cve,2012-5946; classtype:attempted-user; sid:37882; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Novell ZENworks LaunchHelp.dll ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"LaunchHelp.HelpLauncher"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2657; reference:url,www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1; classtype:attempted-user; sid:37875; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Novell ZENworks LaunchHelp.dll ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"7A758D94-E900-11D5-8467-00B0D023B202"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2657; reference:url,www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1; classtype:attempted-user; sid:37874; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; fast_pattern:only; pcre:"/(BrowseAndSaveFile|RunCMD)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36698; reference:bugtraq,37092; reference:cve,2009-3031; reference:cve,2009-3033; classtype:attempted-user; sid:16587; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"WESPDiscovery.WESPDiscoveryCtrl"; fast_pattern:only; content:"TCPDiscovery"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72843; reference:cve,2015-2100; classtype:attempted-user; sid:38155; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"BC2CAA45-7DBB-4459-9013-3E7A2C933D21"; fast_pattern:only; content:"TCPDiscovery"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72843; reference:cve,2015-2100; classtype:attempted-user; sid:38154; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"WESPDiscovery.WESPDiscoveryCtrl"; fast_pattern:only; content:"TCPDiscovery"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72843; reference:cve,2015-2100; classtype:attempted-user; sid:38153; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"BC2CAA45-7DBB-4459-9013-3E7A2C933D21"; fast_pattern:only; content:"TCPDiscovery"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72843; reference:cve,2015-2100; classtype:attempted-user; sid:38152; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"Altiris.AeXNSConsoleUtilities"; fast_pattern:only; pcre:"/(BrowseAndSaveFile|RunCMD)/i"; metadata:service smtp; reference:bugtraq,36698; reference:bugtraq,37092; reference:cve,2009-3031; reference:cve,2009-3033; classtype:attempted-user; sid:38151; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"TomSawyer.TSUnicodeGraphEditorControl"; fast_pattern:only; content:"loadExtensionFactory"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72600; reference:cve,2015-1500; classtype:attempted-user; sid:38149; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"838C3A5C-EC12-409E-867A-0F1B296E99A4"; fast_pattern:only; content:"loadExtensionFactory"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72600; reference:cve,2015-1500; classtype:attempted-user; sid:38148; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"TomSawyer.TSUnicodeGraphEditorControl"; fast_pattern:only; content:"loadExtensionFactory"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72600; reference:cve,2015-1500; classtype:attempted-user; sid:38147; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"838C3A5C-EC12-409E-867A-0F1B296E99A4"; fast_pattern:only; content:"loadExtensionFactory"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72600; reference:cve,2015-1500; classtype:attempted-user; sid:38146; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt"; flow:to_server,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; nocase; content:"poc|2E|avi"; fast_pattern:only; content:"event|3D 22|playStateChange|28|foo|29 22 3E|boom"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:38144; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt"; flow:to_server,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; nocase; content:"SendPlayStateChangeEvents"; fast_pattern:only; content:"event=|22|playStateChange|28|state|29 22|>onstatechange"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:38143; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt"; flow:to_server,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; fast_pattern:only; content:".appendChild"; nocase; content:".removeChild"; within:100; nocase; content:"delete"; within:100; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:38142; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; fast_pattern:only; content:".appendChild"; nocase; content:".removeChild"; within:100; nocase; content:"delete"; within:100; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:38141; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"WESPPLAYBACK.WESPPlaybackCtrl"; fast_pattern:only; content:"GetThumbnail"; nocase; metadata:service smtp; reference:bugtraq,72834; reference:cve,2015-2099; classtype:attempted-user; sid:38233; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"4E14C449-A61A-4BF7-8082-65A91298A6D8"; fast_pattern:only; content:"GetThumbnail"; nocase; metadata:service smtp; reference:bugtraq,72834; reference:cve,2015-2099; classtype:attempted-user; sid:38232; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"WESPPLAYBACK.WESPPlaybackCtrl"; fast_pattern:only; content:"GetThumbnail"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,72834; reference:cve,2015-2099; classtype:attempted-user; sid:38231; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"4E14C449-A61A-4BF7-8082-65A91298A6D8"; fast_pattern:only; content:"GetThumbnail"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,72834; reference:cve,2015-2099; classtype:attempted-user; sid:38230; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"3A24F97F-25F7-4A6B-B1FF-213399A11D5B"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:38384; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt"; flow:established,to_client; file_data; content:"3A24F97F-25F7-4A6B-B1FF-213399A11D5B"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38383; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"13E51031-A52B-11D0-86DA-00608CB9FBFB"; fast_pattern:only; pcre:"/(Attach|DefinedName|DefinedNameLocal|ODBCPrepareEx|ObjCreatePolygon|SetTabbedTextEx|SetValidationRule)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7918; classtype:attempted-user; sid:38436; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"13E51031-A52B-11D0-86DA-00608CB9FBFB"; fast_pattern:only; pcre:"/(Attach|DefinedName|DefinedNameLocal|ODBCPrepareEx|ObjCreatePolygon|SetTabbedTextEx|SetValidationRule)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7918; classtype:attempted-user; sid:38435; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft XML Core Services ActiveX control use after free attempt"; flow:to_server,established; file_data; content:"Msxml2.DOMDocument.3.0"; fast_pattern:only; content:"loadXML"; nocase; content:"ELEMENT"; content:"ref"; within:10; content:"EMPTY"; within:10; content:"DOCTYPE"; content:"root"; within:10; content:"ELEMENT"; within:25; content:"root"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-040; classtype:attempted-user; sid:38464; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft XML Core Services ActiveX control use after free attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.3.0"; fast_pattern:only; content:"loadXML"; nocase; content:"ELEMENT"; content:"ref"; within:10; content:"EMPTY"; within:10; content:"DOCTYPE"; content:"root"; within:10; content:"ELEMENT"; within:25; content:"root"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-040; classtype:attempted-user; sid:38463; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX function call access attempt"; flow:to_server,established; file_data; content:"NavComUI.AxSysListView32OAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:38540; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"FAF02D9B-963D-43D8-91A6-E71383503FDA"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:38539; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX function call access attempt"; flow:to_server,established; file_data; content:"NavComUI.AxSysListView32"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:38538; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"0A398EE6-277C-480D-BD4F-3288EA3AB8E2"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:38537; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2AFA9F10-0B6A-11D2-A250-00A024D8324D"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,61828; reference:cve,2013-5022; classtype:attempted-user; sid:29092; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"CW3DGraphLib.CWGraph3D"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:bugtraq,61828; reference:cve,2013-5022; classtype:attempted-user; sid:29508; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"2AFA9F10-0B6A-11D2-A250-00A024D8324D"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:bugtraq,61828; reference:cve,2013-5022; classtype:attempted-user; sid:29507; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"CW3DGraphLib.CWGraph3D"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,61828; reference:cve,2013-5022; classtype:attempted-user; sid:29506; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"B5D4B42F-AD6E-11D3-BE97-0090FE014643"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:39044; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"B5D4B42F-AD6E-11D3-BE97-0090FE014643"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:39043; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS National Instruments ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"B68DBFAB-16A0-11CE-80BF-0020AF31CEF9"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2013-5025; classtype:attempted-user; sid:39042; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS National Instruments ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"B68DBFAB-16A0-11CE-80BF-0020AF31CEF9"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5025; classtype:attempted-user; sid:39041; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"9EB8768B-CDFA-44DF-8F3E-857A8405E1DB"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:39039; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"9EB8768B-CDFA-44DF-8F3E-857A8405E1DB"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:39038; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Siemens Automation License Manager ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"E57AF4A2-EF57-41D0-8512-FECDA78F1FE7"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2011-4529; classtype:attempted-user; sid:39055; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Siemens Automation License Manager ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"E57AF4A2-EF57-41D0-8512-FECDA78F1FE7"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-4529; classtype:attempted-user; sid:39054; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Tivoli Provisioning Manager Express ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"RunAndUploadFile"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0198; classtype:attempted-user; sid:39168; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Tivoli Provisioning Manager Express ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"84B74E82-3475-420E-9949-773B4FB91771"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0198; classtype:attempted-user; sid:39167; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt"; flow:to_server,established; file_data; content:"VSFlexGrid.VSFlexGridL"; fast_pattern:only; content:"ComboList"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59556; reference:cve,2012-5947; classtype:attempted-user; sid:39377; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt"; flow:to_server,established; file_data; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; fast_pattern:only; content:"ComboList"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59556; reference:cve,2012-5947; classtype:attempted-user; sid:39376; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"AUTOVUE.AutoVueXCtrl.1"; fast_pattern:only; content:"ExportEdaBom"; nocase; metadata:service smtp; reference:bugtraq,50332; classtype:attempted-user; sid:39375; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"AUTOVUE.AutoVueXCtrl.1"; fast_pattern:only; content:"ExportEdaBom"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50332; classtype:attempted-user; sid:39374; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; fast_pattern:only; content:"ExportEdaBom"; nocase; metadata:service smtp; reference:bugtraq,50332; classtype:attempted-user; sid:39373; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; fast_pattern:only; content:"ExportEdaBom"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50332; classtype:attempted-user; sid:39372; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"TList.TList.6"; fast_pattern:only; content:"SaveData"; nocase; metadata:service smtp; reference:bugtraq,50476; classtype:attempted-user; sid:39384; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"TList.TList.6"; fast_pattern:only; content:"SaveData"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50476; classtype:attempted-user; sid:39383; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"65996200-3B87-11D4-A21F-00E029189826"; fast_pattern:only; content:"SaveData"; nocase; metadata:service smtp; reference:bugtraq,50476; classtype:attempted-user; sid:39382; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"65996200-3B87-11D4-A21F-00E029189826"; fast_pattern:only; content:"SaveData"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50476; classtype:attempted-user; sid:39381; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"C28A127E-4A85-11D3-A5FF-00A0249E352D"; fast_pattern:only; metadata:service smtp; reference:cve,2013-2817; classtype:attempted-user; sid:39880; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"C28A127E-4A85-11D3-A5FF-00A0249E352D"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2817; classtype:attempted-user; sid:39879; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Tom Sawyer GET Extension ActiveX function call access"; flow:to_server,established; file_data; content:"yrotcaFtxEtluafeD.reywaSmoT"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2217; classtype:attempted-user; sid:39896; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Tom Sawyer GET exetension ActiveX clsid access"; flow:to_client,established; file_data; content:"yrotcaFtxEtluafeD.reywaSmoT"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2217; classtype:attempted-user; sid:39895; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"850AF9FD-AA09-11D2-B6AF-006008750EEC"; fast_pattern:only; metadata:service smtp; reference:cve,2014-1848; classtype:attempted-user; sid:39892; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"850AF9FD-AA09-11D2-B6AF-006008750EEC"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1848; classtype:attempted-user; sid:39891; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"iStripChartX"; fast_pattern:only; content:"Exec"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.iocomp.com; classtype:attempted-user; sid:39935; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"D1120C80-28C7-11D3-85BF-00105AC8B715"; fast_pattern:only; content:"Exec"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.iocomp.com; classtype:attempted-user; sid:39934; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"iStripChartX"; fast_pattern:only; content:"Exec"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.iocomp.com; classtype:attempted-user; sid:39933; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"D1120C80-28C7-11D3-85BF-00105AC8B715"; fast_pattern:only; content:"Exec"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.iocomp.com; classtype:attempted-user; sid:39932; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS KingView clsid access attempt"; flow:to_server,established; file_data; content:"KChartXY"; fast_pattern:only; content:"SaveToFile"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2013-6128; classtype:attempted-user; sid:39917; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS KingView clsid access attempt"; flow:to_server,established; file_data; content:"A9A2011A-1E02-4242-AAE0-B239A6F88BAC"; fast_pattern:only; content:"SaveToFile"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2013-6128; classtype:attempted-user; sid:39916; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS KingView clsid access attempt"; flow:to_client,established; file_data; content:"KChartXY"; fast_pattern:only; content:"SaveToFile"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-6128; classtype:attempted-user; sid:39915; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS KingView clsid access attempt"; flow:to_client,established; file_data; content:"A9A2011A-1E02-4242-AAE0-B239A6F88BAC"; fast_pattern:only; content:"SaveToFile"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-6128; classtype:attempted-user; sid:39914; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS AcroPDF.PDF ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"AcroPDF.PDF"; fast_pattern:only; pcre:"/(execCommand|LoadFile|src|setLayoutMode|setNamedDest|setPageMode)/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,12989; reference:bugtraq,21155; reference:bugtraq,21338; reference:cve,2005-0035; reference:cve,2006-6027; reference:cve,2006-6236; reference:url,adobe.com/support/security/advisories/apsa06-02.html; reference:url,adobe.com/support/techdocs/331465.html; classtype:attempted-user; sid:40023; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS AcroPDF.PDF ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; fast_pattern:only; pcre:"/(execCommand|LoadFile|src|setLayoutMode|setNamedDest|setPageMode)/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,12989; reference:bugtraq,21155; reference:bugtraq,21338; reference:cve,2005-0035; reference:cve,2006-6027; reference:cve,2006-6236; reference:url,adobe.com/support/security/advisories/apsa06-02.html; reference:url,adobe.com/support/techdocs/331465.html; classtype:attempted-user; sid:40022; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"UCCPrint"; fast_pattern:only; content:"SaveToXdgFile"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,ucancode.net; classtype:attempted-user; sid:39973; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"A4FCBD44-6BF5-405C-9598-C8E8ADCE4488"; fast_pattern:only; content:"SaveToXdgFile"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,ucancode.net; classtype:attempted-user; sid:39972; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"UCCPrint"; fast_pattern:only; content:"SaveToXdgFile"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,ucancode.net; classtype:attempted-user; sid:39971; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"A4FCBD44-6BF5-405C-9598-C8E8ADCE4488"; fast_pattern:only; content:"SaveToXdgFile"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,ucancode.net; classtype:attempted-user; sid:39970; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Moxa VPort SDK PLUS ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"VPortSDK"; fast_pattern:only; content:"SetClientReg"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0986; classtype:attempted-user; sid:39966; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Moxa VPort SDK PLUS ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"064A0198-F3AB-478A-8C04-EE647284D9AE"; fast_pattern:only; content:"SetClientReg"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0986; classtype:attempted-user; sid:39965; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Moxa VPort SDK PLUS ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"VPortSDK"; fast_pattern:only; content:"SetClientReg"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0986; classtype:attempted-user; sid:39964; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Moxa VPort SDK PLUS ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"064A0198-F3AB-478A-8C04-EE647284D9AE"; fast_pattern:only; content:"SetClientReg"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0986; classtype:attempted-user; sid:39963; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"VideoDAQ"; fast_pattern:only; content:"WriteBmp"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,eastexploits.com/published/1036; classtype:attempted-user; sid:39962; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"C74A30E2-09B4-443B-B661-AD4F23781674"; fast_pattern:only; content:"WriteBmp"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,eastexploits.com/published/1036; classtype:attempted-user; sid:39961; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"VideoDAQ"; fast_pattern:only; content:"WriteBmp"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,eastexploits.com/published/1036; classtype:attempted-user; sid:39960; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"C74A30E2-09B4-443B-B661-AD4F23781674"; fast_pattern:only; content:"WriteBmp"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,eastexploits.com/published/1036; classtype:attempted-user; sid:39959; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"CNC_Ctrl"; fast_pattern:only; content:"rtsp_getdlsendtime"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8040; classtype:attempted-user; sid:40348; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"CNC_Ctrl"; fast_pattern:only; content:"rtsp_getdlsendtime"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8040; classtype:attempted-user; sid:40347; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; fast_pattern:only; content:"rtsp_getdlsendtime"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8040; classtype:attempted-user; sid:40346; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; fast_pattern:only; content:"rtsp_getdlsendtime"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8040; classtype:attempted-user; sid:40345; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt"; flow:to_server,established; file_data; content:"|60 84 EC 20 4B DE 29 F1 87 82 2C F9 8F 80 9C D5 BC 16 AC A6 2A C0 08 6D 57 1E F6 47 29 A9 3C 0F AF 8D 2A 2C 73 AB C2 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-006; classtype:attempted-user; sid:40814; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt"; flow:to_client,established; file_data; content:"|60 84 EC 20 4B DE 29 F1 87 82 2C F9 8F 80 9C D5 BC 16 AC A6 2A C0 08 6D 57 1E F6 47 29 A9 3C 0F AF 8D 2A 2C 73 AB C2 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-006; classtype:attempted-user; sid:40813; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,2525,587] (msg:"BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt"; flow:to_server,established; file_data; content:"generateCRMFRequest"; fast_pattern:only; content:"InstallTrigger."; content:"__exposedProps__"; within:150; content:"defineProperty|3A|"; within:200; metadata:service smtp; reference:bugtraq,61900; reference:cve,2013-1710; reference:url,mozilla.org/security/announce/2013/mfsa2013-69.html; reference:url,rapid7.com/db/modules/exploit/multi/browser/firefox_tostring_console_injection; classtype:attempted-user; sid:41423; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt"; flow:to_client,established; file_data; content:"generateCRMFRequest"; fast_pattern:only; content:"InstallTrigger."; content:"__exposedProps__"; within:150; content:"defineProperty|3A|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,61900; reference:cve,2013-1710; reference:url,mozilla.org/security/announce/2013/mfsa2013-69.html; reference:url,rapid7.com/db/modules/exploit/multi/browser/firefox_tostring_console_injection; classtype:attempted-user; sid:41422; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS NTR Check buffer overflow attempt"; flow:to_server,established; file_data; content:"E6ACF817-0A85-4EBE-9F0A-096C6488CFEA"; fast_pattern:only; content:"Check"; nocase; metadata:service smtp; reference:cve,2012-0266; reference:url,exploit-db.com/exploits/21841/; classtype:attempted-user; sid:41492; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NTR Check buffer overflow attempt"; flow:to_client,established; file_data; content:"E6ACF817-0A85-4EBE-9F0A-096C6488CFEA"; fast_pattern:only; content:"Check"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-0266; reference:url,exploit-db.com/exploits/21841/; classtype:attempted-user; sid:41491; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS NTR ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"lModule"; fast_pattern:only; content:"StopModule"; nocase; metadata:service smtp; reference:bugtraq,51374; reference:cve,2012-0267; classtype:attempted-user; sid:41503; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NTR ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"lModule"; fast_pattern:only; content:"StopModule"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,51374; reference:cve,2012-0267; classtype:attempted-user; sid:41502; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS NTR ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"E6ACF817-0A85-4EBE-9F0A-096C6488CFEA"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:bugtraq,51374; reference:cve,2012-0267; classtype:attempted-user; sid:41501; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS NTR ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"E6ACF817-0A85-4EBE-9F0A-096C6488CFEA"; fast_pattern:only; content:"StopModule"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51374; reference:cve,2012-0267; classtype:attempted-user; sid:41500; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS KingScada kxClientDownload ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"KxWebDownload_ocx"; fast_pattern:only; content:"ProjectURL"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2013-2827; classtype:attempted-user; sid:41669; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS KingScada kxClientDownload ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"1A90B808-6EEF-40FF-A94C-D7C43C847A9F"; fast_pattern:only; content:"ProjectURL"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2013-2827; classtype:attempted-user; sid:41668; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS KingScada kxClientDownload ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"KxWebDownload_ocx"; fast_pattern:only; content:"ProjectURL"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2827; classtype:attempted-user; sid:41667; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS KingScada kxClientDownload ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"1A90B808-6EEF-40FF-A94C-D7C43C847A9F"; fast_pattern:only; content:"ProjectURL"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2827; classtype:attempted-user; sid:41666; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ddactivereports"; fast_pattern:only; content:"SaveLayout"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2007-3982; classtype:attempted-user; sid:41806; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"9EB8768B-CDFA-44DF-8F3E-857A8405E1DB"; fast_pattern:only; content:"SaveLayout"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2007-3982; classtype:attempted-user; sid:41805; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ddactivereports"; fast_pattern:only; content:"SaveLayout"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3982; classtype:attempted-user; sid:41804; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"9EB8768B-CDFA-44DF-8F3E-857A8405E1DB"; fast_pattern:only; content:"SaveLayout"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3982; classtype:attempted-user; sid:41803; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPEvent access attempt"; flow:to_client,established; file_data; content:"WESPEvent.WESPEventCtrl"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2098; classtype:attempted-admin; sid:41838; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPEvent access attempt"; flow:to_server,established; content:"WESPEvent.WESPEventCtrl"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-2098; classtype:attempted-admin; sid:41837; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPEvent access attempt"; flow:to_server,established; file_data; content:"5A216ADB-3009-4211-AB77-F1857A99482C"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-2098; classtype:attempted-admin; sid:41836; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPEvent access attempt"; flow:to_client,established; file_data; content:"5A216ADB-3009-4211-AB77-F1857A99482C"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2098; classtype:attempted-admin; sid:41835; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPPTZ access attempt"; flow:to_server,established; file_data; content:"WESPPTZ.WESPPTZCtrl"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-2098; classtype:attempted-admin; sid:41834; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPPTZ access attempt"; flow:to_client,established; file_data; content:"WESPPTZ.WESPPTZCtrl"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2098; classtype:attempted-admin; sid:41833; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPPTZ access attempt"; flow:to_server,established; file_data; content:"359742AF-BF34-4379-A084-B7BF0E5F34B0"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-2098; classtype:attempted-admin; sid:41832; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPPTZ access attempt"; flow:to_client,established; file_data; content:"359742AF-BF34-4379-A084-B7BF0E5F34B0"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2098; classtype:attempted-admin; sid:41831; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPPlayback access attempt"; flow:to_server,established; file_data; content:"WESPPlayback.WESPPlaybackCtrl"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-2098; classtype:attempted-admin; sid:41830; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPPlayback access attempt"; flow:to_client,established; file_data; content:"WESPPlayback.WESPPlaybackCtrl"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2098; classtype:attempted-admin; sid:41829; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPPlayback access attempt"; flow:to_server,established; file_data; content:"4E14C449-A61A-4BF7-8082-65A91298A6D8"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-2098; classtype:attempted-admin; sid:41828; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS WebGate eDVR Manager WESPPlayback access attempt"; flow:to_client,established; file_data; content:"4E14C449-A61A-4BF7-8082-65A91298A6D8"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2098; classtype:attempted-admin; sid:41827; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ConfigurationAccessComponent"; fast_pattern:only; content:"UnsubscribeData"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2010-2974; classtype:attempted-user; sid:42125; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"55414847-A533-4642-8E92-76B191B24B87"; fast_pattern:only; content:"UnsubscribeData"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2010-2974; classtype:attempted-user; sid:42124; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ConfigurationAccessComponent"; fast_pattern:only; content:"UnsubscribeData"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2974; classtype:attempted-user; sid:42123; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"55414847-A533-4642-8E92-76B191B24B87"; fast_pattern:only; content:"UnsubscribeData"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2974; classtype:attempted-user; sid:42122; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"E4F874A0-56ED-11D0-9C43-00A0C90F29FC"; fast_pattern:only; content:"save"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www-03.ibm.com/software/products/en/spss-samplepower; classtype:attempted-user; sid:42909; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ActiveBarLibrary.ActiveBar.1"; fast_pattern:only; content:"save"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www-03.ibm.com/software/products/en/spss-samplepower; classtype:attempted-user; sid:42908; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"E4F874A0-56ED-11D0-9C43-00A0C90F29FC"; fast_pattern:only; content:"save"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www-03.ibm.com/software/products/en/spss-samplepower; classtype:attempted-user; sid:42907; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ActiveBarLibrary.ActiveBar.1"; fast_pattern:only; content:"save"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www-03.ibm.com/software/products/en/spss-samplepower; classtype:attempted-user; sid:42906; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider SoMachine ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"12697D97-5ECB-4E9B-B045-E6CB6E08D1B5"; fast_pattern:only; content:"SetDataIntf"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4529; classtype:attempted-user; sid:42856; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider SoMachine ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"12697D97-5ECB-4E9B-B045-E6CB6E08D1B5"; fast_pattern:only; content:"SetDataIntf"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4529; classtype:attempted-user; sid:42855; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Schneider Electric SoMachine HVAC ActiveX information disclosure clsid access attempt"; flow:to_server,established; file_data; content:"12697D97-5ECB-4E9B-B045-E6CB6E08D1B5"; fast_pattern:only; content:"GetEditGridPtr"; nocase; metadata:service smtp; reference:url,schneider-electric.com/en/download/document/SoMachine%20HVAC%20-%20Programming%20Software%20for%20Modicon%20M171-M172%20Logic%20Controllers/; classtype:attempted-user; sid:42922; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric SoMachine HVAC ActiveX information disclosure clsid access attempt"; flow:to_client,established; file_data; content:"12697D97-5ECB-4E9B-B045-E6CB6E08D1B5"; fast_pattern:only; content:"GetEditGridPtr"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,schneider-electric.com/en/download/document/SoMachine%20HVAC%20-%20Programming%20Software%20for%20Modicon%20M171-M172%20Logic%20Controllers/; classtype:attempted-user; sid:42921; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"McFreeScan.CoMcFreeScan.1"; fast_pattern:only; content:"GetSpecialFolderLocation"; nocase; metadata:service smtp; reference:bugtraq,10077; reference:cve,2004-1908; classtype:attempted-user; sid:43704; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"EF791A6B-FC12-4C68-99EF-FB9E207A39E6"; fast_pattern:only; content:"GetSpecialFolderLocation"; nocase; metadata:service smtp; reference:bugtraq,10077; reference:cve,2004-1908; classtype:attempted-user; sid:43703; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"McFreeScan.CoMcFreeScan.1"; fast_pattern:only; content:"GetSpecialFolderLocation"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10077; reference:cve,2004-1908; classtype:attempted-user; sid:43702; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"EF791A6B-FC12-4C68-99EF-FB9E207A39E6"; fast_pattern:only; content:"GetSpecialFolderLocation"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10077; reference:cve,2004-1908; classtype:attempted-user; sid:43701; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Ultra Crypto Component ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"FD22F3AE-1450-4BDC-ADBE-6AF210A78C2C"; fast_pattern:only; metadata:service smtp; reference:cve,2007-4902; classtype:attempted-user; sid:43650; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Ultra Crypto Component ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FD22F3AE-1450-4BDC-ADBE-6AF210A78C2C"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-4902; classtype:attempted-user; sid:43649; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS HP Photo Creative ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"audio.Record"; fast_pattern:only; content:"Resample"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,45631; reference:cve,2011-3397; classtype:attempted-user; sid:43607; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt"; flow:to_server,established; file_data; content:"snpvw.Snapshot Viewer Control"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:43606; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt"; flow:to_server,established; file_data; content:"ActiveXObject"; content:"SnapshotPath"; content:"CompressedPath"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30114; reference:cve,2008-2463; reference:url,docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/955179; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-041; classtype:attempted-user; sid:43605; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt"; flow:established,to_server; file_data; content:"B20ABC7B-3858-11D6-8F7F-0000861EF01D"; fast_pattern:only; content:"Initialize"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,90524; reference:cve,2015-8530; reference:url,ibm.com/support/docview.wss?uid=swg21982035; classtype:attempted-user; sid:43538; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"B20ABC7B-3858-11D6-8F7F-0000861EF01D"; fast_pattern:only; content:"Initialize"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,90524; reference:cve,2015-8530; classtype:attempted-user; sid:43537; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Pegasus ImagXpress ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"6277B638-833D-4315-9D78-60FC451DAF07"; fast_pattern:only; metadata:service smtp; reference:cve,2007-5320; classtype:attempted-user; sid:43520; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Pegasus ImagXpress ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"6277B638-833D-4315-9D78-60FC451DAF07"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-5320; classtype:attempted-user; sid:43519; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"QuickPlace.QuickPlace"; fast_pattern:only; pcre:"/(Impor|Attachmen)t_Times/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,53678; reference:cve,2012-2176; classtype:attempted-user; sid:43401; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"05D96F71-87C6-11D3-9BE4-00902742D6E0"; fast_pattern:only; pcre:"/(Impor|Attachmen)t_Times/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,53678; reference:cve,2012-2176; classtype:attempted-user; sid:43400; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; fast_pattern:only; metadata:service smtp; reference:cve,2007-5111; classtype:attempted-user; sid:43378; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-5111; classtype:attempted-user; sid:43377; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8"; fast_pattern:only; metadata:service smtp; reference:cve,2007-5110; classtype:attempted-user; sid:43376; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-5110; classtype:attempted-user; sid:43375; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"DivXBrowserPlugin"; fast_pattern:only; metadata:service smtp; reference:cve,2007-0429; classtype:attempted-user; sid:43374; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"DivXBrowserPlugin"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0429; classtype:attempted-user; sid:43373; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"67DABFBF-D0AB-41FA-9C46-CC0F21721616"; fast_pattern:only; metadata:service smtp; reference:cve,2007-0429; classtype:attempted-user; sid:43372; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"67DABFBF-D0AB-41FA-9C46-CC0F21721616"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0429; classtype:attempted-user; sid:43371; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Data Dynamics ActiveBar remote file write attempt ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ActiveBar3Library.ActiveBar3.3"; fast_pattern:only; content:"Save"; nocase; metadata:service smtp; reference:bugtraq,24959; reference:cve,2007-3883; classtype:attempted-user; sid:43345; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Data Dynamics ActiveBar remote file write attempt ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"5407153D-022F-4CD2-8BFF-465569BC5DB8"; fast_pattern:only; content:"Save"; nocase; metadata:service smtp; reference:bugtraq,24959; reference:cve,2007-3883; classtype:attempted-user; sid:43344; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Data Dynamics ActiveBar remote file write attempt ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ActiveBar3Library.ActiveBar3.3"; fast_pattern:only; content:"Save"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,24959; reference:cve,2007-3883; classtype:attempted-user; sid:43343; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Data Dynamics ActiveBar remote file write attempt ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"5407153D-022F-4CD2-8BFF-465569BC5DB8"; fast_pattern:only; content:"Save"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,24959; reference:cve,2007-3883; classtype:attempted-user; sid:43342; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"SKSNTPLib.SKSntp"; fast_pattern:only; content:"Sntp"; nocase; pcre:"/Sntp(SendRequest|GetReply)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43323; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"A3010B66-C229-11D5-B7BA-00C0F02DFC67"; fast_pattern:only; content:"Sntp"; nocase; pcre:"/Sntp(SendRequest|GetReply)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43322; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"SKNETRESOURCELib.SKNetResource"; fast_pattern:only; content:"Net"; nocase; pcre:"/Net(ShareEnum|SessionDel|FileClose|ConnectionEnum)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43321; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"61251370-92BF-4A0E-8236-5904AC6FC9F2"; fast_pattern:only; content:"Net"; nocase; pcre:"/Net(ShareEnum|SessionDel|FileClose|ConnectionEnum)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43320; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"SKICMPLib.SKIcmp"; fast_pattern:only; content:"AddDestination"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43319; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"3A86F1F2-4921-4C75-AF2C-A1AA241E12BA"; fast_pattern:only; content:"AddDestination"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43318; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"SKDNSLib.SKDns"; fast_pattern:only; content:"DNSLookupHostWithServer"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43317; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"B5ED1577-4576-11D5-851F-00D0B7A934F6"; fast_pattern:only; content:"DNSLookupHostWithServer"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43316; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"SKSNTPLib.SKSntp"; fast_pattern:only; content:"Sntp"; nocase; pcre:"/Sntp(SendRequest|GetReply)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43315; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"A3010B66-C229-11D5-B7BA-00C0F02DFC67"; fast_pattern:only; content:"Sntp"; nocase; pcre:"/Sntp(SendRequest|GetReply)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43314; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"SKNETRESOURCELib.SKNetResource"; fast_pattern:only; content:"Net"; nocase; pcre:"/Net(ShareEnum|SessionDel|FileClose|ConnectionEnum)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43313; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"61251370-92BF-4A0E-8236-5904AC6FC9F2"; fast_pattern:only; content:"Net"; nocase; pcre:"/Net(ShareEnum|SessionDel|FileClose|ConnectionEnum)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43312; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"SKICMPLib.SKIcmp"; fast_pattern:only; content:"AddDestination"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43311; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"3A86F1F2-4921-4C75-AF2C-A1AA241E12BA"; fast_pattern:only; content:"AddDestination"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43310; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"SKDNSLib.SKDns"; fast_pattern:only; content:"DNSLookupHostWithServer"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43309; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"B5ED1577-4576-11D5-851F-00D0B7A934F6"; fast_pattern:only; content:"DNSLookupHostWithServer"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.magnetosoft.com/products/software_development_tools; classtype:attempted-user; sid:43308; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"RavOLCtlLib.RavOnline"; fast_pattern:only; content:"Scan"; nocase; metadata:service smtp; reference:bugtraq,38282; classtype:attempted-user; sid:43243; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"RavOLCtlLib.RavOnline"; fast_pattern:only; content:"Scan"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,38282; classtype:attempted-user; sid:43242; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"9FAFB576-6933-4CCC-AB3D-B988EC43D04E"; fast_pattern:only; content:"Scan"; nocase; metadata:service smtp; reference:bugtraq,38282; classtype:attempted-user; sid:43241; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"9FAFB576-6933-4CCC-AB3D-B988EC43D04E"; fast_pattern:only; content:"Scan"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,38282; classtype:attempted-user; sid:43240; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"5CE92A27-9F6A-11D2-9D3D-000001155641"; fast_pattern:only; metadata:service smtp; reference:cve,2014-2364; classtype:attempted-user; sid:43186; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"5CE92A27-9F6A-11D2-9D3D-000001155641"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2364; classtype:attempted-user; sid:43185; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS ICONICS SCADA WebHMI ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"8B156C63-F843-11D2-A974-525400DADF34"; fast_pattern:only; content:"SaveConfigFile"; nocase; metadata:service smtp; reference:url,www.iconics.com/Home/Products/Web-Solutions/WebHMI.aspx; classtype:attempted-user; sid:43047; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS ICONICS SCADA WebHMI ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"8B156C63-F843-11D2-A974-525400DADF34"; fast_pattern:only; content:"SaveConfigFile"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.iconics.com/Home/Products/Web-Solutions/WebHMI.aspx; classtype:attempted-user; sid:43046; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"FTPSFTPLib.SFtpSession"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43035; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FTPSFTPLib.SFtpSession"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43034; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ACBBEC6D-7FD4-44E3-B1A4-B442D40F5818"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43033; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ACBBEC6D-7FD4-44E3-B1A4-B442D40F5818"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43032; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ProfileEditor.MFSNAControl"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43031; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ProfileEditor.MFSNAControl"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43030; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"5A01664E-6CF1-11D2-A0C2-0060B0A25144"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43029; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"5A01664E-6CF1-11D2-A0C2-0060B0A25144"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43028; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"NMSECCOMPARAMSLib"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43027; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"NMSECCOMPARAMSLib"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43026; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"30A01218-C999-4C40-91AE-D8AE4C884A9B"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43025; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"30A01218-C999-4C40-91AE-D8AE4C884A9B"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43024; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"FTXBIFFLib.AS400FtxBIFF"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43023; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"FTXBIFFLib.AS400FtxBIFF"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43022; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"2E67341B-A697-11D4-A084-0060B0C3E4EC"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43021; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2E67341B-A697-11D4-A084-0060B0C3E4EC"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43020; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ProfileEditor.PrintPasteControl"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43019; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ProfileEditor.PrintPasteControl"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43018; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"09A1C362-676A-11D2-A0BE-0060B0A25144"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43017; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"09A1C362-676A-11D2-A0BE-0060B0A25144"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43016; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ObjectXSNAConfig.ObjectXSNAConfig"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43015; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ObjectXSNAConfig.ObjectXSNAConfig"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43014; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"E1E0A940-BE28-11CF-B4A0-0004AC32AD97"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43013; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"E1E0A940-BE28-11CF-B4A0-0004AC32AD97"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43012; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ObjectXMacro.ObjectXMacro"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43011; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ObjectXMacro.ObjectXMacro"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43010; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"56359FC0-E847-11CE-BE79-02608C8F68F1"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1606; classtype:attempted-user; sid:43009; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"56359FC0-E847-11CE-BE79-02608C8F68F1"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1606; classtype:attempted-user; sid:43008; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Shockwave ActiveX Control clsid access"; flow:to_server,established; file_data; content:"233C1507-6A77-46A4-9443-F871F945D258"; fast_pattern:only; metadata:service smtp; reference:bugtraq,22067; reference:bugtraq,22842; reference:cve,2006-6885; reference:cve,2007-1403; classtype:attempted-user; sid:43951; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMIScriptUtils.WMIObjectBroker2.1 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"7"; content:"F5B7F63"; within:12; content:"-F06F-"; within:11; content:"4331-8A26-"; within:15; content:"339E03C0"; within:13; content:"AE3D"; within:9; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-4704; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-073; classtype:attempted-user; sid:44036; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer WMIScriptUtils.WMIObjectBroker2.1 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"WMIScriptUtils.WMIObjectBroker2.1"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-4704; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-073; classtype:attempted-user; sid:44035; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt"; flow:to_server,established; file_data; content:"CAPICOM.Utilities.1"; fast_pattern:only; content:"getRandom"; nocase; metadata:service smtp; reference:url,support.ixiacom.com/strikes/denial/browser/ie_capicom_getrandom_integer_overflow.xml; classtype:attempted-user; sid:44091; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt"; flow:to_client,established; file_data; content:"CAPICOM.Utilities.1"; fast_pattern:only; content:"getRandom"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,support.ixiacom.com/strikes/denial/browser/ie_capicom_getrandom_integer_overflow.xml; classtype:attempted-user; sid:44090; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt"; flow:to_server,established; file_data; content:"22A85CE1-F011-4231-B9E4-7E7A0438F71B"; fast_pattern:only; content:"getRandom"; nocase; metadata:service smtp; reference:url,support.ixiacom.com/strikes/denial/browser/ie_capicom_getrandom_integer_overflow.xml; classtype:attempted-user; sid:44089; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt"; flow:to_client,established; file_data; content:"22A85CE1-F011-4231-B9E4-7E7A0438F71B"; fast_pattern:only; content:"getRandom"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,support.ixiacom.com/strikes/denial/browser/ie_capicom_getrandom_integer_overflow.xml; classtype:attempted-user; sid:44088; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access"; flow:to_server,established; file_data; content:"TeeChart.ChartGridNavigator"; fast_pattern:only; content:"GridLink"; nocase; pcre:"/(new\s*ActiveX|Create)Object\s*\(\s*[\x22\x27]TeeChart\.ChartGridNavigator/i"; metadata:policy max-detect-ips drop, policy security-ips alert, ruleset limited, service smtp; classtype:attempted-user; sid:35875; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access"; flow:to_client,established; file_data; content:"TeeChart.ChartGridNavigator"; fast_pattern:only; content:"GridLink"; nocase; pcre:"/(new\s*ActiveX|Create)Object\s*\(\s*[\x22\x27]TeeChart\.ChartGridNavigator/i"; metadata:policy max-detect-ips drop, policy security-ips alert, ruleset limited, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35874; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access"; flow:to_server,established; file_data; content:"A92B03A8-D509-4D2F-A953-B26ED8498AB0"; fast_pattern:only; content:"GridLink"; nocase; pcre:"/]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*{?\s*A92B03A8-D509-4D2F-A953-B26ED8498AB0/i"; metadata:policy max-detect-ips drop, policy security-ips alert, ruleset limited, service smtp; classtype:attempted-user; sid:35873; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access"; flow:to_client,established; file_data; content:"A92B03A8-D509-4D2F-A953-B26ED8498AB0"; fast_pattern:only; content:"GridLink"; nocase; pcre:"/]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*{?\s*A92B03A8-D509-4D2F-A953-B26ED8498AB0/i"; metadata:policy max-detect-ips drop, policy security-ips alert, ruleset limited, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35872; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows shell.application object ShellExecute attempt"; flow:to_client,established; file_data; content:"Shell.Application"; fast_pattern:only; content:"ShellExecute"; nocase; metadata:policy max-detect-ips drop, service http; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/gg537745%28v=vs.85%29.aspx; classtype:attempted-user; sid:44664; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ICOLAUNCHLib.LaunchCtl"; fast_pattern:only; metadata:service smtp; reference:cve,2013-2817; classtype:attempted-user; sid:44733; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ICOLAUNCHLib.LaunchCtl"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2817; classtype:attempted-user; sid:44732; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"UCCVIEWER.UCCViewerCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45301; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"UCCVIEWER.UCCViewerCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45300; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"3B7B3C36-8515-4E15-BC46-D1BEBA2F360C"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45299; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"3B7B3C36-8515-4E15-BC46-D1BEBA2F360C"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45298; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"UCCUML.UCCUMLCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|ExportBitmapData|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45297; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"UCCUML.UCCUMLCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|ExportBitmapData|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45296; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"C1F0EE85-363F-483D-97D0-87E2A537BFBA"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|ExportBitmapData|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45295; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"C1F0EE85-363F-483D-97D0-87E2A537BFBA"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|ExportBitmapData|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45294; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"UCCSIMPLE.UCCSIMPLECtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45293; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"UCCSIMPLE.UCCSIMPLECtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45292; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45291; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45290; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"UCCPRINT.UCCPrintCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45289; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"UCCPRINT.UCCPrintCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45288; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"A4FCBD44-6BF5-405C-9598-C8E8ADCE4488"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45287; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"A4FCBD44-6BF5-405C-9598-C8E8ADCE4488"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45286; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"UCCHMI.UCCHMICtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45285; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"UCCHMI.UCCHMICtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45284; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45283; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45282; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"UCCDRAW.UCCDrawCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|ExportToBitmapFile|SaveDocument|SaveMemory2|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45281; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"UCCDRAW.UCCDrawCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|ExportToBitmapFile|SaveDocument|SaveMemory2|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45280; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|ExportToBitmapFile|SaveDocument|SaveMemory2|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45279; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|ExportToBitmapFile|SaveDocument|SaveMemory2|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45278; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"B6A3BF2C-F770-4182-BE7F-103BF2C76826"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45277; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"TKDRAWCAD.TKDrawCADCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45276; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"9022B790-B810-45B4-80BC-2D94EEC5343C"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45275; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"B6A3BF2C-F770-4182-BE7F-103BF2C76826"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45274; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"UCCDIAGRAM.UCCDiagramCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45273; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"UCCDIAGRAM.UCCDiagramCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45272; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"9022B790-B810-45B4-80BC-2D94EEC5343C"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45271; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS UCanCode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"TKDRAWCAD.TKDrawCADCtrl.1"; fast_pattern:only; pcre:"/(ExportAsBitmapFile|ExportAsEMFFile|SaveMemory2|SaveTemplateToFile|SaveToXdgFile|Write)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.ucancode.net/Products/Form2/uccdraw.htm; classtype:attempted-user; sid:45270; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"0BB7DB53-9021-11D3-8F25-00A0245B34C6"; fast_pattern:only; content:"HostAddress"; nocase; metadata:service smtp; reference:cve,2014-1847; classtype:attempted-user; sid:46352; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"0BB7DB53-9021-11D3-8F25-00A0245B34C6"; fast_pattern:only; content:"HostAddress"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1847; classtype:attempted-user; sid:46351; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2008-1309; classtype:attempted-user; sid:46405; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-1309; classtype:attempted-user; sid:46404; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Tor Browser 7.x NoScript secure mode bypass attempt"; flow:to_client,established; content:"Content-type|3A 20|text/html|3B|/json"; fast_pattern:only; http_header; metadata:service http; reference:url,twitter.com/Zerodium/status/1039127214602641409; classtype:attempted-user; sid:47895; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"Microsoft.Jet.OLEDB.4.0"; fast_pattern:only; content:"ActiveXObject("; nocase; content:"ADODB.Connection"; within:100; nocase; metadata:service smtp; reference:cve,2018-8423; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8423; classtype:attempted-user; sid:47888; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.Jet.OLEDB.4.0"; fast_pattern:only; content:"ActiveXObject("; nocase; content:"ADODB.Connection"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8423; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8423; classtype:attempted-user; sid:47887; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"TSWbPrxy.exe"; fast_pattern:only; content:"PSHCMD"; nocase; content:"powershell.exe"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0016; reference:url,attack.mitre.org/techniques/T1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-004; classtype:attempted-admin; sid:47462; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"TSWbPrxy.exe"; fast_pattern:only; content:"PSHCMD"; nocase; content:"powershell.exe"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0016; reference:url,attack.mitre.org/techniques/T1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-004; classtype:attempted-admin; sid:47461; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt"; flow:to_server,established; file_data; content:"|91 36 EF 47 00 9C 2E 40 48 BD 40 BC 5F 42 B7 F1 EB 83 09 65 13 BF FD C3 BA 5D DA 3E B0 41 61 C5|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-006; classtype:attempted-user; sid:47172; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt"; flow:to_client,established; file_data; content:"|91 36 EF 47 00 9C 2E 40 48 BD 40 BC 5F 42 B7 F1 EB 83 09 65 13 BF FD C3 BA 5D DA 3E B0 41 61 C5|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-006; classtype:attempted-user; sid:47171; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Fourier Systems DaqLab ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"17301DA3-C84D-11CF-AE6F-0020AF31CEF9"; fast_pattern:only; content:"ExportStyle"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48442; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Fourier Systems DaqLab ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"17301DA3-C84D-11CF-AE6F-0020AF31CEF9"; fast_pattern:only; content:"ExportStyle"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48441; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Accelrys BIOVIA DSVisualizerControlR22.SaveToFile ActiveX access attempt"; flow:to_server,established; file_data; content:"DSVisualizerControlR22"; fast_pattern:only; content:"SaveToFile"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:url,accelrys.com; classtype:attempted-user; sid:48490; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Accelrys BIOVIA DSVisualizerControlR22.SaveToFile ActiveX access attempt"; flow:to_client,established; file_data; content:"DSVisualizerControlR22"; fast_pattern:only; content:"SaveToFile"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,accelrys.com; classtype:attempted-user; sid:48489; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Accelrys BIOVIA DSVisualizerControlR22.SaveToFile ActiveX access attempt"; flow:to_server,established; file_data; content:"AAC68FC9-90E7-4855-8A20-90BD3AC61F8E"; fast_pattern:only; content:"SaveToFile"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:url,accelrys.com; classtype:attempted-user; sid:48488; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Accelrys BIOVIA DSVisualizerControlR22.SaveToFile ActiveX access attempt"; flow:to_client,established; file_data; content:"AAC68FC9-90E7-4855-8A20-90BD3AC61F8E"; fast_pattern:only; content:"SaveToFile"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,accelrys.com; classtype:attempted-user; sid:48487; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"A56D71FB-4D4D-4B93-A01B-FB7635DA896D"; fast_pattern:only; content:"SetPOSSource"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48544; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"6C02555A-BC8D-4716-AA42-3920FA6A4ECB"; fast_pattern:only; content:"SDFileDelete"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48543; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"317AC6BB-6E8E-11D4-9BF0-005004BBFC86"; fast_pattern:only; content:"connect"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48542; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"5CE92A27-9F6A-11D2-9D3D-000001155641"; fast_pattern:only; content:"AlarmImage"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48541; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"A56D71FB-4D4D-4B93-A01B-FB7635DA896D"; fast_pattern:only; content:"SetPOSSource"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48540; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"6C02555A-BC8D-4716-AA42-3920FA6A4ECB"; fast_pattern:only; content:"SDFileDelete"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48539; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"317AC6BB-6E8E-11D4-9BF0-005004BBFC86"; fast_pattern:only; content:"connect"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48538; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"5CE92A27-9F6A-11D2-9D3D-000001155641"; fast_pattern:only; content:"AlarmImage"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48537; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"31150A86-0BBA-409F-BEB4-F3922D10BF34"; fast_pattern:only; content:"GetConfigValue"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48536; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"31150A86-0BBA-409F-BEB4-F3922D10BF34"; fast_pattern:only; content:"GetConfigValue"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48535; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access"; flow:to_server,established; file_data; content:"F9864037-A609-4AE2-9022-BDC0198BDECF"; fast_pattern:only; content:"SetXml"; content:"Save"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46539; reference:cve,2011-1036; classtype:attempted-user; sid:48903; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access"; flow:to_server,established; file_data; content:"XMLSecDB.DIParser"; fast_pattern:only; content:"SetXml"; content:"Save"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46539; reference:cve,2011-1036; classtype:attempted-user; sid:48902; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access"; flow:to_client,established; file_data; content:"F9864037-A609-4AE2-9022-BDC0198BDECF"; fast_pattern:only; content:"SetXml"; content:"Save"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46539; reference:cve,2011-1036; classtype:attempted-user; sid:48901; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM Lotus Domino Quickr ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"QuickPlace.QuickPlace"; fast_pattern:only; content:"t_Names"; nocase; pcre:"/(Attachmen|Impor)t_Names/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3026; classtype:attempted-user; sid:49097; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus Domino Quickr ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"QuickPlace.QuickPlace"; fast_pattern:only; content:"t_Names"; nocase; pcre:"/(Attachmen|Impor)t_Names/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3026; classtype:attempted-user; sid:49096; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS IBM Lotus Domino Quickr ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"05D96F71-87C6-11D3-9BE4-00902742D6E0"; fast_pattern:only; content:"t_Names"; nocase; pcre:"/(Attachmen|Impor)t_Names/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3026; classtype:attempted-user; sid:49095; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS IBM Lotus Domino Quickr ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"05D96F71-87C6-11D3-9BE4-00902742D6E0"; fast_pattern:only; content:"t_Names"; nocase; pcre:"/(Attachmen|Impor)t_Names/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3026; classtype:attempted-user; sid:49094; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ISSymbol"; fast_pattern:only; content:"OpenScreen"; nocase; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:49447; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ISSymbol"; fast_pattern:only; content:"OpenScreen"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:49446; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"3C9DFF6F-5CB0-422E-9978-D6405D10718F"; fast_pattern:only; content:"OpenScreen"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:49445; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"3C9DFF6C-5CB0-422E-9978-D6405D10718F"; fast_pattern:only; content:"OpenScreen"; nocase; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:49444; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"ocxIPcam"; fast_pattern:only; content:"SDManage"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:49639; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"ocxIPcam"; fast_pattern:only; content:"SDManage"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:49638; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"98703E7E-E705-4043-8FCE-E828D9C1EEAD"; fast_pattern:only; content:"SDManage"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:49637; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"98703E7E-E705-4043-8FCE-E828D9C1EEAD"; fast_pattern:only; content:"SDManage"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:49636; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt"; flow:to_client,established; content:"LaunchTriPane(unescape("; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2012-2516; reference:url,support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863; classtype:attempted-user; sid:49759; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt"; flow:to_client,established; content:"String.fromCharCode(45, 100, 101, 99, 111, 109, 112, 105, 108, 101, 32, 99, 37, 50, 53, 51, 65, 37, 50, 53, 50, 70, 32, 99, 37, 50, 53, 51, 65, 37, 50, 53, 50, 70, 87, 73, 78, 68, 79, 87, 83, 37, 50, 53, 50, 70, 72, 101, 108, 112, 37, 50, 53, 50, 70, 110, 111, 116, 101, 112, 97, 100, 46, 99, 104, 109)))"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2012-2516; reference:url,support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863; classtype:attempted-user; sid:49758; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt"; flow:established,to_client; file_data; content:"=new ActiveXObject("; content:".SetHtmlFileName("; pcre:"/^