# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# FILE-IMAGE RULES
#------------------
#
# Reviewer notes:
# - A rule whose line begins with "#" is a comment to the rule parser and is therefore not loaded;
#   only the lines without a leading "#" are active as shipped.
# - Every "flowbits:isset,file.<type>" precondition depends on a flowbit set by a rule outside this
#   file (nothing in this file sets one), so those rules only fire when the file-type identification
#   rules that set the bit are loaded on the same sensor.
# - Most detections come in pairs: a to_server variant on $SMTP_SERVERS 25 (service smtp) and a
#   to_client variant on $FILE_DATA_PORTS (service ftp-data/http/imap/pop3) with the same match options.
#
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In FlashPix image processing overflow attempt"; flow:to_server,established; flowbits:isset,file.fpx; file_data; content:"|03 01 22 00 02 11 01 03 62 01 FF DA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1744; classtype:attempted-user; sid:26978; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows WMF denial of service attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"|FC 02|"; pcre:"/\xFC\x02[\x08\x06]\x00.{4}(?!\x00\x00)/s"; metadata:service smtp; reference:bugtraq,21992; reference:cve,2006-4071; classtype:web-application-attack; sid:26909; rev:3;)
#
# PNG chunk-length checks (sids 26866-26856 here; sids 6701-6690 further down are the to_client
# variants): after matching the 4-byte chunk type, byte_test reads the 4 bytes at relative offset -8,
# i.e. the length field that precedes the chunk type in the PNG chunk layout, and alerts when it
# exceeds 10000.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected zTXt overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"zTXt"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26866; rev:4;)
# Active in balanced/security/max-detect policies. Unlike its siblings this variant anchors on the
# PNG signature instead of "IHDR" and carries no flowbits precondition.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; fast_pattern; content:"tEXt"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:cve,2009-2501; reference:cve,2012-5470; reference:cve,2013-1331; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-062; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-051; classtype:attempted-user; sid:26865; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iTXt overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"iTXt"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26864; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tIME overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"tIME"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26863; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sPLT overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"sPLT"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26862; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected pHYs overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"pHYs"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26861; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected hIST overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"hIST"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26859; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected bKGD overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"bKGD"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26858; rev:4;)
# The negated iCCP content inspects the 4 bytes immediately before "sRGB" (distance:-8, within:4 from
# the end of the match) — presumably so an iCCP chunk whose payload starts with "sRGB" is not taken for
# an sRGB chunk; intent is not stated in the rule, confirm before changing.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sRGB overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"sRGB"; distance:0; content:!"iCCP"; within:4; distance:-8; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26857; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sBIT overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"sBIT"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26856; rev:4;)
#
# Apple QuickTime PICT PnSize (opcode bytes 00 07): byte_test reads the 2-byte value 2 bytes past the
# opcode match and alerts when it exceeds 0x7fff. The three variants below differ in how they confirm
# the surrounding record (a following "00 07 00 01 00", or the absence of another "00 07").
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.pictmov; file_data; content:"|00 07|"; offset:512; fast_pattern; byte_test:2,>,0x7fff,2,relative; content:"|00 07 00 01 00|"; within:5; distance:4; metadata:service smtp; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:26701; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pictmov; file_data; content:"|00 07|"; offset:512; fast_pattern; byte_test:2,>,0x7fff,2,relative; content:"|00 07 00 01 00|"; within:5; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:26700; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.pictmov; file_data; content:"|00 07|"; offset:512; byte_test:2,>,0x7fff,2,relative; content:!"|00 07|"; distance:0; metadata:service smtp; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:26699; rev:4;)
# Active in balanced/security/max-detect policies; no flowbits precondition, keyed on the "BM" header
# (depth:2) plus a fixed repeating byte pattern.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE BMP extremely large xpos opcodes"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00|"; content:"|00 02 FF 00 00 02 FF 00 00 02 FF 00|"; within:12; distance:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26665; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_server; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|"; depth:4; content:"8BIM"; within:4; distance:16; content:"|04 09|"; within:2; content:"|FF D8 FF ED|"; distance:0; content:"8BIM"; within:4; distance:16; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26373; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_server; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|"; depth:4; content:"8BIM"; within:4; distance:16; content:"|04 0C|"; within:2; content:"|FF D8 FF ED|"; distance:0; content:"8BIM"; within:4; distance:16; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26372; rev:5;)
#
# libpng iTXt decompression: the two variants are not symmetric — sid 25066 (ports 25 and 631) inspects
# the raw payload with no file_data/flowbits precondition and a 0x100000 threshold, while sid 25065
# uses file_data, requires file.png and a 0x7ffffff threshold. Worth reconciling if either is enabled.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; content:"|00|"; within:79; distance:12; content:"|00|"; within:1; metadata:policy max-detect-ips drop, service http, service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:25066; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x7ffffff,-8,relative; content:"|00|"; within:79; distance:12; content:"|00|"; within:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:25065; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT file opcode corruption attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF|"; isdataat:2,relative; content:!"|0C 00|"; within:2; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53584; reference:cve,2012-0671; reference:url,community.qualys.com/docs/DOC-3511; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24695; rev:5;)
# Older PnSize variants: sid 24553 anchors on a "PICT" tag and fixed 594-byte distance; sid 24552 has
# no offset at all and will evaluate every "00 07" in the buffer.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"PICT"; depth:4; isdataat:594,relative; content:"|00 07|"; within:2; distance:594; byte_test:2,>,0x7fff,2,relative; metadata:service smtp; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:24553; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.pictmov; file_data; content:"|00 07|"; byte_test:2,>,0x7fff,2,relative; metadata:service smtp; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:24552; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pictmov; file_data; content:"|00 07|"; offset:512; byte_test:2,>,0x7fff,2,relative; content:!"|00 07|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:24551; rev:7;)
# XPM: the pcre looks for a quoted string of 300 non-quote characters after the "/* XPM */" header.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE XPM file format overflow attempt"; flow:to_server,established; flowbits:isset,file.xpm; file_data; content:"/* XPM */"; pcre:"/^\s*\x22[^\x22\n]{300}/mi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23620; reference:cve,2007-2193; classtype:attempted-user; sid:24189; rev:3;)
# GDI+ TIFF: fixed-offset IFD byte patterns (offset 278 or 266) rather than a parsed length check.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; depth:8; offset:278; content:"|02 01 03 00 04 00 00 00 16 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:service smtp; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23590; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; depth:8; offset:266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:service smtp; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23589; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Kodak Imaging large offset malformed tiff - big-endian"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 02 00 03|"; byte_test:4,>,6,0,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-2217; reference:cve,2010-3950; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:23561; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows graphics rendering engine buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|20|EMF"; depth:4; offset:40; byte_test:4,<,0x58,4,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,11375; reference:cve,2004-0209; classtype:attempted-user; sid:23110; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickDraw PICT images ARGB records handling memory corruption attempt"; flow:to_server,established; file_data; content:"|00 11 02 FF|"; depth:4; offset:522; content:"|00 9A 00 00 00 FF 80|"; distance:0; content:!"|00|"; within:1; distance:10; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,22207; reference:cve,2007-0462; classtype:attempted-user; sid:21766; rev:7;)
# Exploit-artifact signatures: sids 21439, 18645, 19247 and 17628 match a fixed byte sequence from a
# known sample (fast_pattern:only) rather than a structural condition, so variants of the same
# trigger file will not match.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|58 00 69 00 62 00 6E 00 61 00 57 00 6D 00 5A 00 31 00 63 00 38 00 42 00 4B 00 37 00 4D 00 71 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-029; classtype:attempted-user; sid:21439; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; depth:8; offset:278; content:"|02 01 03 00 04 00 00 00 16 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:21160; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Quicktime PictureViewer GIF rendering vulnerability"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"GIF"; depth:3; content:"|01 00 00 00 21 F9 04 00 00 00 00 00 2C 00 00 00 00 00 01 00 01 00 FF FF|"; within:24; distance:6; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2005-1106; classtype:attempted-user; sid:20059; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe jpeg 2000 image exploit attempt"; flow:to_client,established; file_data; content:"|FF 52 40 C3 AF 47 81 32 CF 93 99 8C FF 47 1E 0D D9 88 28|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2098; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19247; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|60 00 00 00 02 10 C0 DB 09 00 00 00 00 00 00 00 00 00 80 3F 00 00 80 3F 00 00 FA 44 02 00 00 4D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-029; classtype:attempted-user; sid:18645; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime PictureViewer buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|4A 46 49 46|"; content:"|EB 06 44 00|"; distance:0; content:"|42 42 42 42|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18600; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft FlashPix tile length overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FF 5F 00 00 02 00 00 00 00 11 01 FE 56 0B 00 00 3C 0A 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3952; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18229; rev:14;)
# The fast-pattern content here precedes file_data and so is matched against the raw payload
# (including the "Content-Type: text/plain" header); only the later options run on the file buffer.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe BMP image handler buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; content:"Content-Type: text/plain|0D 0A 0D 0A|BM"; fast_pattern:only; file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4, >, 256, 36, relative, little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28874; reference:cve,2008-1765; classtype:attempted-user; sid:17678; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Sun Microsystems Java gif handling memory corruption attempt"; flow:to_client,established; file_data; content:"|52 4B 55 F6 EF DF 63 70 A3 6C 5C 5B 48 71 BB 7A 70 77 3B 44 69 5B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:17628; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE OpenOffice EMF file EMR record parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|54 00 00 00|"; byte_test:4,>=,0x80000000,40,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2238; reference:cve,2017-3052; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,www.openoffice.org/security/cves/CVE-2008-2238.html; classtype:attempted-user; sid:17388; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe tiff oversized image length attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|14 01 00 00 01 01 04 00 01 00 00 00 01 01 01 01 02 01 03 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2995; classtype:attempted-user; sid:16321; rev:9;)
# Interlaced PNG: after the signature and IHDR, byte_test reads the 4-byte big-endian width (>59000),
# height (>32000) and the 1-byte bit depth (>7), then requires colour type 06 and interlace method 01.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; byte_test:4,>,59000,0,relative,big; byte_test:4,>,32000,4,relative,big; byte_test:1,>,7,8,relative; content:"|06|"; within:1; distance:9; content:"|01|"; within:1; distance:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3126; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16186; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; depth:8; offset:266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16184; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows malformed WMF meta escape record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"WMFC|01 00 00 00|"; byte_test:4,>,1000000,14,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2500; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16153; rev:12;)
# Big-endian TIFF: byte_jump follows the first IFD offset after "MM\0*", then the tag pattern is
# searched from 8 bytes back and its 4-byte value must exceed 6.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows 2000 Kodak Imaging large offset malformed tiff 2"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"MM|00|*"; byte_jump:4,0,relative,big; content:"|01 02 00 03|"; distance:-8; byte_test:4,>,6,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-2217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; classtype:attempted-user; sid:12634; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows WMF denial of service attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|FC 02|"; pcre:"/\xFC\x02[\x08\x06]\x00.{4}(?!\x00\x00)/s"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21992; reference:cve,2006-4071; classtype:web-application-attack; sid:10115; rev:14;)
# Java GIF: byte_test:1,!&,128 requires the byte 7 past "GIF" to have its high bit clear, then an image
# separator "," and a 2-byte zero field at the given distances.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Java Virtual Machine malformed GIF buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"GIF"; byte_test:1,!&,128,7,relative; content:","; within:1; distance:10; content:"|00 00|"; within:2; distance:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:10062; rev:12;)
# to_client variants of the PNG chunk-length checks (see the note above sid 26866).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected zTXt overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"zTXt"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6701; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iTXt overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"iTXt"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6699; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tIME overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"tIME"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6698; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sPLT overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"sPLT"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6697; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected pHYs overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"pHYs"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6696; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected hIST overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"hIST"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6694; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected bKGD overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"bKGD"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6693; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sBIT overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"sBIT"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6691; rev:19;)
# Note: an iCCP variant exists only on the to_client side (sid 6690); the SMTP group has sRGB instead.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iCCP overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"iCCP"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6690; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Mozilla GIF single packet heap overflow - ANIMEXTS1.0"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"GIF"; content:"!|FF 0B|ANIMEXTS1.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:6502; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player zero length bitmap heap overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM|00 00 00 00|"; depth:6; pcre:"/^BM\x00\x00\x00\x00/sm"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16633; reference:cve,2006-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-005; reference:url,www.eeye.com/html/research/advisories/AD20060214.html; classtype:attempted-admin; sid:5711; rev:13;)
# Community PNG IHDR bounds checks: bit depth > 16 (1 byte at +8), height > 32767 (4 bytes at +4),
# width > 32767 (4 bytes at +0), all relative to the end of the "IHDR" match.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft PNG large colour depth download attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3134; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Multiple Products PNG large image height download attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,4,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3133; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,0,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3132; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE JPEG parser multipacket heap overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|00 48 00 00 FF|"; fast_pattern:only; pcre:"/\x00\x48\x00\x00\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11173; reference:cve,2004-0200; reference:cve,2017-16392; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-028; classtype:attempted-admin; sid:2707; rev:14;)
# HTTP-only variant: gates on an image/* Content-Type header (http_header buffer) before inspecting
# the first 100 bytes after the SOI marker for an APP segment with a 0x0000/0x0001 length.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_client,established; content:"Content-Type"; nocase; http_header; content:"image/"; nocase; http_header; pcre:"/^Content-Type\x3A\s*image\x2F/smiH"; file_data; content:"|FF D8|"; within:2; fast_pattern; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/sR"; metadata:ruleset community, service http; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-user; sid:2705; rev:18;)
# tRNS: length > 256 and, per the pcre, no PLTE chunk between IHDR and tRNS.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng tRNS overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:12;)
#
# Directshow GIF logical size checks: byte_extract reads the 2-byte little-endian logical screen
# height (file offset 8) or width (file offset 6) into a variable, then byte_test compares it with a
# 2-byte value read relative to the 0x2C image-separator match. The exact relative offsets differ per
# sid. The negated "00 3B" within 1500 excludes files that terminate early.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Directshow GIF logical height overflow attempt"; flow:to_server,established; file_data; content:"GIF8"; depth:4; byte_extract:2,8,gif_height,little; content:!"|00 3B|"; within:1500; content:"|2C 00 00|"; within:3; distance:387; byte_test:2,>,gif_height,0,relative,little; content:!"|96 00|"; within:2; distance:6; metadata:policy security-ips drop, service smtp; reference:cve,2013-3174; classtype:attempted-user; sid:27530; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Directshow GIF logical height overflow attempt"; flow:to_server,established; file_data; content:"GIF8"; depth:4; byte_extract:2,8,gif_height,little; content:!"|00 3B|"; within:1500; content:"|2C 00 00|"; within:3; distance:387; byte_test:2,>,gif_height,4,relative,little; content:!"|96 00|"; within:2; distance:6; metadata:policy security-ips drop, service smtp; reference:cve,2013-3174; classtype:attempted-user; sid:27529; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Directshow GIF logical width overflow attempt"; flow:to_server,established; file_data; content:"GIF8"; depth:4; byte_extract:2,6,gif_width,little; content:!"|00 3B|"; within:1500; content:"|2C 00 00|"; within:3; distance:389; byte_test:2,>,gif_width,2,relative,little; content:!"|96 00|"; within:2; distance:4; metadata:policy security-ips drop, service smtp; reference:cve,2013-3174; classtype:attempted-user; sid:27528; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Directshow GIF logical height overflow attempt"; flow:to_client,established; file_data; content:"GIF8"; depth:4; byte_extract:2,8,gif_height,little; content:!"|00 3B|"; within:1500; content:"|2C|"; distance:0; byte_test:2,>,gif_height,2,relative,little; content:"|08 FF 00|"; within:3; distance:9; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3174; classtype:attempted-user; sid:27527; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Directshow GIF logical height overflow attempt"; flow:to_client,established; file_data; content:"GIF8"; depth:4; byte_extract:2,8,gif_height,little; content:!"|00 3B|"; within:1500; content:"|2C|"; distance:0; byte_test:2,>,gif_height,6,relative,little; content:!"|96 00|"; within:2; distance:6; content:"|08 FF 00|"; within:3; distance:9; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3174; classtype:attempted-user; sid:27526; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Directshow GIF logical width overflow attempt"; flow:to_client,established; file_data; content:"GIF8"; depth:4; byte_extract:2,6,gif_width,little; content:!"|00 3B|"; within:1500; content:"|2C|"; 
distance:0; byte_test:2,>,gif_width,4,relative,little; content:!"|96 00|"; within:2; distance:4; content:"|08 FF 00|"; within:3; distance:9; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3174; classtype:attempted-user; sid:27525; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE JPEG parser multipacket heap overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|00 48 00 00 FF|"; fast_pattern:only; pcre:"/\x00\x48\x00\x00\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; metadata:service smtp; reference:bugtraq,11173; reference:cve,2004-0200; reference:cve,2017-16392; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-028; classtype:attempted-admin; sid:27569; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT file overread buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00 FF|"; byte_jump:2,-17,relative,post_offset -4,big; isdataat:1,relative; content:!"|00 FF|"; within:2; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,28583; reference:cve,2008-1019; classtype:attempted-user; sid:29434; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|80 38 9B CD 97 FB A5 C8 B8 00 0C 06 6E 00 00 10 0C 03 00 00 1F EF F8 8C 56 2D 17 8A BF DF D1 10|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:29433; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop malformed PNG detected 
tRNS overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; content:"tRNS"; distance:0; fast_pattern; byte_test:4,>,256,-8,relative; metadata:service smtp; reference:bugtraq,13941; reference:bugtraq,18385; reference:cve,2005-1211; reference:cve,2006-0025; reference:cve,2012-4170; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:29620; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00 00|"; depth:12; byte_test:2,>,0x2AAA,0,relative,little; metadata:policy security-ips drop, service smtp; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25378; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00 00|"; depth:12; byte_test:2,>,0x2AAA,0,relative,little; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25376; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GIMP heap buffer overflow vulnerability attempt"; flow:to_server,established; flowbits:isset,file.psd; file_data; content:"8BPS|00 01 00 00 00 00 00 00|"; depth:12; byte_test:2,>,56,0,relative; metadata:service smtp; reference:cve,2012-3402; classtype:attempted-user; sid:30213; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE GIMP heap buffer overflow vulnerability attempt"; flow:to_client,established; flowbits:isset,file.psd; file_data; 
content:"8BPS|00 01 00 00 00 00 00 00|"; depth:12; byte_test:2,>,56,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-3402; classtype:attempted-user; sid:30212; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE XnView PCT file processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|36 32 36 36 32 3C 36 32 3C 32 15 32 33 34 44 43 42 41 AA AA AA AA 34 35 36 37 38 90 91 26 32 32|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2577; reference:url,www.coresecurity.com/advisories/xnview-buffer-overflow-vulnerability; classtype:attempted-user; sid:31041; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE XnView PCT file processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|7F 7F 7F 7F 97 01 8F EE 8C 8F 83 7F 7D 73 71 6D 6D 67 66 61 65 60 5E 59 57 56 01 55 E6 57 5C 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2577; reference:url,www.coresecurity.com/advisories/xnview-buffer-overflow-vulnerability; classtype:attempted-user; sid:31040; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE XnView PCT file processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|36 32 36 36 32 3C 36 32 3C 32 15 32 33 34 44 43 42 41 AA AA AA AA 34 35 36 37 38 90 91 26 32 32|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2577; reference:url,www.coresecurity.com/advisories/xnview-buffer-overflow-vulnerability; classtype:attempted-user; sid:31039; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE XnView PCT file processing 
buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|7F 7F 7F 7F 97 01 8F EE 8C 8F 83 7F 7D 73 71 6D 6D 67 66 61 65 60 5E 59 57 56 01 55 E6 57 5C 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2577; reference:url,www.coresecurity.com/advisories/xnview-buffer-overflow-vulnerability; classtype:attempted-user; sid:31038; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xwd; file_data; content:"|00 00 00 64 00 00 00 07|"; depth:8; isdataat:48,relative; content:!"|00 FF 00 00|"; within:4; distance:48; metadata:service smtp; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31576; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xwd; file_data; content:"|00 00 00 64 00 00 00 07|"; depth:8; isdataat:52,relative; content:!"|00 00 FF 00|"; within:4; distance:52; metadata:service smtp; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31575; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xwd; file_data; content:"|00 00 00 64 00 00 00 07|"; depth:8; isdataat:56,relative; content:!"|00 00 00 FF|"; within:4; distance:56; metadata:service smtp; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31574; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xwd; file_data; content:"|00 
00 00 64 00 00 00 07|"; depth:8; isdataat:48,relative; content:!"|00 FF 00 00|"; within:4; distance:48; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31573; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xwd; file_data; content:"|00 00 00 64 00 00 00 07|"; depth:8; isdataat:52,relative; content:!"|00 00 FF 00|"; within:4; distance:52; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31572; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xwd; file_data; content:"|00 00 00 64 00 00 00 07|"; depth:8; isdataat:56,relative; content:!"|00 00 00 FF|"; within:4; distance:56; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31571; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|00 10|JFIF"; depth:6; offset:4; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/s"; metadata:ruleset community, service smtp; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-user; sid:31719; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; file_data; content:"|6D 36 54 55 6C 6A 43 41 43 7A 56 2F 77 79 35 34|"; 
fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32833; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; file_data; content:"|72 ED A6 A4 B6 87 E8 BE ED 5A 64 F4 51 DD 37 F3 31 40 00 B4 B7 3A 61 16 DD 75 A0 40 0F 03 82 16|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32832; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; file_data; content:"|CE 28 C5 56 76 58 A4 26 88 A0 A2 AA 57 D1 FA 7A 23 93 93 A7 A2 D6 0A 18 F9 D5 43 CD 9A 32 88 75|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32831; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; file_data; content:"|6D 36 54 55 6C 6A 43 41 43 7A 56 2F 77 79 35 34|"; fast_pattern:only; metadata:service smtp; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32830; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; file_data; content:"|72 ED A6 A4 B6 87 E8 BE ED 5A 64 F4 51 DD 37 F3 31 40 00 B4 B7 3A 61 16 DD 75 A0 40 0F 03 82 16|"; fast_pattern:only; metadata:service smtp; 
reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32829; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; file_data; content:"|CE 28 C5 56 76 58 A4 26 88 A0 A2 AA 57 D1 FA 7A 23 93 93 A7 A2 D6 0A 18 F9 D5 43 CD 9A 32 88 75|"; fast_pattern:only; metadata:service smtp; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32828; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,0,relative; metadata:ruleset community, service smtp; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:32889; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00|"; depth:4; content:"|02 01 03 00 04 00 00 00|"; depth:100; content:"|06 01 04 00 01 00 00 00 05 00 00 00 0D 01 02 00|"; within:16; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:33518; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; file_data; content:"|49 49 2A 
00|"; depth:4; content:"|02 01 03 00 04 00 00 00|"; depth:100; content:"|06 01 04 00 01 00 00 00 05 00 00 00 0D 01 02 00|"; within:16; distance:4; metadata:service smtp; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:33517; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; file_data; content:"|4D 4D 00 2A|"; depth:4; content:"|01 02 00 03 00 00 00 04 00 00 00|"; depth:100; content:"|01 06 00 04 00 00 00 01 00 00 00 05 01 0D 00 02 00 00 00|"; within:19; distance:1; metadata:service smtp; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:33516; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; file_data; content:"|4D 4D 00 2A|"; depth:4; content:"|01 02 00 03 00 00 00 04 00 00 00|"; depth:100; content:"|01 06 00 04 00 00 00 01 00 00 00 05 01 0D 00 02 00 00 00|"; within:19; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:33515; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|03 01 03 00 01 00 00 00 74 87|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-2027; reference:url,www.adobe.com/support/security/bulletins/apsb12-11.html; classtype:attempted-user; sid:33591; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe 
Photoshop CS4 TIFF parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 03 00 03 00 00 00 01 87 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-2027; reference:cve,2017-3028; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,www.adobe.com/support/security/bulletins/apsb12-11.html; classtype:attempted-user; sid:33590; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 03 00 03 00 00 00 01 87 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2027; reference:cve,2017-3028; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,www.adobe.com/support/security/bulletins/apsb12-11.html; classtype:attempted-user; sid:33589; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|08 0A 00 00 00 2C|"; content:"|00 66 00|"; within:3; distance:1; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:2; metadata:service smtp; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:33615; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Internet Explorer PNG tRNS chunk size 1 information disclosure attempt"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"IHDR"; within:4; distance:4; content:"|00|"; within:1; distance:9; content:"|00 00 00 01|tRNS"; distance:0; fast_pattern; metadata:service smtp; reference:cve,2015-0080; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-024; classtype:misc-attack; sid:33761; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Internet Explorer PNG tRNS chunk size 1 information disclosure attempt"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"IHDR"; within:4; distance:4; content:"|00|"; within:1; distance:9; content:"|00 00 00 01|tRNS"; within:500; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-024; classtype:misc-attack; sid:33760; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft emf file download request"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:" EMF"; depth:4; offset:40; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,10120; reference:bugtraq,28819; reference:bugtraq,9707; reference:cve,2003-0906; reference:cve,2007-5746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001; classtype:misc-activity; sid:33740; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Kodak Imaging small offset malformed tiff - little-endian"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|02 01 03 00|"; byte_test:4,>,6,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-2217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; classtype:attempted-user; sid:34135; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Flash Player element array stack overflow attempt"; 
flow:to_server,established; file_data; content:"|A3 9F 58 B1 37 36 62 A8 E4 74 1B 82 A4 13 60 D8 84 4C F6 40 74 8D 06 A4 12 F2 39 43 19 70 DF 53|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0350; classtype:attempted-user; sid:34134; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Flash Player element array stack overflow attempt"; flow:to_client,established; file_data; content:"|A3 9F 58 B1 37 36 62 A8 E4 74 1B 82 A4 13 60 D8 84 4C F6 40 74 8D 06 A4 12 F2 39 43 19 70 DF 53|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0350; classtype:attempted-user; sid:34133; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows wmf integer overflow attempt"; flow:to_client,established; content:"|D7 CD C6 9A 00 00|"; content:"|00 00 00 00|"; within:4; distance:10; content:"|09 00|"; within:2; distance:4; content:"|38 05|"; distance:0; byte_test:4,<,255,-6,relative,little; byte_test:2,>,4095,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:web-application-attack; sid:34294; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows wmf integer overflow attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"|D7 CD C6 9A 00 00|"; content:"|00 00 00 00|"; within:4; distance:10; content:"|09 00|"; within:2; distance:4; content:"|38 05|"; distance:0; byte_test:4,<,255,-6,relative,little; byte_test:2,>,4095,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25302; 
reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:web-application-attack; sid:34293; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In FlashPix image processing overflow attempt"; flow:to_server,established; flowbits:isset,file.fpx; file_data; content:"|FF D8 FF C0 00 11 08 00 40 00 40 03 01 22 00 02 11 01 03 FF 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1744; classtype:attempted-user; sid:26979; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In FlashPix image processing overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FF D8 FF C0 00 11 08 00 40 00 40 03 01 22 00 02 11 01 03 FF 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1744; classtype:attempted-user; sid:26977; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In FlashPix image processing overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|03 01 22 00 02 11 01 03 62 01 FF DA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1744; classtype:attempted-user; sid:26976; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tRNS overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"tRNS"; distance:0; byte_test:4,>,7000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,13941; reference:bugtraq,18385; reference:cve,2005-1211; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; 
classtype:attempted-user; sid:26860; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iCCP overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"iCCP"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26855; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected cHRM overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"cHRM"; distance:0; byte_test:4,>,7000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26854; rev:7;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE BMP extremely large xpos opcodes"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00|"; content:"|00 02 FF 00 00 02 FF 00 00 02 FF 00|"; within:12; distance:100; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26664; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|"; 
depth:4; content:"8BIM"; within:4; distance:16; content:"|04 09|"; within:2; content:"|FF D8 FF ED|"; distance:0; content:"8BIM"; within:4; distance:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26374; rev:9;) # alert tcp any any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg|file.tiff; file_data; content:"|DE 00 00 00|(|01 03 00 CE FF FF 7F|(|01 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0247; classtype:attempted-user; sid:25348; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition|3A|"; http_client_body; content:".jpg"; distance:0; http_client_body; pcre:"/Content-Disposition\x3a[^\r\n]*?filename\s*=\s*[\x22\x27][^\x22\x27]*?\.(jpe?g|tiff?)[\x22\x27]/iP"; content:"|DE 00 00 00|(|01 03 00 CE FF FF 7F|(|01 00 00|"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0247; classtype:attempted-user; sid:25347; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg|file.tiff; file_data; content:"|DE 00 00 00|(|01 03 00 CE FF FF 7F|(|01 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0247; classtype:attempted-user; sid:25346; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In JPEG 
COC parameter buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.jp2; content:"|FF 90|"; fast_pattern:only; content:"|FF 53|"; byte_jump:2,0,relative,post_offset -6; byte_test:1,>,32,0,relative; content:"|FF 93|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-4516; classtype:attempted-user; sid:24718; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.jp2; content:"|FF 90|"; fast_pattern:only; content:"|FF 52|"; byte_jump:2,0,relative,post_offset -7; byte_test:1,>,32,0,relative; content:"|FF 93|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-4516; classtype:attempted-user; sid:24717; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In JPEG COC parameter buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.jp2; content:"|FF 4F FF 51|"; fast_pattern:only; content:"|FF 53|"; byte_jump:2,0,relative,post_offset -6; byte_test:1,>,32,0,relative; content:"|FF 5C|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-4516; classtype:attempted-user; sid:24716; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.jp2; content:"|FF 4F FF 51|"; fast_pattern:only; content:"|FF 52|"; byte_jump:2,0,relative,post_offset -7; byte_test:1,>,32,0,relative; content:"|FF 5C|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-4516; classtype:attempted-user; sid:24715; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In JPEG COC parameter buffer overflow attempt"; flow:to_client,established; file_data; 
flowbits:isset,file.jp2; content:"|FF 90|"; fast_pattern:only; content:"|FF 53|"; byte_jump:2,0,relative,post_offset -6; byte_test:1,>,32,0,relative; content:"|FF 93|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-4516; classtype:attempted-user; sid:24714; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.jp2; content:"|FF 90|"; fast_pattern:only; content:"|FF 52|"; byte_jump:2,0,relative,post_offset -7; byte_test:1,>,32,0,relative; content:"|FF 93|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-4516; classtype:attempted-user; sid:24713; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In JPEG COC parameter buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.jp2; content:"|FF 4F FF 51|"; fast_pattern:only; content:"|FF 53|"; byte_jump:2,0,relative,post_offset -6; byte_test:1,>,32,0,relative; content:"|FF 5C|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-4516; classtype:attempted-user; sid:24712; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.jp2; content:"|FF 4F FF 51|"; fast_pattern:only; content:"|FF 52|"; byte_jump:2,0,relative,post_offset -7; byte_test:1,>,32,0,relative; content:"|FF 5C|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-4516; classtype:attempted-user; sid:24711; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET 
any (msg:"FILE-IMAGE Apple QuickTime PICT file opcode corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF|"; depth:4; offset:522; isdataat:2,relative; content:!"|0C 00|"; within:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53584; reference:cve,2012-0671; reference:url,community.qualys.com/docs/DOC-3511; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24694; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iCCP"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy max-detect-ips drop, service http, service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22109; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy max-detect-ips drop, service http, service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22108; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"zTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy max-detect-ips drop, service http, service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22107; rev:10;) # alert tcp 
$EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iCCP"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22106; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; content:"|00|"; within:79; distance:12; content:"|01|"; within:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22105; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"zTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22104; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|03 01 03 00 01 00 00 00 74 87|"; fast_pattern:only; metadata:policy 
max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2027; reference:url,www.adobe.com/support/security/bulletins/apsb12-11.html; classtype:attempted-user; sid:21948; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|FF 00 9B 09 1C 28 D0 CA 1A 02 02 49 28 20 C8 70 C0 40 32 11 46 34|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:20637; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|04 7F FF 00 00 08 0D 00 01 00 B0 63 67 20 C1 83 08 ED 04 04 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:20636; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Public LibTiff Exploit"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|63 89 E7 68 2F 73 68 00 68 2F 62 69 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-3459; classtype:attempted-user; sid:20295; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader and Acrobat Libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 01 03 00 01 00 00 00 08 00 00 00 01 01 03 00 01 00 00 00 08 00 00 00 03 01 03 00 01 
00 00 00 AA 00 00 00 06 01 03 00 01 00 00 00 BB 00 00 00 11 01 04 00 01 00 00 00 08 00 00 00 17 01 04 00 01 00 00 00 15 00 00 00 1C 01 03 00 01 00 00 00 01 00 00 00 50 01 03 00|"; fast_pattern:only; content:"|84 00 00 00 00 00 00 00|"; isdataat:196; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-3459; classtype:attempted-user; sid:20294; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Paint jpeg with malformed SOFx field integer overflow attempt"; flow:to_server,established; file_data; content:"|FF C0 00 11 08 FF 37 55 99 03 01 22 00 02 11 01 03 11 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-005; classtype:attempted-user; sid:19130; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime PictureViewer buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|4A 46 49 46|"; content:"|B8 EC 12 00|"; within:4; distance:269; content:"|42 42 42 42|"; within:4; distance:37; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18599; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows wmf integer overflow attempt"; flow:to_client,established; file_data; content:"|D7 CD C6 9A 00 00|"; content:"|00 00 00 00|"; within:4; distance:10; content:"|09 00|"; within:2; distance:4; content:"|38 05|"; distance:0; byte_test:4,<,255,-6,relative,little; byte_test:2,>,4095,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25302; reference:cve,2007-3034; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:web-application-attack; sid:18583; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime PICT file overread buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; stream_size:server,<,16000; content:"|00 11 02 FF 0C 00 FF|"; byte_jump:2,-17,relative,post_offset -4,big; isdataat:1,relative; content:!"|00 FF|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28583; reference:cve,2008-1019; classtype:attempted-user; sid:18561; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime FlashPix Movie file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|00 01 00 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B 01 00 00 00|"; byte_test:4,>,0x0FFFFFFF,12,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39020; reference:cve,2010-0519; classtype:attempted-user; sid:18510; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Flashpix graphics filter fpx32.flt remote code execution attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FE FF 00 00|"; content:"|00 64 61 56 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B 01 00 00 00 00 64 61 56 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B|"; within:36; distance:4; byte_jump:4,0,relative,little; byte_test:4,>,0,-44,relative; content:"|00 00 00 00|"; within:4; distance:-40; byte_jump:4,0,relative,little; byte_test:4,>,0x100,-8,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3951; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18237; 
rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Quicktime FlashPix processing overflow attempt"; flow:to_client, established; flowbits:isset,file.fpx; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|FE FF 09 00|"; within:4; distance:20; content:"|00 00 80 00|"; within:4; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36328; reference:cve,2009-2798; classtype:attempted-user; sid:17740; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"FILE-IMAGE CUPS Gif Decoding Routine Buffer Overflow attempt"; flow:to_server,established; content:"GIF89a"; content:"|3A 00 0B 00 00 0D 2C 00 FF|"; within:1024; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28544; reference:cve,2008-1373; classtype:attempted-user; sid:17558; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Java Web Start Splashscreen GIF decoding buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|46 38 39 61 FF FF FF FF B3 FF 00 FF FF FF CD CD CD A6 A6 A3 0E 0D 0D 05 05 83 ED EC EC AB AB B4|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2086; classtype:attempted-user; sid:17395; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|"; depth:4; content:"8BIM"; within:4; distance:16; content:"|04 0C|"; within:2; content:"|FF D8 FF ED|"; distance:0; content:"8BIM"; within:4; distance:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:17390; rev:10;) # alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GRE WMF Handling Memory Read Exception attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|00 09 00 00 03|"; content:"|04 00 00 00|"; distance:0; pcre:"/^(\x01|\x02)\x00\x09\x00{2}\x03/m"; pcre:"/\x04\x00{3}(\x26|\xff)/Rm"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16167; reference:cve,2006-0143; classtype:attempted-user; sid:17330; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Kodak Imaging large offset malformed tiff - big-endian"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 02 00 03|"; byte_test:4,>,6,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-2217; reference:cve,2010-3950; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:17232; rev:21;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Kodak Imaging small offset malformed tiff - little-endian"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|02 01 03 00|"; byte_test:4,>,6,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-2217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; classtype:attempted-user; sid:17231; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 ABR file processing buffer overflow attempt"; flow:to_client,established; file_data; content:"AnglUntF|23|Ang"; byte_test:4,>,1020,8,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:bugtraq,40389; reference:cve,2010-1296; classtype:attempted-user; sid:17147; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 GRD file processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|00|G|00|r|00|a|00|d|00|i|00|e|00|n|00|t"; nocase; byte_test:4,>,1020,13,relative,big; content:"8BGR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40389; reference:cve,2010-1296; classtype:attempted-user; sid:17146; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 ASL file processing buffer overflow attempt"; flow:to_client,established; file_data; content:"Stylenum"; nocase; byte_test:4,>,1020,8,relative,big; content:"8BSL"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40389; reference:cve,2010-1296; classtype:attempted-user; sid:17145; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 ABR file processing buffer overflow attempt - 2"; flow:to_client,established; file_data; content:"AnglUntF"; nocase; byte_test:4,>,1020,12,relative,big; content:"8BBR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40389; reference:cve,2010-1296; classtype:attempted-user; sid:17144; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 ABR file processing buffer overflow attempt - 1"; flow:to_client,established; file_data; content:"AnglUntF"; nocase; byte_test:4,>,1020,12,relative,big; content:"8BIM"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40389; reference:cve,2010-1296; classtype:attempted-user; sid:17143; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS 
-> $HOME_NET any (msg:"FILE-IMAGE multiple products PNG processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; depth:16; pcre:"/\x89PNG\x0D\x0A\x1A\x0A\x00\x00\x00\x0DIHDR([^\x00]|\x00[^\x00]|.{4}[^\x00]|.{4}\x00[^\x00]|.{8}[\x11-\xff])/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34240; reference:cve,2009-1097; reference:cve,2017-3077; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:16716; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt"; flow:to_client,established; file_data; content:"|FF C0 00 11 08 FF 00 55 AC 03 01 22 00 02 11 01 03 11 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-005; classtype:attempted-user; sid:16422; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime bitmap multiple header overflow"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,65535,4,relative,little; byte_test:4,>,3,12,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17953; reference:cve,2006-2238; classtype:attempted-user; sid:16054; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickDraw PICT images ARGB records handling memory corruption attempt"; flow:to_client,established; file_data; content:"|00 11 02 FF|"; depth:4; offset:522; content:"|00 9A 00 00 00 FF 80|"; distance:0; content:!"|00|"; within:1; distance:10; metadata:policy 
max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22207; reference:cve,2007-0462; classtype:attempted-user; sid:16001; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Sun Microsystems Java gif handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|F9 04 01 00 00 10 00|,|00 00 00 00 00 00 90 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:16000; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ACD Systems ACDSee XPM file format overflow attempt"; flow:to_client,established; flowbits:isset,file.xpm; file_data; content:"/* XPM */"; pcre:"/^\s*\x22[^\x22\n]{300}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23620; reference:cve,2007-2193; classtype:attempted-user; sid:15236; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|01 00 09 00|"; pcre:"/(\x40\x09.{19}|\x41\x0b.{23})[\xf0-\xff].{8}\x01\x00[\x00\x01\x02\x04\x08\x10\x18\x20]\x00/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:15105; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE BMP image handler buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; content:"image/bmp"; fast_pattern:only; http_header; file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4, >, 256, 36, relative, 
little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28874; reference:cve,2008-1765; reference:cve,2008-3020; classtype:attempted-user; sid:13865; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows metafile SetPaletteEntries heap overflow attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|00 09 00|"; content:"|FF FF FF|"; distance:12; content:"|00|"; within:1; distance:2; pcre:"/[\x00\x01]\x00\x09\x00.*?\xff\xff\xff[\xff\xf7][\x36\x37]\x00/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15356; reference:cve,2005-2124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-053; classtype:attempted-user; sid:13807; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime uncompressed PICT stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|"; distance:0; fast_pattern; content:"|82 01|"; distance:0; byte_test:4,<,50,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26344; reference:cve,2007-4672; classtype:attempted-user; sid:12757; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop PNG file handling stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"PLTE"; byte_test:4,>,768,-8,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23698; reference:cve,2007-2365; classtype:attempted-user; sid:11267; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime JPEG 
Huffman Table integer underflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF C4 02 11 00 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12905; reference:cve,2005-0903; classtype:attempted-user; sid:10126; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tRNS overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; content:"tRNS"; distance:0; fast_pattern; byte_test:4,>,7000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13941; reference:bugtraq,18385; reference:cve,2005-1211; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6695; rev:24;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sRGB overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; content:"sRGB"; distance:0; fast_pattern; content:!"iCCP"; within:4; distance:-8; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6692; rev:24;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected cHRM overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; content:"cHRM"; distance:0; fast_pattern; byte_test:4,>,7000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service 
http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6689; rev:23;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime fpx file SectNumMiniFAT overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; byte_test:4,>,8388606,56,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17074; reference:cve,2006-1249; classtype:attempted-user; sid:6505; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player invalid data offset bitmap heap overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.bmp; content:"BM"; depth:2; byte_test:4,<,14,8,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16633; reference:cve,2006-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-005; reference:url,www.eeye.com/html/research/advisories/AD2006021.html; classtype:attempted-admin; sid:5712; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_test:4,>,83386080,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11171; reference:cve,2004-0904; reference:cve,2008-3015; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=255067; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-052; classtype:attempted-admin; sid:3632; rev:25;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-IMAGE Mozilla GIF single packet heap overflow - NETSCAPE2.0"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"GIF"; content:"!|FF 0B|NETSCAPE2.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:3534; rev:26;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 4 "; flow:established,to_client; content:"|B8 B9 B8 B0 AD AF B1 A7 9F DC D1 7B 8C 96 9C FF A1 20 9D 9E 9F 99 B8 FF F2 A4 9F AB AC A6 9F 96|"; fast_pattern:only; reference:cve,2010-1279; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; classtype:attempted-user; sid:16564; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 3 "; flow:established,to_client; content:"|CA 2C 24 FC BD B7 00 28 A8 38 88 DB 62 D4 23 A9 0B 50 D1 A0 C0 63 42 D0 34 E0 00 16 83 01 68 A9|"; fast_pattern:only; reference:cve,2010-1279; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; classtype:attempted-user; sid:16563; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 2 "; flow:established,to_client; content:"|86 6B 82 58 34 09 86 67 95 72 5C 72 46 32 73 49 36 8A 57 3C D2 9D 7F E8 C5 D6 EB C4 B2 EA C3 AE|"; fast_pattern:only; reference:cve,2010-1279; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; classtype:attempted-user; sid:16562; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 "; flow:established,to_client; content:"|39 3E 45 4A 4E 55 5A 5E 63 67 6C 70 72 76 7A 7C 80 83 87 89 8B 8C 90 92 94 96 98 
9A 9A 9C 9E A0|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2010-1279; reference:cve,2017-3028; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; classtype:attempted-user; sid:16561; rev:8;)
#
# Layout note: one rule per line below. A rule whose line starts with "# alert" is shipped
# disabled (Snort treats "#" as a comment); it is kept for reference and can be enabled by a
# local policy. Rules come in pairs: "-> $SMTP_SERVERS 25 ... to_server" for mail and
# "$FILE_DATA_PORTS -> $HOME_NET ... to_client" for downloads over ftp-data/http/imap/pop3.
#
# CVE-2009-2984, Adobe PNG with an empty sPLT chunk (length 00 00 00 00 right after the
# 8-byte PNG signature). Disabled by default.
# NOTE(review): "file_data;" appears twice in this rule and the msg ends with a trailing
# space; neither breaks matching, but the sibling rules use the keyword once.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe PNG empty sPLT exploit attempt "; flow:to_client,established; file_data; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"|00 00 00 00|sPLT"; offset:8; metadata:service http, service imap, service pop3; reference:cve,2009-2984; classtype:attempted-user; sid:16320; rev:5;)
#
# CVE-2015-5097, Acrobat Reader DC TIFF Orientation tag. Big-endian ("MM") and little-endian
# ("II") files each get a server-side and a client-side rule. The byte_test reads the 4-byte
# count field that follows the tag/type pair (tag 0x0112, type 3 = SHORT) and fires when it
# is greater than 8; the II variants read it little-endian.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt"; flow:to_server,established; file_data; content:"MM|00|*"; depth:4; content:"|01 12 00 03|"; byte_test:4,>,8,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5097; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35363; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt"; flow:to_client,established; file_data; content:"MM|00|*"; depth:4; content:"|01 12 00 03|"; byte_test:4,>,8,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5097; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35362; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt"; flow:to_server,established; file_data; content:"II*|00|"; depth:4; content:"|12 01 03 00|"; byte_test:4,>,8,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5097; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35361; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt"; flow:to_client,established; file_data; content:"II*|00|"; depth:4; content:"|12 01 03 00|"; byte_test:4,>,8,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5097; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35360; rev:2;)
#
# CVE-2015-5096, Acrobat GIF-to-PDF conversion. Single fixed 32-byte signature taken from a
# known sample; "fast_pattern:only" means the pattern matcher alone decides the match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat GIF to PDF conversion heap overflow attempt"; flow:to_server,established; file_data; content:"|F6 FF 00 2D 59 B2 01 42 60 1D 34 64 72 74 49 90 40 A0 43 87 F9 04 C2 98 31 A3 80 84 02 07 0A 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5096; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35752; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat GIF to PDF conversion heap overflow attempt"; flow:to_client,established; file_data; content:"|F6 FF 00 2D 59 B2 01 42 60 1D 34 64 72 74 49 90 40 A0 43 87 F9 04 C2 98 31 A3 80 84 02 07 0A 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5096; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35751; rev:3;)
#
# CVE-2015-5105, Acrobat PCX: PCX header bytes at offset 0 plus a fixed 4-byte sequence
# 60 bytes later. Gated on the file.pcx flowbit. Disabled by default.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt"; flow:to_server,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; content:"|00 03 11 11|"; within:4; distance:60; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5105; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35799; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt"; flow:to_client,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; content:"|00 03 11 11|"; within:4; distance:60; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5105; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35798; rev:3;)
#
# CVE-2004-0904 / CVE-2008-3015, Windows Bitmap width overflow: "BM" signature, then the
# BITMAPINFOHEADER size field (0x28) at offset 14; the 4 bytes right after it are the
# little-endian width, tested against 83386080. Disabled by default.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_test:4,>,83386080,0,little,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,11171; reference:cve,2004-0904; reference:cve,2008-3015; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=255067; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-052; classtype:attempted-admin; sid:35848; rev:3;)
#
# CVE-2013-3664, Trimble SketchUp RLE4 BMP. Two header shapes are covered: BITMAPINFOHEADER
# (size 0x28) with a fixed RLE run signature, and BITMAPV4HEADER (size 0x6C) with byte_tests
# on the header values. "|01 00 04 00|" is the planes=1 / bpp=4 field pair that follows the
# width and height. Client-side variants additionally require the file.bmp flowbit.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|42 4D|"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; content:"|01 00 04 00|"; within:4; distance:8; content:!"|00|"; within:1; content:"|01 02 03 04 01 02 03 04 01 02 03 04 01 02 03 04 01 02 03 04 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3664; classtype:attempted-user; sid:36310; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|42 4D|"; depth:2; content:"|6C 00 00 00|"; within:4; distance:12; byte_test:4,<,6,0,relative,little; content:"|01 00 04 00|"; within:4; distance:8; content:!"|00|"; within:1; content:"|00 01|"; within:2; distance:90; byte_test:1,>,0x21,-4,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3664; classtype:attempted-user; sid:36309; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.bmp; content:"|42 4D|"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; content:"|01 00 04 00|"; within:4; distance:8; content:!"|00|"; within:1; content:"|01 02 03 04 01 02 03 04 01 02 03 04 01 02 03 04 01 02 03 04 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3664; classtype:attempted-user; sid:36308; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.bmp; content:"|42 4D|"; depth:2; content:"|6C 00 00 00|"; within:4; distance:12; byte_test:4,<,6,0,relative,little; content:"|01 00 04 00|"; within:4; distance:8; content:!"|00|"; within:1; content:"|00 01|"; within:2; distance:90; byte_test:1,>,0x21,-4,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3664; classtype:attempted-user; sid:36307; rev:1;)
#
# CVE-2010-0028 (MS10-005), Windows Paint JPEG SOFx. Sample-specific signatures: 36818/36817
# match bytes of the scan header (FF DA), 36884 matches a frame header (FF C0). Disabled.
# NOTE(review): msg text is "JPEG" in 36818/36817 but "jpeg" in 36884, and the bulletin URL
# is written ms10-005 vs MS10-005; cosmetic, but alert consumers that key on msg will see two
# spellings of the same detection.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt"; flow:to_server,established; file_data; content:"|FF DA 00 0C 03 01 00 02 11 03 11 00 3F 00 CB A2 8A 2B F1 73 F8 0C 28 A2 8A 00 28 A2 8A 00 28 A2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-005; classtype:attempted-user; sid:36818; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt"; flow:to_client,established; file_data; content:"|FF DA 00 0C 03 01 00 02 11 03 11 00 3F 00 CB A2 8A 2B F1 73 F8 0C 28 A2 8A 00 28 A2 8A 00 28 A2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-005; classtype:attempted-user; sid:36817; rev:1;)
#
# CVE-2009-2500 (MS09-062), WMF meta escape record: after "WMFC|01 00 00 00|" a 4-byte
# little-endian length 14 bytes further on is tested against 1000000. Gated on file.wmf.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows malformed WMF meta escape record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"WMFC|01 00 00 00|"; byte_test:4,>,1000000,14,relative,little; metadata:service smtp; reference:cve,2009-2500; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:36856; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Paint jpeg with malformed SOFx field integer overflow attempt"; flow:to_client,established; file_data; content:"|FF C0 00 11 08 FF 37 55 99 03 01 22 00 02 11 01 03 11 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-005; classtype:attempted-user; sid:36884; rev:1;)
#
# CVE-2012-5679, Adobe Camera Raw TIFF. Each rule is a single 32-byte sample-specific
# signature; all are disabled by default. Most gate on the file.tiff.big flowbit, but
# 37332/37331 do not (their content starts with the "II*" little-endian TIFF header itself).
# NOTE(review): 37332, 37329 and 37328 lack the "fast_pattern:only" their client-side
# siblings carry; with a single content this only affects matcher cost, not what matches.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|02 7C B3 03 84 CB 3B 72 65 E4 39 0B DA 46 1D D3 66 20 67 4C 8E 84 23 F5 15 6F 6E 43 F4 56 0E 62|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37342; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|02 7C B3 03 84 CB 3B 72 65 E4 39 0B DA 46 1D D3 66 20 67 4C 8E 84 23 F5 15 6F 6E 43 F4 56 0E 62|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37341; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|1F A1 54 D5 FD 6B 92 22 20 5A 72 55 C7 7B 52 5C 82 2F 8F 80 50 39 AB B5 78 88 EB 5C EA 18 B8 CB|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37340; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|1F A1 54 D5 FD 6B 92 22 20 5A 72 55 C7 7B 52 5C 82 2F 8F 80 50 39 AB B5 78 88 EB 5C EA 18 B8 CB|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37339; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|0E EF BF F8 89 33 16 46 C1 1A 7D A6 0F 38 9E CB 98 38 28 34 B8 3C 73 7D B8 8A DD 05 F7 C4 1A 51|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37338; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|0E EF BF F8 89 33 16 46 C1 1A 7D A6 0F 38 9E CB 98 38 28 34 B8 3C 73 7D B8 8A DD 05 F7 C4 1A 51|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37337; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|2D 3D 77 CC 54 83 C4 82 6E 71 93 EA 5A 79 AF D9 43 5B CE 72 3E 49 79 FC C0 CF B6 07 DB 1D 4C 95|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37336; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|2D 3D 77 CC 54 83 C4 82 6E 71 93 EA 5A 79 AF D9 43 5B CE 72 3E 49 79 FC C0 CF B6 07 DB 1D 4C 95|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37335; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|23 B3 C5 E5 68 E1 2D 09 38 6F 07 5A 3C 08 6C 71 40 39 9E 18 EE 6D 3E 4D 5E 69 39 D1 03 FB B6 7B|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37334; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|23 B3 C5 E5 68 E1 2D 09 38 6F 07 5A 3C 08 6C 71 40 39 9E 18 EE 6D 3E 4D 5E 69 39 D1 03 FB B6 7B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37333; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; file_data; content:"|49 49 2A 00 84 17 00 00 80 10 60 64 18 19 04 E2 08 04 01 C0 00 C0 48 01 E8 F7 7C 00 00 20 80 08|"; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37332; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00 84 17 00 00 80 10 60 64 18 19 04 E2 08 04 01 C0 00 C0 48 01 E8 F7 7C 00 00 20 80 08|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37331; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|65 3D CC C4 E2 AD 07 42 3E EB 1A EE 87 77 B9 3E 95 72 FC E5 B9 19 9D D2 55 68 1E D8 3F C3 C4 0D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37330; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|80 38 9B CD 97 FB A5 C8 B8 00 0C 06 6E 00 00 10 0C 03 00 00 1F EF F8 8C 56 2D 17 8A BF DF D1 10|"; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37329; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|65 3D CC C4 E2 AD 07 42 3E EB 1A EE 87 77 B9 3E 95 72 FC E5 B9 19 9D D2 55 68 1E D8 3F C3 C4 0D|"; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37328; rev:1;)
#
# CVE-2007-3034 (MS07-046), GDI metafile integer overflow. 37879/37877 anchor on the
# placeable WMF header (D7 CD C6 9A), 37878/37876 on a plain WMF header; in both a 4-byte
# little-endian record size is tested against 0x7FFFC002 (negative offsets step back from the
# end of the previous match). Disabled by default.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI metafile integer overflow attempt"; flow:to_server,established; file_data; content:"|D7 CD C6 9A 00 00|"; depth:6; content:"|00 00 00 00|"; within:4; distance:10; content:"|09 00|"; within:2; distance:4; content:"|0B 02|"; within:2; distance:18; byte_test:4,>,0x7FFFC002,-6,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:attempted-user; sid:37879; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI metafile integer overflow attempt"; flow:to_server,established; file_data; content:"|01 00 09 00 00 03|"; depth:6; content:"|13 02 32 00 96 00 03|"; byte_test:4,>,0x7FFFC002,-11,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:attempted-user; sid:37878; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI metafile integer overflow attempt"; flow:to_client,established; file_data; content:"|D7 CD C6 9A 00 00|"; depth:6; content:"|00 00 00 00|"; within:4; distance:10; content:"|09 00|"; within:2; distance:4; content:"|0B 02|"; within:2; distance:18; byte_test:4,>,0x7FFFC002,-6,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:attempted-user; sid:37877; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI metafile integer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 09 00 00 03|"; depth:6; content:"|13 02 32 00 96 00 03|"; byte_test:4,>,0x7FFFC002,-11,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:attempted-user; sid:37876; rev:1;)
#
# CVE-2016-3714, ImageMagick delegate command injection ("ImageTragick"). These are text
# rules over MVG/SVG-style drawing commands: a "fill", "stroke" or "image" directive whose
# https: URL argument contains a double quote (\x22) before the closing paren or quote. The
# to_server rules cover HTTP uploads and SMTP ($HOME_NET [$HTTP_PORTS,25]); the to_client
# rules additionally require the literal "viewbox" as the fast pattern. All are enabled and
# set to drop in the balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"fill"; nocase; content:"url|28|https:"; distance:0; nocase; pcre:"/fill\s+url\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38744; rev:7;)
# NOTE(review): the next line is not a loadable rule. It appears to be a markup-stripping
# artifact in this copy of the file: everything from a "<" inside a content: string up to the
# next "->" (the arrow of the following rule's header) is gone, so one whole rule is missing
# and the rule that survives (sid 38871) has lost its "alert tcp $EXTERNAL_NET any ->" header.
# The same artifact recurs three more times further down (before sids 39097, 39093 and
# 39115). Restore these lines from the upstream rule set rather than hand-repairing them.
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:" $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"fill"; nocase; content:"https:"; distance:0; nocase; pcre:"/fill\s+\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38871; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"stroke"; nocase; content:"url|28|https:"; distance:0; nocase; pcre:"/stroke\s+url\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38948; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"stroke"; nocase; content:"https:"; distance:0; nocase; pcre:"/stroke\s+\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38947; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"image"; nocase; content:"|28|https:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27]*?\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38946; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"image"; nocase; content:"https:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27]*?\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38945; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"stroke"; nocase; content:"url|28|https:"; distance:0; nocase; pcre:"/stroke\s+url\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39006; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"stroke"; nocase; content:"https:"; distance:0; nocase; pcre:"/stroke\s+\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39005; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"image"; nocase; content:"|28|https:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27]*?\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39004; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"image"; nocase; content:"https:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27]*?\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39003; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"fill"; nocase; content:"url|28|https:"; distance:0; nocase; pcre:"/fill\s+url\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39002; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"fill"; nocase; content:"https:"; distance:0; nocase; pcre:"/fill\s+\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39001; rev:3;)
#
# CVE-2016-5118, ImageMagick/GraphicsMagick OpenBlob: same drawing-command shapes, but the
# indicator is a pipe character (|7C|) at the start of the quoted filename argument, which
# OpenBlob treated as a command to run. Enabled, drop in balanced/security/max-detect.
# NOTE(review): the next line is the second occurrence of the truncation artifact described
# above (the WWWDecodeDelegate to_client rule's header is fused onto sid 39097's body).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:" $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_server,established; file_data; content:"viewbox "; fast_pattern:only; content:"stroke "; nocase; content:"|7C|"; distance:0; pcre:"/stroke\s+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:cve,2016-5118; classtype:attempted-user; sid:39097; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_server,established; file_data; content:"viewbox "; fast_pattern:only; content:"image "; nocase; content:"|7C|"; distance:0; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:cve,2016-5118; classtype:attempted-user; sid:39096; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_server,established; file_data; content:"viewbox "; fast_pattern:only; content:"fill "; nocase; content:"|7C|"; distance:0; pcre:"/fill\s+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:cve,2016-5118; classtype:attempted-user; sid:39095; rev:2;)
# NOTE(review): third occurrence of the truncation artifact (a to_server OpenBlob rule is
# missing; sid 39093's to_client body follows the wrong header).
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_server,established; file_data; content:" $HOME_NET any (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_client,established; file_data; content:"viewbox "; fast_pattern:only; content:"stroke "; nocase; content:"|7C|"; distance:0; pcre:"/stroke\s+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5118; classtype:attempted-user; sid:39093; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_client,established; file_data; content:"viewbox "; fast_pattern:only; content:"image "; nocase; content:"|7C|"; distance:0; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5118; classtype:attempted-user; sid:39092; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_client,established; file_data; content:"viewbox "; fast_pattern:only; content:"fill "; nocase; content:"|7C|"; distance:0; pcre:"/fill\s+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5118; classtype:attempted-user; sid:39091; rev:2;)
#
# CVE-2016-1076, Adobe Acrobat/Reader DC Exif Software (tag 0x0131) and ModifyDate
# (tag 0x0132) metadata. Each rule anchors the APP1 segment either at offset 20 ("FF E1" with
# offset:20, TIFF header at post_offset 30) or directly after SOI ("FF D8 FF E1", TIFF header
# at post_offset 12), in MM and II byte order, then byte_jumps to the tag's value and requires
# 250 bytes with neither a NUL nor a space. All are disabled by default.
# NOTE(review): fourth occurrence of the truncation artifact: sid 39115's body is fused onto
# an OpenBlob to_client header and so appears enabled, whereas its siblings are "# alert".
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 31 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39115; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|31 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39114; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 32 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39113; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|32 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39112; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 31 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39147; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|31 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39146; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 31 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39145; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|31 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39144; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 32 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39143; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|32 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39142; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 32 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39141; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|32 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39140; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 31 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39139; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 
00|"; within:14; distance:2; content:"|31 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39138; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 32 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39137; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|32 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; 
reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39136; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple Core Graphics BMP img_decode_read memory corruption attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_test:1,!&,0x80,7,relative; byte_test:4,>,0xFF00,4,relative,little; byte_extract:4,4,biHeight,relative,little; byte_test:4,<,biHeight,2,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4637; reference:url,support.apple.com/en-us/HT206903; reference:url,www.talosintelligence.com/reports/TALOS-2016-0186/; classtype:attempted-user; sid:39684; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Core Graphics BMP img_decode_read memory corruption attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_test:1,!&,0x80,7,relative; byte_test:4,>,0xFF00,4,relative,little; byte_extract:4,4,biHeight,relative,little; byte_test:4,<,biHeight,2,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4637; reference:url,support.apple.com/en-us/HT206903; reference:url,www.talosintelligence.com/reports/TALOS-2016-0186/; classtype:attempted-user; sid:39683; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|92 86|"; byte_jump:4,6,relative,big,from_beginning; content:"JIS|00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40248; rev:3;) # 
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|86 92|"; byte_jump:4,6,relative,little,from_beginning; content:"JIS|00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40247; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|92 86|"; byte_jump:4,6,relative,big,from_beginning; content:"JIS|00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40246; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|86 92|"; byte_jump:4,6,relative,little,from_beginning; content:"JIS|00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40245; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|92 86|"; http_client_body; byte_extract:4,6,offset,relative,big; content:"|0D 0A 0D 0A|"; http_client_body; content:"JIS|00 00 00 00 00|"; within:8; distance:offset; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-6292; 
reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40244; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; content:"|86 92|"; http_client_body; byte_extract:4,6,offset,relative,little; content:"|0D 0A 0D 0A|"; http_client_body; content:"JIS|00 00 00 00 00|"; within:8; distance:offset; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40243; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|92 7C 00 04|"; byte_test:4,>,30000000,8,relative,big; metadata:service smtp; reference:cve,2016-6291; reference:url,bugs.php.net/bug.php?id=72603; classtype:attempted-user; sid:40297; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|7C 92 04 00|"; byte_test:4,>,30000000,8,relative,little; metadata:service smtp; reference:cve,2016-6291; reference:url,bugs.php.net/bug.php?id=72603; classtype:attempted-user; sid:40296; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|92 7C 00 04|"; byte_test:4,>,30000000,8,relative,big; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-6291; reference:url,bugs.php.net/bug.php?id=72603; classtype:attempted-user; sid:40295; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE PHP 
exif_process_IFD_in_MAKERNOTE out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|7C 92 04 00|"; byte_test:4,>,30000000,8,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-6291; reference:url,bugs.php.net/bug.php?id=72603; classtype:attempted-user; sid:40294; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt"; flow:to_server,established; file_data; isdataat:!14; content:"|FF D8 FF E0 00 10|"; depth:6; isdataat:1,relative; content:!"|4A 46|"; within:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7212; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-130; classtype:attempted-user; sid:40646; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt"; flow:to_client,established; file_data; isdataat:!14; content:"|FF D8 FF E0 00 10|"; depth:6; isdataat:1,relative; content:!"|4A 46|"; within:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7212; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-130; classtype:attempted-user; sid:40645; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ImageMagick LibTIFF invalid SamplesPerPixel buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|06 01 03 00 01 00 00 00 02 00|"; fast_pattern:only; content:"|1C 01 03 00 01 00 00 00 01 00|"; content:"|15 01 03 00 01 00 00 00|"; byte_test:2,<,3,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; 
reference:cve,2016-8707; reference:url,www.talosintelligence.com/reports/TALOS-2016-0216; classtype:attempted-user; sid:40915; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick LibTIFF invalid SamplesPerPixel buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|06 01 03 00 01 00 00 00 02 00|"; fast_pattern:only; content:"|1C 01 03 00 01 00 00 00 01 00|"; content:"|15 01 03 00 01 00 00 00|"; byte_test:2,<,3,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8707; reference:url,www.talosintelligence.com/reports/TALOS-2016-0216; classtype:attempted-user; sid:40914; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt"; flow:to_server,established; file_data; content:"/OutputICCProfile"; nocase; content:"%pipe%"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:url,seclists.org/fulldisclosure/2016/Oct/77; classtype:attempted-user; sid:41121; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt"; flow:to_client,established; file_data; content:"/OutputICCProfile"; nocase; content:"%pipe%"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,seclists.org/fulldisclosure/2016/Oct/77; classtype:attempted-user; sid:41120; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt"; flow:to_server,established; 
flowbits:isset,file.tiff.big; file_data; content:"MM|00 2A|"; depth:4; content:"|01 01 00 03 00 00 00 01|"; content:"|01 06 00 03|"; within:100; distance:-50; byte_test:1,&,0x80,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41184; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|06 01 03 00|"; within:100; distance:-50; byte_test:1,&,0x80,3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41183; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"MM|00 2A|"; depth:4; content:"|01 01 00 03 00 00 00 01|"; content:"|01 06 00 03|"; within:100; distance:-50; byte_test:1,&,0x80,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41182; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; 
content:"|06 01 03 00|"; within:100; distance:-50; byte_test:1,&,0x80,3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41181; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED 00 00|"; within:23; distance:2; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2964; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41149; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED|"; within:21; distance:2; content:!"|00|"; within:1; byte_test:1,!&,1,0,relative; byte_jump:1,0,relative; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2964; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41148; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED|"; within:21; distance:2; byte_test:1,&,1,0,relative; byte_jump:1,0,relative,post_offset 1; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; 
reference:cve,2017-2964; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41147; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED 00 00|"; within:23; distance:2; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2964; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41146; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED|"; within:21; distance:2; content:!"|00|"; within:1; byte_test:1,!&,1,0,relative; byte_jump:1,0,relative; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2964; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41145; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED|"; within:21; distance:2; byte_test:1,&,1,0,relative; byte_jump:1,0,relative,post_offset 1; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2964; 
reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41144; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.jpeg|file.xps; file_data; content:"|FF E0|"; content:"JFIF"; within:4; distance:2; content:"|FF E2|"; distance:0; content:"ICC_PROFILE|00|"; within:12; distance:2; content:!"|00|"; within:1; content:"|00|"; within:1; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16383; reference:cve,2017-2959; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-admin; sid:41203; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.jpeg|file.xps; file_data; content:"|FF E0|"; content:"JFIF"; within:4; distance:2; content:"|FF E2|"; distance:0; content:"ICC_PROFILE|00|"; within:12; distance:2; content:!"|00|"; within:1; content:"|00|"; within:1; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16383; reference:cve,2017-2959; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-admin; sid:41202; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt"; flow:to_server,established; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|31 01 02 00|"; within:300; distance:-50; byte_test:1,&,0x80,3,relative; metadata:policy 
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2965; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41201; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt"; flow:to_client,established; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|31 01 02 00|"; within:300; distance:-50; byte_test:1,&,0x80,3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2965; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41200; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt"; flow:to_server,established; file_data; content:"MM|00 2A|"; depth:4; content:"|01 01 00 03 00 00 00 01|"; content:"|01 31 00 02|"; within:300; distance:-50; byte_test:1,&,0x80,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2965; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41199; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt"; flow:to_client,established; file_data; content:"MM|00 2A|"; depth:4; content:"|01 01 00 03 00 00 00 01|"; content:"|01 31 00 02|"; within:300; distance:-50; byte_test:1,&,0x80,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2965; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; 
classtype:attempted-user; sid:41198; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|80 90 60 70 40 50 10 20 30 AF FD A0 00 80 10 10 00 00 00 1B FC 00 00 00 00 10 00 00 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41305; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|04 05 01 02 03 0A FF DA 00 08 01 01 00 00 00 01 BF C0 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1C 1C 1F 63 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41304; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_server,established; file_data; content:"4050102030affda0008010100000001bfc00000000800000"; fast_pattern:only; metadata:service smtp; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41303; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_server,established; file_data; content:"00801010000000001feAA|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-2971; 
reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41302; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|04 05 01 02 03 0A FF DA 00 08 01 01 00 00 00 01 BF C0 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1C 1C 1F 63 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41301; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_client,established; file_data; content:"809060704050102030affda0008010100000001bfc0000000010000000000000"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41300; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_client,established; file_data; content:"4050102030affda0008010100000001bfc00000000800000"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41299; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe 
Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_client,established; file_data; content:"00801010000000001feAA|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41298; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; content:"Exif|00 00|II"; within:8; distance:2; byte_jump:4,2,relative,little; content:"|69 87 04 00 01 00 00 00|"; distance:0; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,jumpval,relative; content:"Exif|00 00|"; within:200; distance:-200; byte_test:2,>,50,jumpval,relative,little; content:"|01 02|"; within:150; distance:jumpval; byte_test:2,>,12,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2960; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-admin; sid:41341; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; content:"Exif|00 00|II"; within:8; distance:2; byte_jump:4,2,relative,little; content:"|69 87 04 00 01 00 00 00|"; distance:0; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,jumpval,relative; content:"Exif|00 00|"; within:200; distance:-200; byte_test:2,>,50,jumpval,relative,little; content:"|01 02|"; within:150; distance:jumpval; byte_test:2,>,12,0,relative,little; metadata:policy 
max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2960; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-admin; sid:41340; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; content:"Exif|00 00|MM"; within:8; distance:2; byte_jump:4,2,relative; content:"|87 69 00 04 00 00 00 01|"; distance:0; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,jumpval,relative; content:"Exif|00 00|"; within:200; distance:-200; byte_test:2,>,50,jumpval,relative; content:"|02 01|"; within:150; distance:jumpval; byte_test:2,>,12,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2960; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-admin; sid:41339; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; content:"Exif|00 00|MM"; within:8; distance:2; byte_jump:4,2,relative; content:"|87 69 00 04 00 00 00 01|"; distance:0; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,jumpval,relative; content:"Exif|00 00|"; within:200; distance:-200; byte_test:2,>,50,jumpval,relative; content:"|02 01|"; within:150; distance:jumpval; byte_test:2,>,12,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2960; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-admin; sid:41338; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"MM|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|00 07 87 73|"; within:300; distance:-50; byte_extract:4,0,count,relative; byte_jump:4,0,relative,post_offset -8; byte_test:4,>,count,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41398; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"MM|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|00 07 87 73|"; within:300; distance:-50; byte_extract:4,0,count,relative; byte_jump:4,0,relative,post_offset -8; byte_test:4,>,count,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41397; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|73 87 07 00|"; within:300; distance:-50; byte_extract:4,0,count,relative,little; byte_jump:4,0,relative,little,post_offset -8; byte_test:4,>,count,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; 
sid:41396; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|73 87 07 00|"; within:300; distance:-50; byte_extract:4,0,count,relative,little; byte_jump:4,0,relative,little,post_offset -8; byte_test:4,>,count,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41395; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"MM|2A 00|"; depth:4; content:"|01 01 04 00 01 00 00 00|"; content:"|00 07 87 73|"; within:300; distance:-50; byte_extract:4,0,count,relative; byte_jump:4,0,relative,post_offset -8; byte_test:4,>,count,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41394; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"MM|2A 00|"; depth:4; content:"|01 01 04 00 01 00 00 00|"; content:"|00 07 87 73|"; within:300; distance:-50; byte_extract:4,0,count,relative; byte_jump:4,0,relative,post_offset -8; byte_test:4,>,count,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41393; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 04 00 01 00 00 00|"; content:"|73 87 07 00|"; within:300; distance:-50; byte_extract:4,0,count,relative,little; byte_jump:4,0,relative,little,post_offset -8; byte_test:4,>,count,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41392; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 04 00 01 00 00 00|"; content:"|73 87 07 00|"; within:300; distance:-50; byte_extract:4,0,count,relative,little; byte_jump:4,0,relative,little,post_offset -8; byte_test:4,>,count,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41391; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt"; flow:to_server,established; file_data; content:"url|28|"; fast_pattern:only; pcre:"/(stroke|fill) +(\x22|\x27)url\x28(http|https|ftp)\x3A/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3717; 
reference:url,www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726; classtype:attempted-user; sid:41809; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt"; flow:to_client,established; file_data; content:"url|28|"; fast_pattern:only; pcre:"/(stroke|fill) +(\x22|\x27)url\x28(http|https|ftp)\x3A/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3717; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726; classtype:attempted-user; sid:41808; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GDI+ malformed EMF comment heap access violation attempt"; flow:to_server, established; file_data; content:"|01 00 00 00|"; depth:4; content:" EMF"; within:4; distance:36; content:"|46|"; distance:0; content:!"|00 00 00|"; within:3; content:"EMF+"; within:4; distance:11; content:"|46 00 00 00|"; byte_test:4,>,7500,0,relative,little; content:"EMF+"; within:4; distance:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0060; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-user; sid:41971; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE GDI+ malformed EMF comment heap access violation attempt"; flow:to_client, established; file_data; content:"|01 00 00 00|"; depth:4; content:" EMF"; within:4; distance:36; content:"|46|"; distance:0; content:!"|00 00 00|"; within:3; content:"EMF+"; within:4; distance:11; content:"|46 00 00 00|"; byte_test:4,>,7500,0,relative,little; content:"EMF+"; within:4; distance:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:cve,2017-0060; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-user; sid:41970; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GDI+ malformed EMF description out of bounds read attempt"; flow:to_server, established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; depth:44; fast_pattern; content:"|00 00|"; within:2; distance:14; content:!"|00 00 00 00|"; within:4; content:"|00 00 00 00|"; within:4; distance:4; metadata:service smtp; reference:cve,2017-0062; reference:cve,2018-12849; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-admin; sid:41947; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft GDI+ malformed EMF description out of bounds read attempt"; flow:to_client, established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; depth:44; fast_pattern; content:"|00 00|"; within:2; distance:14; content:!"|00 00 00 00|"; within:4; content:"|00 00 00 00|"; within:4; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0062; reference:cve,2018-12849; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-admin; sid:41946; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE libBPG restore_tqb_pixel out of bounds write attempt"; flow:to_server,established; file_data; content:"|42 50 47 FB 30 30 15 15 00 03 AD 47 30 03 30 30 30 44 09 C1 3B 3B 3B 3B 30 00 00 01 26 09 AE 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8710; reference:url,www.talosintelligence.com/reports/TALOS-2016-0223/; classtype:attempted-user; sid:41311; rev:3;) alert 
tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libBPG restore_tqb_pixel out of bounds write attempt"; flow:to_client,established; file_data; content:"|42 50 47 FB 30 30 15 15 00 03 AD 47 30 03 30 30 30 44 09 C1 3B 3B 3B 3B 30 00 00 01 26 09 AE 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8710; reference:url,www.talosintelligence.com/reports/TALOS-2016-0223/; classtype:attempted-user; sid:41310; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|48 01|"; within:100; distance:-50; content:"|01 00 00 00|"; within:4; distance:2; content:!"|03 01|"; metadata:service smtp; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40538; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|48 01|"; within:100; distance:-50; content:"|01 00 00 00|"; within:4; distance:2; content:!"|03 01|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40537; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|47 01|"; within:100; distance:-50; content:"|01 00 00 
00|"; within:4; distance:2; content:!"|03 01|"; metadata:service smtp; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40536; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|47 01|"; within:100; distance:-50; content:"|01 00 00 00|"; within:4; distance:2; content:!"|03 01|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40535; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|46 01|"; within:100; distance:-50; content:"|01 00 00 00|"; within:4; distance:2; content:!"|03 01|"; metadata:service smtp; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40534; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|46 01|"; within:100; distance:-50; content:"|01 00 00 00|"; within:4; distance:2; content:!"|03 01|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40533; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE LibTIFF tiff2pdf JPEG compression 
tables heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|03 01 03 00 01 00 00 00 07 00 00 00|"; content:"|5B 01 02 00|"; within:500; distance:-250; byte_jump:4,4,relative,little,from_beginning; isdataat:2,relative; content:!"|FF D8|"; within:2; metadata:service smtp; reference:cve,2016-5652; reference:url,www.talosintelligence.com/reports/TALOS-2016-0187/; classtype:attempted-user; sid:40526; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE LibTIFF tiff2pdf JPEG compression tables heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|03 01 03 00 01 00 00 00 07 00 00 00|"; content:"|5B 01 02 00|"; within:500; distance:-250; byte_jump:4,4,relative,little,from_beginning; isdataat:2,relative; content:!"|FF D8|"; within:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-5652; reference:url,www.talosintelligence.com/reports/TALOS-2016-0187/; classtype:attempted-user; sid:40525; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE OpenJPEG JPEG2000 MCC record parsing heap memory corruption attempt"; flow:to_server,established; file_data; content:"jp2c|FF 4F FF 51|"; content:"|FF 75|"; within:500; content:"|00|"; within:1; distance:2; byte_jump:2,-3,relative,post_offset -2; content:"|FF 75|"; within:2; content:"|00|"; within:1; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8332; reference:url,www.talosintelligence.com/reports/TALOS-2016-0193/; classtype:attempted-user; sid:40315; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE OpenJPEG JPEG2000 MCC record parsing heap memory corruption attempt"; flow:to_client,established; file_data; content:"jp2c|FF 4F FF 51|"; content:"|FF 75|"; within:500; content:"|00|"; 
within:1; distance:2; byte_jump:2,-3,relative,post_offset -2; content:"|FF 75|"; within:2; content:"|00|"; within:1; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8332; reference:url,www.talosintelligence.com/reports/TALOS-2016-0193/; classtype:attempted-user; sid:40314; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE FreeImage library XPM handling out of bounds write attempt"; flow:to_server,established; file_data; content:" XPM "; depth:25; fast_pattern; content:"char"; pcre:"/\x2f\x2a\s+XPM\s+\x2a\x2f[^\x7b]*?\x7b\s*\x22\s*(\d+\s+){3}\d{4}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5684; reference:url,www.talosintelligence.com/reports/TALOS-2016-0189; classtype:attempted-user; sid:39884; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE FreeImage library XPM handling out of bounds write attempt"; flow:to_client,established; file_data; content:" XPM "; depth:25; fast_pattern; content:"char"; pcre:"/\x2f\x2a\s+XPM\s+\x2a\x2f[^\x7b]*?\x7b\s*\x22\s*(\d+\s+){3}\d{4}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5684; reference:url,www.talosintelligence.com/reports/TALOS-2016-0189; classtype:attempted-user; sid:39883; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle OIT CYMK TIFF parsing heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 06 00 03 00 00 00 01 00 05 00 00|"; fast_pattern:only; content:"|01 15 00 03 00 00 00 01|"; byte_test:2,<,4,0,relative; metadata:service smtp; reference:cve,2016-3582; reference:url,www.talosintelligence.com/reports/TALOS-2016-0104; classtype:attempted-user; sid:39676; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 
25 (msg:"FILE-IMAGE Oracle OIT CYMK TIFF parsing heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; fast_pattern:only; content:"|15 01 03 00 01 00 00 00|"; byte_test:2,<,4,0,relative,little; metadata:service smtp; reference:cve,2016-3582; reference:url,www.talosintelligence.com/reports/TALOS-2016-0104; classtype:attempted-user; sid:39675; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle OIT CYMK TIFF parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 06 00 03 00 00 00 01 00 05 00 00|"; fast_pattern:only; content:"|01 15 00 03 00 00 00 01|"; byte_test:2,<,4,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3582; reference:url,www.talosintelligence.com/reports/TALOS-2016-0104; classtype:attempted-user; sid:39674; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle OIT CYMK TIFF parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; fast_pattern:only; content:"|15 01 03 00 01 00 00 00|"; byte_test:2,<,4,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3582; reference:url,www.talosintelligence.com/reports/TALOS-2016-0104; classtype:attempted-user; sid:39673; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple OSX EXR image invalid box2i attribute heap buffer overflow attempt"; flow:to_server,established; file_data; content:"v/1|01|"; depth:4; content:"box2i|00|"; content:!"|10 00 00 00|"; within:4; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4629; reference:url,www.talosintelligence.com/reports/TALOS-2016-0180; 
classtype:attempted-user; sid:39635; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple OSX EXR image invalid box2i attribute heap buffer overflow attempt"; flow:to_client,established; file_data; content:"v/1|01|"; depth:4; content:"box2i|00|"; content:!"|10 00 00 00|"; within:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4629; reference:url,www.talosintelligence.com/reports/TALOS-2016-0180; classtype:attempted-user; sid:39634; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 04 00 00 00 01|"; byte_extract:4,0,imgWidth,relative,big; content:"|01 42 00 04 00 00 00 01|"; byte_test:4,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39632; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 04 00 01 00 00 00|"; byte_extract:4,0,imgWidth,relative,little; content:"|42 01 04 00 01 00 00 00|"; byte_test:4,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39631; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer 
overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 04 00 00 00 01|"; byte_extract:4,0,imgLength,relative,big; content:"|01 43 00 04 00 00 00 01|"; byte_test:4,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39630; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 04 00 01 00 00 00|"; byte_extract:4,0,imgLength,relative,little; content:"|43 01 04 00 01 00 00 00|"; byte_test:4,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39629; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 04 00 00 00 01|"; byte_extract:4,0,imgWidth,relative,big; content:"|01 42 00 03 00 00 00 01|"; byte_test:2,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39628; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; 
flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 04 00 01 00 00 00|"; byte_extract:4,0,imgWidth,relative,little; content:"|42 01 03 00 01 00 00 00|"; byte_test:2,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39627; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 04 00 00 00 01|"; byte_extract:4,0,imgLength,relative,big; content:"|01 43 00 03 00 00 00 01|"; byte_test:2,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39626; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 04 00 01 00 00 00|"; byte_extract:4,0,imgLength,relative,little; content:"|43 01 03 00 01 00 00 00|"; byte_test:2,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39625; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; 
flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 04 00 00 00 01|"; byte_extract:4,0,imgWidth,relative,big; content:"|01 42 00 04 00 00 00 01|"; byte_test:4,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39624; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 04 00 01 00 00 00|"; byte_extract:4,0,imgWidth,relative,little; content:"|42 01 04 00 01 00 00 00|"; byte_test:4,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39623; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 04 00 00 00 01|"; byte_extract:4,0,imgLength,relative,big; content:"|01 43 00 04 00 00 00 01|"; byte_test:4,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205/; classtype:attempted-user; sid:39622; rev:5;) # 
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 04 00 01 00 00 00|"; byte_extract:4,0,imgLength,relative,little; content:"|43 01 04 00 01 00 00 00|"; byte_test:4,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39621; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 04 00 00 00 01|"; byte_extract:4,0,imgWidth,relative,big; content:"|01 42 00 03 00 00 00 01|"; byte_test:2,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39620; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 04 00 01 00 00 00|"; byte_extract:4,0,imgWidth,relative,little; content:"|42 01 03 00 01 00 00 00|"; byte_test:2,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; 
reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39619; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 04 00 00 00 01|"; byte_extract:4,0,imgLength,relative,big; content:"|01 43 00 03 00 00 00 01|"; byte_test:2,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39618; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 04 00 01 00 00 00|"; byte_extract:4,0,imgLength,relative,little; content:"|43 01 03 00 01 00 00 00|"; byte_test:2,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39617; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 03 00 00 00 01|"; byte_extract:2,0,imgWidth,relative,big; content:"|01 42 00 04 00 00 00 01|"; byte_test:4,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy 
security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39616; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 03 00 01 00 00 00|"; byte_extract:2,0,imgWidth,relative,little; content:"|42 01 04 00 01 00 00 00|"; byte_test:4,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:cve,2017-2870; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; reference:url,www.talosintelligence.com/reports/TALOS-2017-0377; classtype:attempted-user; sid:39615; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 03 00 00 00 01|"; byte_extract:2,0,imgLength,relative,big; content:"|01 43 00 04 00 00 00 01|"; byte_test:4,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39614; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 03 00 01 00 00 00|"; byte_extract:2,0,imgLength,relative,little; content:"|43 01 04 00 01 00 00 00|"; 
byte_test:4,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39613; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 03 00 00 00 01|"; byte_extract:2,0,imgWidth,relative,big; content:"|01 42 00 03 00 00 00 01|"; byte_test:2,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39612; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 03 00 01 00 00 00|"; byte_extract:2,0,imgWidth,relative,little; content:"|42 01 03 00 01 00 00 00|"; byte_test:2,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39611; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 03 00 00 00 01|"; byte_extract:2,0,imgLength,relative,big; content:"|01 43 00 03 00 00 00 01|"; 
byte_test:2,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39610; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 03 00 01 00 00 00|"; byte_extract:2,0,imgLength,relative,little; content:"|43 01 03 00 01 00 00 00|"; byte_test:2,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39609; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 03 00 00 00 01|"; byte_extract:2,0,imgWidth,relative,big; content:"|01 42 00 04 00 00 00 01|"; byte_test:4,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39608; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 03 00 01 00 00 00|"; byte_extract:2,0,imgWidth,relative,little; 
content:"|42 01 04 00 01 00 00 00|"; byte_test:4,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:cve,2017-2870; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; reference:url,www.talosintelligence.com/reports/TALOS-2017-0377; classtype:attempted-user; sid:39607; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 03 00 00 00 01|"; byte_extract:2,0,imgLength,relative,big; content:"|01 43 00 04 00 00 00 01|"; byte_test:4,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39606; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 03 00 01 00 00 00|"; byte_extract:2,0,imgLength,relative,little; content:"|43 01 04 00 01 00 00 00|"; byte_test:4,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39605; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET 
any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 03 00 00 00 01|"; byte_extract:2,0,imgWidth,relative,big; content:"|01 42 00 03 00 00 00 01|"; byte_test:2,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39604; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 03 00 01 00 00 00|"; byte_extract:2,0,imgWidth,relative,little; content:"|42 01 03 00 01 00 00 00|"; byte_test:2,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39603; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 03 00 00 00 01|"; byte_extract:2,0,imgLength,relative,big; content:"|01 43 00 03 00 00 00 01|"; byte_test:2,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; 
reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39602; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 03 00 01 00 00 00|"; byte_extract:2,0,imgLength,relative,little; content:"|43 01 03 00 01 00 00 00|"; byte_test:2,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39601; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple OSX EXR image tile size heap buffer overflow attempt"; flow:to_server,established; file_data; content:"v/1|01|"; depth:4; content:"compression|00 01 00 00 00 07|"; fast_pattern:only; content:"tiledesc|00|"; byte_test:1,&,0x80,7,relative; metadata:service smtp; reference:cve,2016-4630; reference:url,www.talosintelligence.com/reports/TALOS-2016-0181; classtype:attempted-user; sid:39600; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple OSX EXR image tile size heap buffer overflow attempt"; flow:to_client,established; file_data; content:"v/1|01|"; depth:4; content:"compression|00 01 00 00 00 07|"; fast_pattern:only; content:"tiledesc|00|"; byte_test:1,&,0x80,7,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4630; reference:url,www.talosintelligence.com/reports/TALOS-2016-0181; classtype:attempted-user; sid:39599; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle OIT BMP file parsing heap buffer overflow attempt"; flow:to_server,established; file_data; content:"BM"; 
depth:2; byte_test:4,>,16000,16,relative,little; content:!"|04 00|"; within:2; distance:26; content:"|02 00 00 00|"; within:4; distance:28; metadata:service smtp; reference:cve,2016-3596; reference:url,www.talosintelligence.com/reports/TALOS-2016-0163; classtype:attempted-user; sid:39596; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle OIT BMP file parsing heap buffer overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; byte_test:4,>,16000,16,relative,little; content:!"|08 00|"; within:2; distance:26; content:"|01 00 00 00|"; within:4; distance:28; metadata:service smtp; reference:cve,2016-3596; reference:url,www.talosintelligence.com/reports/TALOS-2016-0163; classtype:attempted-user; sid:39595; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle OIT BMP file parsing heap buffer overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; byte_test:4,>,16000,16,relative,little; content:!"|04 00|"; within:2; distance:26; content:"|02 00 00 00|"; within:4; distance:28; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3596; reference:url,www.talosintelligence.com/reports/TALOS-2016-0163; classtype:attempted-user; sid:39594; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle OIT BMP file parsing heap buffer overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; byte_test:4,>,16000,16,relative,little; content:!"|08 00|"; within:2; distance:26; content:"|01 00 00 00|"; within:4; distance:28; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3596; reference:url,www.talosintelligence.com/reports/TALOS-2016-0163; classtype:attempted-user; sid:39593; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF memory corruption attempt"; flow:to_server,established; 
file_data; content:"|02 84 BC 8F A9 CB 8D 00 0C 8C AE CA 10 A0 4D 53 77 8C 3D 1B A5 00 58 37 8D 8C 99 81 2C D9 C0 CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3050; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42219; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed GIF memory corruption attempt"; flow:to_client,established; file_data; content:"|02 84 BC 8F A9 CB 8D 00 0C 8C AE CA 10 A0 4D 53 77 8C 3D 1B A5 00 58 37 8D 8C 99 81 2C D9 C0 CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3050; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42218; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt"; flow:to_server,established; file_data; content:"|A0 02 00 04 00 00 00 01 00 00 01 21 A0 03 00 04 00 00 00 01 00 00 01 04 00 00 00 00 FF DB 00 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3051; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42325; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt"; flow:to_client,established; file_data; content:"|A0 02 00 04 00 00 00 01 00 00 01 21 A0 03 00 04 00 00 00 01 00 00 01 04 00 00 00 00 FF DB 00 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:cve,2017-3051; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42324; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|00 2C|"; byte_test:1,<,0xFF,10,relative; byte_jump:1,10,relative; content:!"|00|"; within:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2790; classtype:denial-of-service; sid:42464; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|00 2C|"; byte_test:1,<,0xFF,10,relative; byte_jump:1,10,relative; content:!"|00|"; within:1; metadata:service smtp; reference:cve,2015-2790; classtype:denial-of-service; sid:42463; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt"; flow:to_server,established; file_data; content:"|4D 4D 2A 00|"; depth:4; byte_jump:4,0,relative,from_beginning; content:"|01 17|"; byte_test:4,>,2,2,relative; byte_test:4,<,200,6,relative; metadata:service smtp; reference:cve,2017-3049; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42847; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt"; flow:to_client,established; file_data; content:"|4D 4D 2A 00|"; depth:4; byte_jump:4,0,relative,from_beginning; content:"|01 17|"; byte_test:4,>,2,2,relative; byte_test:4,<,200,6,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3049; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42846; rev:1;) # alert tcp $EXTERNAL_NET any 
-> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt"; flow:to_server,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_jump:4,0,relative,little,from_beginning; content:"|17 01|"; byte_test:4,>,2,2,relative,little; byte_test:4,<,200,6,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3049; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42845; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_jump:4,0,relative,little,from_beginning; content:"|17 01|"; byte_test:4,>,2,2,relative,little; byte_test:4,<,200,6,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3049; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42844; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"MM|2A 00|"; depth:4; content:"|01 53 00 03|"; distance:0; byte_test:4,>,2,0,relative,big; byte_jump:4,4,relative,big,from_beginning; byte_test:2,>,1,0,relative,big; metadata:service smtp; reference:cve,2017-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42940; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"MM|2A 00|"; depth:4; content:"|01 53 00 03|"; distance:0; byte_test:4,>,2,0,relative,big; 
byte_jump:4,4,relative,big,from_beginning; byte_test:2,>,1,0,relative,big; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42939; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt"; flow:to_server,established; flowbits:isset,file.xps|file.tiff.little; file_data; content:"|53 01 03 00|"; byte_test:4,>,2,0,relative,little; byte_jump:4,4,relative,little,from_beginning; byte_test:2,>,1,0,relative,little; metadata:service smtp; reference:cve,2017-16381; reference:cve,2017-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:42938; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt"; flow:to_client,established; flowbits:isset,file.xps|file.tiff.little; file_data; content:"|53 01 03 00|"; byte_test:4,>,2,0,relative,little; byte_jump:4,4,relative,little,from_beginning; byte_test:2,>,1,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16381; reference:cve,2017-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:42937; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE multiple products PNG processing buffer overflow attempt"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; depth:16; pcre:"/\x89PNG\x0D\x0A\x1A\x0A\x00\x00\x00\x0DIHDR([^\x00]|\x00[^\x00]|.{4}[^\x00]|.{4}\x00[^\x00]|.{8}[\x11-\xff])/s"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34240; reference:cve,2009-1097; 
reference:cve,2017-3077; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43399; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|40 09|"; byte_test:4,>,0xF0000000,19,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:43362; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"|41 0B|"; byte_test:4,>,0xF0000000,23,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:43361; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"|40 09|"; byte_test:4,>,0xF0000000,19,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:43360; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|41 0B|"; byte_test:4,>,0xF0000000,23,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; 
classtype:attempted-admin; sid:43359; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; depth:2; content:"Exif"; within:4; distance:20; content:"II"; within:2; distance:2; byte_jump:4,2,relative,little,post_offset -4; byte_test:2,>,12,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7799; reference:url,github.com/ImageMagick/ImageMagick/issues/280; classtype:attempted-user; sid:43098; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; depth:2; content:"Exif"; within:4; distance:20; content:"II"; within:2; distance:2; byte_jump:4,2,relative,little,post_offset -4; byte_test:2,>,12,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7799; reference:url,github.com/ImageMagick/ImageMagick/issues/280; classtype:attempted-user; sid:43097; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; depth:2; content:"Exif"; within:4; distance:20; content:"MM"; within:2; distance:2; byte_jump:4,2,relative,post_offset -4; byte_test:2,>,12,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7799; reference:url,github.com/ImageMagick/ImageMagick/issues/280; classtype:attempted-user; sid:43096; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; depth:2; content:"Exif"; within:4; distance:20; content:"MM"; within:2; distance:2; byte_jump:4,2,relative,post_offset -4; byte_test:2,>,12,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7799; reference:url,github.com/ImageMagick/ImageMagick/issues/280; classtype:attempted-user; sid:43095; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_server,established; file_data; content:"|D8 00 00 00 03 00 00 21 E0 00 00 00 00 00 00 24 28 01 00 00 01 00 00 24 5C 01 00 00 02 00 00 21|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1768; classtype:attempted-admin; sid:43052; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_client,established; file_data; content:"|D8 00 00 00 03 00 00 21 E0 00 00 00 00 00 00 24 28 01 00 00 01 00 00 24 5C 01 00 00 02 00 00 21|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1768; classtype:attempted-admin; sid:43051; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt"; flow:to_server,established; file_data; content:"GIF89"; depth:5; content:"|21 00|"; within:1024; content:"|2C 00 00 00 00 00 00 00 00|"; within:1024; byte_test:1,>=,0x85,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8730; 
reference:url,www.talosintelligence.com/reports/TALOS-2016-0244/; classtype:attempted-user; sid:42141; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt"; flow:to_client,established; file_data; content:"GIF89"; depth:5; content:"|21 00|"; within:1024; content:"|2C 00 00 00 00 00 00 00 00|"; within:1024; byte_test:1,>=,0x85,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8730; reference:url,www.talosintelligence.com/reports/TALOS-2016-0244/; classtype:attempted-user; sid:42140; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt"; flow:to_server,established; file_data; content:"MM|00 2A|"; depth:4; content:"|01 00 00 03 00 00 00 01|"; content:"|01 01 00 01 00 00 00 00 00 00 00 00|"; within:100; distance:-50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2804; reference:url,www.talosintelligence.com/reports/TALOS-2017-0298/; classtype:attempted-user; sid:42091; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt"; flow:to_server,established; file_data; content:"II|2A 00|"; depth:4; content:"|00 01 03 00 01 00 00 00|"; content:"|01 01 01 00 00 00 00 00 00 00 00 00|"; within:100; distance:-50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2804; reference:url,www.talosintelligence.com/reports/TALOS-2017-0298/; classtype:attempted-user; sid:42090; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt"; flow:to_client,established; file_data; content:"MM|00 2A|"; depth:4; 
content:"|01 00 00 03 00 00 00 01|"; content:"|01 01 00 01 00 00 00 00 00 00 00 00|"; within:100; distance:-50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2804; reference:url,www.talosintelligence.com/reports/TALOS-2017-0298/; classtype:attempted-user; sid:42089; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt"; flow:to_client,established; file_data; content:"II|2A 00|"; depth:4; content:"|00 01 03 00 01 00 00 00|"; content:"|01 01 01 00 00 00 00 00 00 00 00 00|"; within:100; distance:-50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2804; reference:url,www.talosintelligence.com/reports/TALOS-2017-0298/; classtype:attempted-user; sid:42088; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Corel Photo Paint invalid NewSubFileType memory corruption attempt"; flow:to_server,established; file_data; content:"II|2A 00|"; depth:4; byte_jump:4,0,relative,post_offset 2,from_beginning,little; content:"|FE 00 04 00|"; within:100; byte_test:1,>,0x7F,3,relative; byte_test:1,>,0x7F,7,relative; metadata:service smtp; reference:cve,2017-2803; reference:url,www.talosintelligence.com/reports/TALOS-2017-0297/; classtype:attempted-user; sid:42087; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Corel Photo Paint invalid NewSubFileType memory corruption attempt"; flow:to_server,established; file_data; content:"MM|00 2A|"; depth:4; byte_jump:4,0,relative,post_offset 2,from_beginning; content:"|00 FE 00 04|"; within:100; byte_test:1,>,0x7F,0,relative; byte_test:1,>,0x7F,4,relative; metadata:service smtp; reference:cve,2017-2803; reference:url,www.talosintelligence.com/reports/TALOS-2017-0297/; classtype:attempted-user; sid:42086; rev:2;) # 
# ---------------------------------------------------------------------------
# FILE-IMAGE rules (continued): malformed image parsers in Corel, Adobe Acrobat,
# Apple QuickTime, Qt, Gifsicle and Windows GDI.
#
# Conventions used throughout this block:
#   - Rules come in pairs: an SMTP variant ($EXTERNAL_NET any -> $SMTP_SERVERS 25,
#     flow:to_server) and a client-download variant ($FILE_DATA_PORTS -> $HOME_NET,
#     flow:to_client, service ftp-data/http/imap/pop3).
#   - A leading "# " means the rule ships disabled; it is kept here as reference
#     and can be enabled in a local policy.
#   - "metadata:policy <name> drop" lists the shipped policies in which the rule
#     drops rather than alerts; rules without it only ever alert.
#   - "flowbits:isset,file.<type>" is a prerequisite set by a file-type
#     identification rule outside this file. If that identification rule is
#     disabled or never matches, the dependent rule here can never fire.
#   - "file_data" switches inspection to the decoded file (MIME-decoded SMTP
#     attachment, dechunked/decompressed HTTP body). Rules that omit it search
#     the raw TCP payload instead (see the notes on sid 44885/44884, 45306/45305
#     and 46720-46717 below).
# ---------------------------------------------------------------------------

# CVE-2017-2803 (TALOS-2017-0297): TIFF IFD entry for NewSubFileType (tag 0x00FE,
# type LONG) whose 4-byte count or value has the sign bit set. byte_jump follows
# the IFD offset in the header, post_offset 2 skips the entry count, and the two
# byte_tests read the high byte of count (offset 3) and value (offset 7) of the
# little-endian entry. within:100 limits the search to the first few entries.
# NOTE(review): only the little-endian variant (sid 42085) ships enabled; its
# big-endian twin (sid 42084) is disabled, so "MM" files are not covered by default.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Corel Photo Paint invalid NewSubFileType memory corruption attempt"; flow:to_client,established; file_data; content:"II|2A 00|"; depth:4; byte_jump:4,0,relative,post_offset 2,from_beginning,little; content:"|FE 00 04 00|"; within:100; byte_test:1,>,0x7F,3,relative; byte_test:1,>,0x7F,7,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2803; reference:url,www.talosintelligence.com/reports/TALOS-2017-0297/; classtype:attempted-user; sid:42085; rev:2;)
# Big-endian ("MM") form of sid 42085: high byte of count is at offset 0 and of
# value at offset 4 of the entry.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Corel Photo Paint invalid NewSubFileType memory corruption attempt"; flow:to_client,established; file_data; content:"MM|00 2A|"; depth:4; byte_jump:4,0,relative,post_offset 2,from_beginning; content:"|00 FE 00 04|"; within:100; byte_test:1,>,0x7F,0,relative; byte_test:1,>,0x7F,4,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2803; reference:url,www.talosintelligence.com/reports/TALOS-2017-0297/; classtype:attempted-user; sid:42084; rev:2;)

# CVE-2017-3116 / CVE-2017-3124 (APSB17-24): PCX header with inverted window
# coordinates. After the 4-byte magic (manufacturer 0x0A, version 5, RLE, 8 bpp)
# the header holds xmin, ymin, xmax, ymax as little-endian 16-bit values.
# sid 43874/43873 extract ymin (offset 2) and fire when ymax < ymin;
# sid 43872/43871 extract xmin (offset 0) and fire when xmax < xmin.
# byte_extract advances the cursor past the extracted field, which is why the
# following byte_test uses offset 2 to land on the matching max coordinate.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; byte_extract:2,2,ymin,relative,little; byte_test:2,<,ymin,2,relative,little; metadata:service smtp; reference:cve,2017-3116; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43874; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; byte_extract:2,2,ymin,relative,little; byte_test:2,<,ymin,2,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3116; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43873; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; byte_extract:2,0,xmin,relative,little; byte_test:2,<,xmin,2,relative,little; metadata:service smtp; reference:cve,2017-3124; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43872; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; byte_extract:2,0,xmin,relative,little; byte_test:2,<,xmin,2,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3124; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43871; rev:1;)

# CVE-2017-3123 (APSB17-24): EMF EMR_MOVETOEX record (type 0x1B) whose 4-byte
# size field exceeds 0xFFFFFF. The leading "00 00" in the content anchors on the
# zero high bytes of the preceding field; the two trailing "00 00" checks
# constrain the high halves of the following point coordinates.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Reader EMF EMR_MOVETOEX memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|00 00 1B 00 00 00|"; byte_test:4,>,0xFFFFFF,0,relative,little; content:"|00 00|"; within:2; distance:6; content:"|00 00|"; within:2; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3123; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43866; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader EMF EMR_MOVETOEX memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|00 00 1B 00 00 00|"; byte_test:4,>,0xFFFFFF,0,relative,little; content:"|00 00|"; within:2; distance:6; content:"|00 00|"; within:2; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3123; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43865; rev:2;)

# CVE-2017-11226 (APSB17-24): raw JPEG 2000 codestream (SOC marker FF 4F followed
# by SIZ marker FF 51) whose tile width or height exceeds 1,000,000,000
# (0x3b9aca00). Relative offset 20 is XTsiz and offset 24 is YTsiz, going by the
# fixed SIZ layout (Lsiz, Rsiz, Xsiz, Ysiz, XOsiz, YOsiz, XTsiz, YTsiz).
# No flowbit prerequisite: depth:4 on the magic is the only file-type check.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt"; flow:to_server,established; file_data; content:"|FF 4F FF 51|"; depth:4; byte_test:4,>,0x3b9aca00,24,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11226; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43911; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt"; flow:to_server,established; file_data; content:"|FF 4F FF 51|"; depth:4; byte_test:4,>,0x3b9aca00,20,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11226; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43910; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt"; flow:to_client,established; file_data; content:"|FF 4F FF 51|"; depth:4; byte_test:4,>,0x3b9aca00,24,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11226; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43909; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt"; flow:to_client,established; file_data; content:"|FF 4F FF 51|"; depth:4; byte_test:4,>,0x3b9aca00,20,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11226; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43908; rev:3;)

# CVE-2017-11214 / CVE-2018-15986: EMF EMR_STROKEPATH record (type 0x40, size
# 0x18) followed 4 bytes later by a 32-bit field larger than 0xFFFFFF.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|40 00 00 00 18 00 00 00|"; byte_test:4,>,0xFFFFFF,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11214; reference:cve,2018-15986; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43903; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|40 00 00 00 18 00 00 00|"; byte_test:4,>,0xFFFFFF,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11214; reference:cve,2018-15986; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43902; rev:4;)

# CVE-2017-11234 and follow-ups: TIFF PlanarConfiguration entry (tag 0x011C,
# type SHORT, count 1) whose value is anything other than 1. The value of a
# SHORT is stored in the first two bytes of the 4-byte value field, hence the
# negated "|00 01 00 00|" (big-endian, sid 44026/44025) and "|01 00 00 00|"
# (little-endian, sid 44024/44023) checks. Note this also fires on the legal
# value 2 (planar layout), so expect alerts on some benign TIFFs.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 1C 00 03 00 00 00 01|"; content:!"|00 01 00 00|"; within:4; metadata:service smtp; reference:cve,2017-11234; reference:cve,2017-16396; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44026; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 1C 00 03 00 00 00 01|"; content:!"|00 01 00 00|"; within:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11234; reference:cve,2017-16396; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44025; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|1C 01 03 00 01 00 00 00|"; content:!"|01 00 00 00|"; within:4; metadata:service smtp; reference:cve,2017-11234; reference:cve,2018-15927; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44024; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|1C 01 03 00 01 00 00 00|"; content:!"|01 00 00 00|"; within:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11234; reference:cve,2018-15927; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44023; rev:4;)

# Generic structural check, no CVE: PNG signature not immediately followed by the
# mandatory 13-byte IHDR chunk. within:9 (no distance) allows the chunk to start
# at offset 8 or 9, so a single stray byte before IHDR is tolerated. Any
# non-conforming PNG trips this, which is presumably why it ships disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE malformed png missing IHDR"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:!"|00 00 00 0D|IHDR"; within:9; metadata:service smtp; classtype:attempted-user; sid:44020; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE malformed png missing IHDR"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:!"|00 00 00 0D|IHDR"; within:9; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:44019; rev:1;)

# CVE-2017-11255 and follow-ups: truncated TIFF ColorMap (tag 0x0140, type SHORT).
# Walk: header -> byte_jump to the first IFD -> find the ColorMap entry ->
# byte_extract count*2 bytes (SHORT entries) -> byte_jump to the value offset ->
# isdataat:!count says the file ends before the whole color map is present.
# NOTE(review): the little-endian pair (sid 44060/44059, rev 5) adds
# "only_stream" to flow while the big-endian pair (sid 44062/44061) does not;
# the two pairs therefore behave differently on unreassembled traffic.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_server,established; file_data; content:"MM|00 2A|"; depth:4; byte_jump:4,4,from_beginning; content:"|01 40 00 03|"; distance:0; byte_extract:4,0,count,relative,multiplier 2; byte_jump:4,0,relative,from_beginning; isdataat:!count,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11255; reference:cve,2017-16413; reference:cve,2019-7037; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:44062; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_client,established; file_data; content:"MM|00 2A|"; depth:4; byte_jump:4,4,from_beginning; content:"|01 40 00 03|"; distance:0; byte_extract:4,0,count,relative,multiplier 2; byte_jump:4,0,relative,from_beginning; isdataat:!count,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11255; reference:cve,2017-16413; reference:cve,2019-7037; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:44061; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_server,established,only_stream; file_data; content:"II|2A 00|"; depth:4; byte_jump:4,4,little,from_beginning; content:"|40 01 03 00|"; distance:0; byte_extract:4,0,count,relative,multiplier 2,little; byte_jump:4,0,relative,little,from_beginning; isdataat:!count,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11255; reference:cve,2017-16413; reference:cve,2018-12859; reference:cve,2018-15954; reference:cve,2018-15955; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44060; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_client,established,only_stream; file_data; content:"II|2A 00|"; depth:4; byte_jump:4,4,little,from_beginning; content:"|40 01 03 00|"; distance:0; byte_extract:4,0,count,relative,multiplier 2,little; byte_jump:4,0,relative,little,from_beginning; isdataat:!count,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11255; reference:cve,2017-16413; reference:cve,2018-12859; reference:cve,2018-15954; reference:cve,2018-15955; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44059; rev:5;)

# CVE-2005-2124 (MS05-053): WMF SetPaletteEntries record. The pcre re-states the
# content chain (record header 00 09 00, then FF FF FF [FF|F7] [36|37] 00); the
# "i" flag is meaningless on a pure-hex pattern and can be dropped on a revision.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows metafile SetPaletteEntries heap overflow attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"|00 09 00|"; content:"|FF FF FF|"; distance:12; content:"|00|"; within:1; distance:2; pcre:"/[\x00\x01]\x00\x09\x00.*?\xff\xff\xff[\xff\xf7][\x36\x37]\x00/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15356; reference:cve,2005-2124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-053; classtype:attempted-user; sid:44128; rev:1;)

# Extension/magic mismatch heuristics: an SMTP attachment whose filename ends in
# .png / .jpg but whose decoded bytes do not start with the PNG / JPEG signature.
# These fire on any mislabeled file, not just exploit attempts, so keep them
# disabled unless the target products are actually in use.
# NOTE(review): the "Content-Disposition: attachment; filename=" content has no
# nocase while the extension check does; MIME header names/parameters are
# case-insensitive, so a differently-cased header bypasses both rules.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt"; flow:to_server,established; content:"Content-Disposition: attachment|3B| filename="; content:".png"; within:25; nocase; file_data; content:!"|89|PNG|0D 0A 1A 0A|"; depth:8; metadata:service smtp; reference:cve,2012-2940; classtype:denial-of-service; sid:44286; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Free Opener malformed JPEG file buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition: attachment|3B| filename="; content:".jpg"; within:25; fast_pattern; nocase; file_data; content:!"|FF D8 FF|"; depth:3; metadata:service smtp; reference:url,www.softpedia.com/get/File-managers/Free-Opener.shtml; classtype:attempted-user; sid:44355; rev:1;)

# CVE-2008-3018 / CVE-2008-3021: Apple PICT packType 4. Fixed 32-byte literal
# (fast_pattern:only, no structural check) taken from a known sample; a
# different payload encoding will not match.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt"; flow:to_server,established; file_data; content:"|00 9A 00 9F 00 A4 00 A9 00 AE 00 B2 00 B7 00 BC 00 C1 00 C6 00 CB 00 D0 00 D5 00 DB 00 E0 00 E5|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30597; reference:bugtraq,30598; reference:cve,2008-3018; reference:cve,2008-3021; classtype:attempted-user; sid:44456; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 9A 00 9F 00 A4 00 A9 00 AE 00 B2 00 B7 00 BC 00 C1 00 C6 00 CB 00 D0 00 D5 00 DB 00 E0 00 E5|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30597; reference:bugtraq,30598; reference:cve,2008-3018; reference:cve,2008-3021; classtype:attempted-user; sid:44455; rev:2;)

# CVE-2017-11248 (APSB17-24): EMF record literal (type 0x4C, size 0x64) from a
# known sample. Sample-specific; the fixed field values are the whole signature.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt"; flow:to_server,established; file_data; content:"|4C 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 0B 01 00 00 6B 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11248; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44551; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt"; flow:to_client,established; file_data; content:"|4C 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 0B 01 00 00 6B 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11248; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44550; rev:3;)

# CVE-2017-16410 (APSB17-36): opaque 36-byte literal from the PoC's
# CommentExtension data. No structural check; trivially altered by re-encoding.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CommentExtension attempt"; flow:to_server,established; file_data; content:"|F5 57 13 0F 9E 9C 3C 05 8F 0D EC 45 49 71 E1 3C 67 82 B2 22 4E DA 34 52 49 56 61 56 98 DD C5 78 C2 D4 82 3C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16410; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44862; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CommentExtension attempt"; flow:to_client,established; file_data; content:"|F5 57 13 0F 9E 9C 3C 05 8F 0D EC 45 49 71 E1 3C 67 82 B2 22 4E DA 34 52 49 56 61 56 98 DD C5 78 C2 D4 82 3C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16410; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44861; rev:2;)

# CVE-2017-16399 (APSB17-36): XPS glyph sample literal.
# NOTE(review): these two rules have no file_data, so the 32 bytes are searched
# in the raw TCP payload. An XPS file is a ZIP container and the attachment is
# MIME-encoded over SMTP, so the bytes are only visible when they happen to be
# on the wire unencoded. Adding "file_data;" before the content (as the
# surrounding rules do) would inspect the decoded file instead.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds"; flow:to_server,established; content:"|ED ED 72 B7 87 C9 5F 5D AD 97 B7 EB FD B9 CD DF 9F D0 7B 4B CE F6 B0 1F 1C 59 F5 ED BA EF FF 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16399; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44885; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds"; flow:to_client,established; content:"|ED ED 72 B7 87 C9 5F 5D AD 97 B7 EB FD B9 CD DF 9F D0 7B 4B CE F6 B0 1F 1C 59 F5 ED BA EF FF 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16399; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44884; rev:2;)

# CVE-2017-16406 (APSB17-36): EMR_STRETCHDIBITS record (type 0x51) with the exact
# bounds/source rectangle of the PoC. Sample-specific literal.
# (Style: "flowbits:isset, file.emf" carries a stray space in sid 44881/44880 and
# 44930/44929; the parser accepts it, but the rest of the file writes it without.)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt"; flow:to_server,established; flowbits:isset, file.emf; file_data; content:"|51 00 00 00 88 02 00 00 78 1E 00 00 CC 10 00 00 07 20 00 00 5B 12 00 00 78 1E 00 00 CC 10 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16406; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44881; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt"; flow:to_client,established; flowbits:isset, file.emf; file_data; content:"|51 00 00 00 88 02 00 00 78 1E 00 00 CC 10 00 00 07 20 00 00 5B 12 00 00 78 1E 00 00 CC 10 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16406; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44880; rev:2;)

# CVE-2017-16416 (APSB17-36): EMF+ font object (EmfPlusFont) literal; the trailing
# "02 10 C0 DB" is the EMF+ version/header signature seen in sid 46720-46717 too.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|06 00 00 00 00 00 E1 41 00 00 C8 3F 00 00 48 40 00 00 96 40 00 00 2F 41 00 00 C8 3F 02 10 C0 DB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16416; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44970; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|06 00 00 00 00 00 E1 41 00 00 C8 3F 00 00 48 40 00 00 96 40 00 00 2F 41 00 00 C8 3F 02 10 C0 DB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16416; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44969; rev:2;)

# CVE-2017-16382 (APSB17-36): TIFF YCbCrCoefficients rational values from the PoC
# (a different coefficient set for the same bug class is sid 45792/45791 below).
# No flowbit and no endianness check: the big-endian literal is the signature.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt"; flow:to_server,established; file_data; content:"|2F 00 00 27 10 00 00 0B AD 00 00 27 10 00 00 16 EE 00 00 27 10 00 00 04 74 00 00 00 00 00 00 27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16382; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44960; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt"; flow:to_client,established; file_data; content:"|2F 00 00 27 10 00 00 0B AD 00 00 27 10 00 00 16 EE 00 00 27 10 00 00 04 74 00 00 00 00 00 00 27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16382; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44959; rev:2;)

# CVE-2017-16406 again (same CVE as sid 44881/44880): a second PoC literal for the
# EMF out-of-bounds write, matched as an opaque 32-byte blob.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds write attempt"; flow:to_server,established; flowbits:isset, file.emf; file_data; content:"|FF 7F 00 00 9C 8F A9 CB 8D 00 0C 8C AE CA 10 A0 4D 53 77 8C 3D 1B A5 00 58 37 8D 8C 99 81 2C D9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16406; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44930; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds write attempt"; flow:to_client,established; flowbits:isset, file.emf; file_data; content:"|FF 7F 00 00 9C 8F A9 CB 8D 00 0C 8C AE CA 10 A0 4D 53 77 8C 3D 1B A5 00 58 37 8D 8C 99 81 2C D9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16406; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44929; rev:2;)

# CVE-2017-16386 (APSB17-36): JPEG APP13 (FF ED) segment whose 16-bit length is
# below 28 yet still carries the 18-byte "Photoshop 3.0\0" + "8BIM" prefix
# (distance:2 skips the length field). Structural check, not a sample literal.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro invalid APP13 marker size attempt"; flow:to_server,established; file_data; flowbits:isset,file.jpeg; content:"|FF ED|"; byte_test:2,<,28,0,relative; content:"Photoshop 3.0|00|8BIM"; within:18; distance:2; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16386; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44913; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro invalid APP13 marker size attempt"; flow:to_client,established; file_data; flowbits:isset,file.jpeg; content:"|FF ED|"; byte_test:2,<,28,0,relative; content:"Photoshop 3.0|00|8BIM"; within:18; distance:2; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16386; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44912; rev:2;)

# CVE-2016-1767: Apple QuickTime FlashPix sample literal (note the "41 41 41 41"
# filler, i.e. the fuzzing payload itself is part of the signature).
# classtype attempted-admin here vs attempted-user for the other client-side
# image parsers in this block; QuickTime runs as the user, so this looks
# inconsistent - TODO confirm intended severity.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_client,established; file_data; content:"|80 75 A8 1B 4A 24 C2 01 04 00 00 00 41 41 41 41 04 00 00 00 00 00 E0 40 13 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 13 00 00 00 02 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1767; classtype:attempted-admin; sid:45186; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_server,established; file_data; content:"|80 75 A8 1B 4A 24 C2 01 04 00 00 00 41 41 41 41 04 00 00 00 00 00 E0 40 13 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 13 00 00 00 02 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1767; classtype:attempted-admin; sid:45185; rev:1;)

# CVE-2004-0691: Qt BMP parser heap overflow, pixel-row literal from the exploit.
# NOTE(review): no file_data, so this inspects the raw payload only (see the
# header comment); the SMTP variant cannot see a base64-encoded attachment.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt"; flow:to_client,established; content:"|80 80 FF FF FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2004-0691; classtype:attempted-user; sid:45306; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt"; flow:to_server,established; content:"|80 80 FF FF FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0691; classtype:attempted-user; sid:45305; rev:1;)

# CVE-2018-4881 (APSB18-02): BMP out-of-bounds read, sample literal.
# classtype attempted-admin for an OOB read in a user-mode viewer; the sibling
# Acrobat OOB-read rules use attempted-user (46693/46692) or attempted-recon
# (46702/46701). Severity tagging is inconsistent across this family.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt"; flow:to_server,established; file_data; content:"|04 00 00 00 7C 60 00 00 1C 02 00 00 00 00 00 00 00 00 00 08 00 08 10 00 10 19 00 19 21 00 21 29|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-4881; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45685; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt"; flow:to_client,established; file_data; content:"|04 00 00 00 7C 60 00 00 1C 02 00 00 00 00 00 00 00 00 00 08 00 08 10 00 10 19 00 19 21 00 21 29|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4881; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45684; rev:1;)

# CVE-2018-4909 (APSB18-02): Exif IFD "Software" entry (tag 0x0131, type ASCII,
# big-endian) whose count exceeds 0xFFFF.
# NOTE(review): distance:60 hard-codes the entry's position (Exif\0\0 + 8-byte
# TIFF header + 2-byte entry count + 4 preceding 12-byte entries), and only the
# "MM" byte order is matched. Any other IFD layout or an "II" file slips past;
# the sibling sid 45789/45788 below search for the same tag without that
# positional constraint.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"Exif"; nocase; content:"|01 31 00 02|"; within:4; distance:60; fast_pattern; byte_test:4,>,0xFFFF,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4909; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45815; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"Exif"; nocase; content:"|01 31 00 02|"; within:4; distance:60; fast_pattern; byte_test:4,>,0xFFFF,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4909; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45814; rev:1;)

# CVE-2018-4905 (APSB18-02): second YCbCrCoefficients literal (see sid 44960/44959).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt"; flow:to_server,established; file_data; content:"|00 00 0B AD 00 00 27 10 00 00 16 EE 00 00 27 10 00 26 E8 F0 00 00 27 10 00 00 00 00 00 00 27 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4905; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45792; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt"; flow:to_client,established; file_data; content:"|00 00 0B AD 00 00 27 10 00 00 16 EE 00 00 27 10 00 26 E8 F0 00 00 27 10 00 00 00 00 00 00 27 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4905; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45791; rev:1;)

# CVE-2018-4903 (APSB18-02): big-endian TIFF "Software" entry (tag 0x0131, ASCII)
# whose string is not NUL-terminated within its declared count. Two consecutive
# byte_extracts read count (SftLen) then value offset (SftOffset); the negated
# "|00|" check then scans SftLen bytes starting SftOffset past the cursor.
# sid 45789 handles a TIFF embedded in an XPS (flowbit file.xps) and locates the
# "MM|00 2A|" header by searching up to 500 bytes backwards from the entry;
# sid 45788 (flowbit file.tiff.big) requires the header at buffer offset 0.
# NOTE(review): after the "MM|00 2A|" match the cursor sits at TIFF offset 4, so
# "distance:SftOffset" opens the scan window 4 bytes past the tag's value offset
# (TIFF offsets are relative to the first byte of "MM"). The window is therefore
# shifted by the header length relative to the Software string. Confirm against
# the sample whether that shift is intended; for sid 45788, where the TIFF starts
# at offset 0, an absolute "content:!"|00|"; offset:SftOffset; depth:SftLen;"
# would cover exactly the declared string. Also note isdataat is relative in
# 45789 but absolute in 45788, matching each rule's header anchoring.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"|01 31 00 02|"; fast_pattern; byte_extract:4,0,SftLen,relative,big; byte_extract:4,0,SftOffset,relative,big; content:"MM|00 2A|"; within:500; distance:-500; isdataat:SftOffset,relative; content:!"|00|"; within:SftLen; distance:SftOffset; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4903; reference:url,helpx.adobe.com/security/products/reader/apsb18-02.html; classtype:attempted-user; sid:45789; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 31 00 02|"; fast_pattern; byte_extract:4,0,SftLen,relative,big; byte_extract:4,0,SftOffset,relative,big; content:"MM|00 2A|"; depth:4; isdataat:SftOffset; content:!"|00|"; within:SftLen; distance:SftOffset; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4903; reference:url,helpx.adobe.com/security/products/reader/apsb18-02.html; classtype:attempted-user; sid:45788; rev:2;)

# CVE-2017-18120: Gifsicle gifread double free. Checks: no global color table
# (packed byte at header offset 10, bit 0x80 clear), an extension block 0x21 with
# label 0xCE right after the 13-byte header, a terminating 0x00, then less than
# 500 bytes of trailing data.
# NOTE(review): the final content:!"|2C|" is not relative, so it requires that no
# 0x2C byte occur anywhere in the decoded file (header width/height included),
# not merely that no image descriptor follows the extension. That narrows the
# match beyond the stated intent; "content:!"|2C|"; distance:0;" would scope it.
# Also the pair disagrees on classtype (denial-of-service vs attempted-user).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Gifsicle gifread double-free attempt"; flow:to_server,established,only_stream; file_data; content:"GIF"; depth:3; byte_test:1,!&,0x80,7,relative; content:"|21 CE|"; within:2; distance:10; content:"|00|"; distance:0; isdataat:1,relative; isdataat:!500,relative; content:!"|2C|"; metadata:service smtp; reference:cve,2017-18120; classtype:denial-of-service; sid:46078; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Gifsicle gifread double-free attempt"; flow:to_client,established,only_stream; file_data; content:"GIF"; depth:3; byte_test:1,!&,0x80,7,relative; content:"|21 CE|"; within:2; distance:10; content:"|00|"; distance:0; isdataat:1,relative; isdataat:!500,relative; content:!"|2C|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-18120; classtype:attempted-user; sid:46077; rev:1;)

# CVE-2018-4973 (APSB18-09): JPEG OOB read. A bare, unanchored 5-byte literal
# with no fast_pattern or structural check, gated only by the file.jpeg flowbit;
# expect false positives on entropy-coded data if enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|A4 05 00 03 FF|"; metadata:service smtp; reference:cve,2018-4973; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:46726; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|A4 05 00 03 FF|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4973; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:46725; rev:1;)

# CVE-2018-4978 (APSB18-09): EMF+ EmfPlusPath object (record 0x4008, object type
# 3, header 02 10 C0 DB) with a small point count (< 500) but a huge size field
# (> 10,000,000) at relative offset 8 (sid 46720/46718) or 4 (sid 46719/46717).
# NOTE(review): unlike sid 46693/46692 and every other EMF rule in this block,
# these four rules have no "file_data;" before the first content, so the
# "EMF+" pattern is searched in the raw TCP payload rather than the decoded
# file. Over SMTP the attachment is MIME-encoded and these bytes never appear
# on the wire, so the SMTP variants cannot fire as written. Suggested fix:
# "flowbits:isset,file.emf; file_data; content:"EMF+|08 40|";" (bump rev).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; content:"EMF+|08 40|"; content:"|03|"; within:1; distance:1; content:"|02 10 C0 DB|"; within:4; distance:8; byte_test:4,<,500,0,relative,little; byte_test:4,>,10000000,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4978; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46720; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; content:"EMF+|08 40|"; content:"|03|"; within:1; distance:1; content:"|02 10 C0 DB|"; within:4; distance:8; byte_test:4,<,500,0,relative,little; byte_test:4,>,10000000,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4978; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46719; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; content:"EMF+|08 40|"; content:"|03|"; within:1; distance:1; content:"|02 10 C0 DB|"; within:4; distance:8; byte_test:4,<,500,0,relative,little; byte_test:4,>,10000000,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4978; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46718; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; content:"EMF+|08 40|"; content:"|03|"; within:1; distance:1; content:"|02 10 C0 DB|"; within:4; distance:8; byte_test:4,<,500,0,relative,little; byte_test:4,>,10000000,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4978; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46717; rev:1;)

# CVE-2018-4963 (APSB18-09): BITMAPINFOHEADER literal (biSize 0x28, width 0x125,
# height 0xE961, 32 bpp) from the EMR_STRETCHDIBITS PoC. Sample-specific.
# (msg typo "Acrboat" is vendor text; left as-is because alert consumers may key
# on it.)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|28 00 00 00 25 01 00 00 61 E9 00 00 01 00 20 00 00 00 00 00 14 BC 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4963; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-recon; sid:46702; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|28 00 00 00 25 01 00 00 61 E9 00 00 01 00 20 00 00 00 00 00 14 BC 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4963; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-recon; sid:46701; rev:1;)

# CVE-2018-4976 (APSB18-09): EMF+ EmfPlusDrawCurve record (0x4018) whose fields
# 10 bytes in are all zero followed by a point count of 2.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"EMF+|18 40|"; fast_pattern; content:"|00 00 00 00 00 00 00 00 02 00 00 00|"; within:12; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4976; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46693; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"EMF+|18 40|"; fast_pattern; content:"|00 00 00 00 00 00 00 00 02 00 00 00|"; within:12; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4976; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46692; rev:1;)

# CVE-2018-4955 (APSB18-09): XPS sample literal; this pair does use file_data,
# unlike sid 44885/44884.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|A5 3A 41 12 60 22 4B 59 0D CC C0 72 6D 43 EE 81 99 4C 05 18 1C 0A 14 02 4C E4 81 29 19 98 8C A3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4955; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46689; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|A5 3A 41 12 60 22 4B 59 0D CC C0 72 6D 43 EE 81 99 4C 05 18 1C 0A 14 02 4C E4 81 29 19 98 8C A3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4955; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46688; rev:1;)

# CVE-2018-4948 / CVE-2018-15940 / CVE-2018-15941: EMR_STRETCHDIBITS (type 0x51)
# whose embedded DIB height (sid 46674/46673) or width (sid 46672) is smaller
# than a later 32-bit field. Record offsets 84/88 are biWidth/biHeight if the
# BITMAPINFOHEADER starts right after the fixed 80-byte record header.
# NOTE(review): byte_extract advances the cursor (the PCX and Software-tag
# rules above depend on that), so byte_test offsets 128/132 land roughly 220-224
# bytes into the record - not an obvious fixed header field. Assumed to mirror
# the PoC's layout; confirm before enabling. The unanchored 4-byte "|51 00 00 00|"
# also matches inside pixel data, so every hit pays the byte_extract/byte_test.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,84,height,relative,little; byte_test:4,>,height,132,relative,little; metadata:service smtp; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46674; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,84,height,relative,little; byte_test:4,>,height,128,relative,little; metadata:service smtp; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46673; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,80,width,relative,little; byte_test:4,>,width,132,relative,little; metadata:service smtp; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46672; rev:2;)
# (next rule continues beyond this chunk)
# alert tcp 
$EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,80,width,relative,little; byte_test:4,>,width,128,relative,little; metadata:service smtp; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46671; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,84,height,relative,little; byte_test:4,>,height,132,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46670; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,84,height,relative,little; byte_test:4,>,height,128,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46669; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file 
EMR_STRETCHDIBITS heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,80,width,relative,little; byte_test:4,>,width,132,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46668; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,80,width,relative,little; byte_test:4,>,width,128,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46667; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"EMF+|2B 40|"; content:"|0C 00 00 00|"; within:6; distance:2; content:"|2A 40|"; content:"|24 00 00 00|"; within:6; distance:2; content:"|02 10 C0 DB 04 00 00 00 00 00 00 00|"; content:"|00 00 00 00 80 68 B2 48|"; byte_test:1,!&,8,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4970; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46876; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath 
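object out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"EMF+|2B 40|"; content:"|0C 00 00 00|"; within:6; distance:2; content:"|2A 40|"; content:"|24 00 00 00|"; within:6; distance:2; content:"|02 10 C0 DB 04 00 00 00 00 00 00 00|"; content:"|00 00 00 00 80 68 B2 48|"; byte_test:1,!&,8,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4970; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46875; rev:2;)
# NOTE(review): sid 46875 (above) gained file_data after its file.emf flowbit, matching
# its SMTP twin sid 46876. Without it the EMF+ record bytes were searched in the raw
# packet payload rather than the decoded file buffer, so the rule could not match a
# MIME-encoded or content-encoded transfer. rev bumped; rule stays disabled by default.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt"; flow:to_server,established; file_data; content:"|51 00 00 00 D8 03 00 00 D9 03 00 00 E3 02 00 00 F4 03 00 00 F8 02 00 00 D9 03 00 00 E3 02 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-4951; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:47060; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt"; flow:to_client,established; file_data; content:"|51 00 00 00 D8 03 00 00 D9 03 00 00 E3 02 00 00 F4 03 00 00 F8 02 00 00 D9 03 00 00 E3 02 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4951; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:47059; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt"; flow:to_server,established,only_stream; file_data; content:"|01 DA|"; depth:2; isdataat:2,relative; content:!"|00|"; within:1; content:!"|01|"; within:1; content:!"|01|"; within:1; distance:1; content:!"|02|"; within:1; distance:1; metadata:service smtp; reference:cve,2018-15953; 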
reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-recon; sid:48135; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt"; flow:to_client,established,only_stream; file_data; content:"|01 DA|"; depth:2; isdataat:2,relative; content:!"|00|"; within:1; content:!"|01|"; within:1; content:!"|01|"; within:1; distance:1; content:!"|02|"; within:1; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15953; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-recon; sid:48134; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E2|"; byte_test:2,<,16,0,relative; content:"ICC_PROFILE|00 01 01|"; within:16; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12855; reference:cve,2018-12856; reference:cve,2018-19703; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48044; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E2|"; byte_test:2,<,16,0,relative; content:"ICC_PROFILE|00 01 01|"; within:16; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12855; reference:cve,2018-12856; reference:cve,2018-19703; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-30.html; 
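reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48043; rev:2;)
# NOTE(review): sid 48040 now gates on flowbits file.bmp like its client-side twin
# sid 48039, so the header walk only runs on buffers already identified as BMP; rev bumped.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed BMP out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.bmp; file_data; content:"BM"; depth:2; content:"|00 00 00 00|"; within:4; distance:4; content:"|28 00 00 00|"; within:4; distance:4; content:"|01 00 00 00|"; within:12; distance:12; byte_extract:4,0,ImageSize,relative,little; isdataat:!ImageSize; metadata:service smtp; reference:cve,2018-5051; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48040; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed BMP out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; depth:2; content:"|00 00 00 00|"; within:4; distance:4; content:"|28 00 00 00|"; within:4; distance:4; content:"|01 00 00 00|"; within:12; distance:12; byte_extract:4,0,ImageSize,relative,little; isdataat:!ImageSize; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5051; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48039; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; file_data; content:"|24 00 00 00 18 00 00 00 00 00 80 3F 00 00 00 00 00 00 00 00 00 00 80 3F 00 F0 8C 44 00 C0 85 44|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12879; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48032; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; file_data; 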
content:"|24 00 00 00 18 00 00 00 00 00 80 3F 00 00 00 00 00 00 00 00 00 00 80 3F 00 F0 8C 44 00 C0 85 44|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12879; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48031; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader malformed JavaScript input out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"getAnnots()"; content:".contents"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15922; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48017; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader malformed JavaScript input out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"getAnnots()"; content:".contents"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15922; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48016; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro U3D TIFF XResolution out of bounds read attempt"; flow:to_server,established; file_data; content:"MM|00 2A|"; depth:4; content:"|01 1A 00 05 00 00 00 01|"; distance:0; byte_extract:4,0,offset,relative; isdataat:!offset; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-15956; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48014; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe 
Acrobat Pro U3D TIFF XResolution out of bounds read attempt"; flow:to_client,established; file_data; content:"MM|00 2A|"; depth:4; content:"|01 1A 00 05 00 00 00 01|"; distance:0; byte_extract:4,0,offset,relative; isdataat:!offset; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15956; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48013; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro U3D TIFF XResolution out of bounds read attempt"; flow:to_server,established; file_data; content:"II|2A 00|"; depth:4; content:"|1A 01 05 00 01 00 00 00|"; distance:0; byte_extract:4,0,offset,relative,little; isdataat:!offset; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-15956; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48012; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro U3D TIFF XResolution out of bounds read attempt"; flow:to_client,established; file_data; content:"II|2A 00|"; depth:4; content:"|1A 01 05 00 01 00 00 00|"; distance:0; byte_extract:4,0,offset,relative,little; isdataat:!offset; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15956; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48011; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro integer overflow attempt"; flow:to_server,established; file_data; content:"|50 00 00 00 B0 03 00 00 00 00 00 80 FF FF FF FF 0C 11 F8 C9 00 00 00 80 24 11 F8 C9 FF FF FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12881; 
reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48010; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro integer overflow attempt"; flow:to_client,established; file_data; content:"|50 00 00 00 B0 03 00 00 00 00 00 80 FF FF FF FF 0C 11 F8 C9 00 00 00 80 24 11 F8 C9 FF FF FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12881; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48009; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro Universal 3D engine untrusted pointer dereference attempt"; flow:to_server,established; file_data; content:"|05 E2 B3 9B 31 30 FC 38 05 10 60 00 41 85 0E 98 00 03 48 89 FA B4 97 01 08 78 9D 19 C0 E0 D3 5E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15937; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48003; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro Universal 3D engine untrusted pointer dereference attempt"; flow:to_client,established; file_data; content:"|05 E2 B3 9B 31 30 FC 38 05 10 60 00 41 85 0E 98 00 03 48 89 FA B4 97 01 08 78 9D 19 C0 E0 D3 5E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15937; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48002; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF pointer out of bounds read attempt"; flow:to_server,established; file_data; content:"|A2 00 F0 
D7 99 00 F3 E0 B0 00 F4 E2 B6 00 F5 E4 B9 00 F5 E4 BB 00 F5 E5 BD 00 FA F2 DD 00 FA F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15943; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47998; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF pointer out of bounds read attempt"; flow:to_client,established; file_data; content:"|A2 00 F0 D7 99 00 F3 E0 B0 00 F4 E2 B6 00 F5 E4 B9 00 F5 E4 BB 00 F5 E5 BD 00 FA F2 DD 00 FA F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15943; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47997; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF pointer out of bounds write attempt"; flow:to_server,established; file_data; content:"|01 2F 01 91 05 93 01 2A 02 8C 01 0C 02 93 02 8C 00 07 2F 91 93 23 8C 08 0C 00 03 93 00 04 05 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15944; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47996; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF pointer out of bounds write attempt"; flow:to_client,established; file_data; content:"|01 2F 01 91 05 93 01 2A 02 8C 01 0C 02 93 02 8C 00 07 2F 91 93 23 8C 08 0C 00 03 93 00 04 05 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15944; 
reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47995; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF engine type confusion attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|73 B4 8F 54 09 41 F8 85 30 67 F3 BC 10 4A 28 6E C3 20 01 A0 8C 8A DF 9E 2E 12 40 FC 2C AC 72 4B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12876; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47992; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF engine type confusion attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|73 B4 8F 54 09 41 F8 85 30 67 F3 BC 10 4A 28 6E C3 20 01 A0 8C 8A DF 9E 2E 12 40 FC 2C AC 72 4B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12876; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47991; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|61 38 34 0B 77 38 34 0B 01 00 00 80 00 00 00 7F C5 38 34 0B D0 38 34 0B 00 00 00 80 FF FF 7F FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12844; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47982; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|61 38 
34 0B 77 38 34 0B 01 00 00 80 00 00 00 7F C5 38 34 0B D0 38 34 0B 00 00 00 80 FF FF 7F FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12844; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47981; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|92 B3 D3 F4 78 98 B9 D9 5D 7D 9E BE 42 63 83 A4 27 48 68 89 0D 2D 39 59 65 E9 09 2A 4A CE DA FA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12843; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47980; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|92 B3 D3 F4 78 98 B9 D9 5D 7D 9E BE 42 63 83 A4 27 48 68 89 0D 2D 39 59 65 E9 09 2A 4A CE DA FA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12843; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47979; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|AA 57 00 80 BC EC 5E BE 00 90 FF FF 00 80 00 80 F1 E9 B7 69 00 00 40 72 00 80 52 07 FF 7F 96 AA|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12845; 
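reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47972; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|AA 57 00 80 BC EC 5E BE 00 90 FF FF 00 80 00 80 F1 E9 B7 69 00 00 40 72 00 80 52 07 FF 7F 96 AA|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12845; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47971; rev:1;)
# NOTE(review): sids 47956/47955 previously anchored on "|4D 4D 2A 00|" ("MM" followed by
# a little-endian 42). Per TIFF 6.0 the big-endian header is "MM|00 2A|" (as sid 48014 in
# this file uses), so the old pattern could only match a malformed header and a well-formed
# big-endian file would never reach the FillOrder (0x010A) checks. The byte_jump and
# byte_test were already big-endian. Header corrected and rev bumped; confirm against the
# original sample that the malformed-header variant was not the intended target.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF tag entry out of bounds read attempt"; flow:to_server,established; file_data; content:"|4D 4D 00 2A|"; depth:4; byte_jump:4,0,relative,from_beginning; content:"|01 0A 00 03|"; distance:0; content:!"|00 00 00 01|"; within:4; byte_test:2,>,2,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12867; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47956; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF tag entry out of bounds read attempt"; flow:to_client,established; file_data; content:"|4D 4D 00 2A|"; depth:4; byte_jump:4,0,relative,from_beginning; content:"|01 0A 00 03|"; distance:0; content:!"|00 00 00 01|"; within:4; byte_test:2,>,2,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12867; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47955; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 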
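$HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF tag entry out of bounds read attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_jump:4,0,relative,little,from_beginning; content:"|0A 01 03 00|"; distance:0; content:!"|01 00 00 00|"; within:4; byte_test:2,>,2,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12867; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47954; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF tag entry out of bounds read attempt"; flow:to_server,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_jump:4,0,relative,little,from_beginning; content:"|0A 01 03 00|"; distance:0; content:!"|01 00 00 00|"; within:4; byte_test:2,>,2,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12867; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47953; rev:1;)
# NOTE(review): sids 47950/47949 gate on flowbits file.emf but had no file_data, so the
# 32-byte pattern was searched in the raw packet payload instead of the decoded file
# buffer (base64 MIME on SMTP, possibly content-encoded on HTTP). file_data added after
# the flowbit, consistent with sids 47972/47971 above; rev bumped. Rules stay disabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|00 20 00 00 00 00 60 40 14 AE DF C0 00 00 00 00 A4 70 7D BF 00 00 60 C0 14 AE DF C0 00 01 01 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15926; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47950; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|00 20 00 00 00 00 60 40 14 AE DF C0 00 00 00 00 A4 70 7D BF 00 00 60 C0 14 AE DF C0 00 01 01 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15926; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47949; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Distiller PostScript stack overflow attempt"; flow:to_server,established; file_data; content:"/ModificationDate"; fast_pattern; content:"(D:"; within:15; isdataat:32,relative; content:!"/"; within:32; metadata:service smtp; reference:cve,2018-12838; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47944; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Distiller PostScript stack overflow attempt"; flow:to_client,established; file_data; content:"/ModificationDate"; fast_pattern; content:"(D:"; within:15; isdataat:32,relative; content:!"/"; within:32; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12838; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47943; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat XPS heap overflow attempt"; flow:to_server,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C FF FF 00 00 FF EE 00 0E 41 64 6F 62 65 00 64 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12837; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47942; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat XPS heap overflow attempt"; flow:to_client,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46 00 01 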
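01 01 01 2C FF FF 00 00 FF EE 00 0E 41 64 6F 62 65 00 64 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12837; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47941; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for this section (one rule per line, as Snort requires):
#  * A leading "#" means the rule ships disabled in the default policy of this
#    file. Its "metadata:policy ... drop" tags say which policies
#    (balanced / security / max-detect) include it when a rule-management tool
#    applies a policy; a rule with no policy tag is off everywhere until you
#    enable it by hand.
#  * Rules come in pairs: an SMTP variant ($SMTP_SERVERS 25, flow:to_server,
#    service smtp) and a client-download variant ($FILE_DATA_PORTS ->
#    $HOME_NET, flow:to_client, service ftp-data/http/imap/pop3). The two
#    should carry identical detection logic; the pairs that had drifted apart
#    are corrected below, with "rev" bumped on each edited sid.
#  * "flowbits:isset,file.<type>" rules depend on the rule that SETS that bit
#    (a FILE-IDENTIFY rule, not in this file). If the setter is disabled the
#    dependent rule can never fire, silently -- check the setters when
#    enabling any of these.
#  * Many rules are a single 32-byte "fast_pattern:only" blob lifted from one
#    sample. They are cheap to evaluate but match only that sample; a file with
#    a single byte changed will pass. Treat them as sample-grade, not
#    vulnerability-grade, coverage.
#  * Edits made here to vendor rules are overwritten by the next rule update;
#    carry them as modifysid / local.rules overrides in your rule-management
#    tool rather than editing this file in place.
# ---------------------------------------------------------------------------
# EMF+ GIF (CVE-2018-12834): out-of-bounds read, so classtype is the
# info-leak class attempted-recon rather than attempted-user.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF+ GIF parsing out of bounds read attempt"; flow:to_server,established; file_data; content:"|B4 00 F4 00 00 07 FF 80 07 12 44 14 85 86 14 0B 0B 15 8B 0D 8D 11 05 05 44 36 07 94 94 3C 97 98|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-12834; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-recon; sid:47940; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF+ GIF parsing out of bounds read attempt"; flow:to_client,established; file_data; content:"|B4 00 F4 00 00 07 FF 80 07 12 44 14 85 86 14 0B 0B 15 8B 0D 8D 11 05 05 44 36 07 94 94 3C 97 98|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12834; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-recon; sid:47939; rev:1;)
# Universal 3D (CVE-2018-15931): sample-specific blob; no file-type flowbit
# gate, so the blob is searched in every file_data buffer on these services.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro Universal 3D Engine untrusted pointer dereference attempt"; flow:to_server,established; file_data; content:"|5E 62 8D 5C 9D C5 F2 58 83 18 A7 C3 AB 25 F5 B8 67 80 8A DC 0B 00 C0 23 2B 06 00 40 6E CC 70 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15931; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47933; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro Universal 3D Engine untrusted pointer dereference attempt"; flow:to_client,established; file_data; content:"|5E 62 8D 5C 9D C5 F2 58 83 18 A7 C3 AB 25 F5 B8 67 80 8A DC 0B 00 C0 23 2B 06 00 40 6E CC 70 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15931; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47932; rev:1;)
# EMF-embedded JPEG Huffman table (CVE-2018-12785). "file_data" precedes the
# flowbits check here; the order is harmless (flowbits is not buffer-bound).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|10 00 02 01 03 FA 01 03 03 02 03 03 03 02 06 09 75 01 02 03 04 11 05 12 06 21 07 07 07 07 07 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12785; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47912; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|10 00 02 01 03 FA 01 03 03 02 03 03 03 02 06 09 75 01 02 03 04 11 05 12 06 21 07 07 07 07 07 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12785; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47911; rev:1;)
# EMR_STRETCHDIBITS (sids 47910-47907, CVE-2018-12787): the fast_pattern is
# the 4-byte record type 0x51; byte_test then reads one byte 39 (or 43) bytes
# past it and alerts if > 0x7F, i.e. the sign bit is set. Per the MS-EMF
# record layout that byte is the high byte of cxSrc (resp. cySrc), so this is
# "negative source width/height" -- verify against the sample if in doubt.
# A 4-byte prefilter this common relies on the file.emf flowbit to stay cheap.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|51 00 00 00|"; fast_pattern; byte_test:1,>,0x7F,39,relative; metadata:service smtp; reference:cve,2018-12787; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47910; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|51 00 00 00|"; fast_pattern; byte_test:1,>,0x7F,39,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12787; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47909; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|51 00 00 00|"; fast_pattern; byte_test:1,>,0x7F,43,relative; metadata:service smtp; reference:cve,2018-12787; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47908; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|51 00 00 00|"; fast_pattern; byte_test:1,>,0x7F,43,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12787; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47907; rev:1;)
# EMFPlusPath (CVE-2018-12795 / CVE-2018-16014): "EMF+|2B 40|" locates an
# EMF+ record, "|0C 00 00 00|" is checked 2 bytes on, then a "|15 40|" record
# type whose following two bytes must not be 00 00.
# sid 47891 FIX: its twin 47892 bounds the "|15 40|" search with within:250;
# the SMTP copy lacked it and would accept a |15 40| anywhere later in the
# file. Restored for parity; rev 2 -> 3.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"EMF+|2B 40|"; content:"|0C 00 00 00|"; within:6; distance:2; content:"|15 40|"; within:250; content:!"|00 00|"; within:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12795; reference:cve,2018-16014; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; classtype:attempted-user; sid:47892; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"EMF+|2B 40|"; content:"|0C 00 00 00|"; within:6; distance:2; content:"|15 40|"; within:250; content:!"|00 00|"; within:2; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12795; reference:cve,2018-16014; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; classtype:attempted-user; sid:47891; rev:3;)
# EMR_ALPHABLEND (record type 0x72, CVE-2018-12788): the byte_tests look at
# sign bits and high halves of the destination/source origin and size fields
# at fixed offsets inside the record. Read against the MS-EMF ALPHABLEND
# layout this is "non-negative xDest, small cxDest, negative xSrc, large
# cxSrc" -- an interpretation, not something the rule states; verify before
# relying on it. No fast_pattern is declared, so the 4-byte "|72 00 00 00|"
# (longest content) is the prefilter.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|72 00 00 00|"; byte_test:1,!&,128,23,relative; content:"|00 00|"; within:2; distance:30; content:"|00 00|"; within:2; distance:6; byte_test:1,&,128,3,relative; content:!"|00 00|"; within:2; distance:58; metadata:service smtp; reference:cve,2018-12788; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47875; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|72 00 00 00|"; byte_test:1,!&,128,23,relative; content:"|00 00|"; within:2; distance:30; content:"|00 00|"; within:2; distance:6; byte_test:1,&,128,3,relative; content:!"|00 00|"; within:2; distance:58; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12788; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47874; rev:2;)
# EMF object out-of-bounds write (CVE-2018-12848): fixed 32-byte record blob.
# sid 47857 FIX: was missing "file_data;" (its twin 47856 has it), so the
# content was searched in the raw payload rather than the extracted file
# buffer -- chunked/compressed HTTP bodies and base64 MIME bodies on imap/pop3
# would be missed. Added; rev 1 -> 2.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file object out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|05 00 00 00 4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FD 58 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12848; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; classtype:attempted-user; sid:47857; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file object out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|05 00 00 00 4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FD 58 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12848; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; classtype:attempted-user; sid:47856; rev:1;)
# SGI RGB RLE (CVE-2018-5054): sample blob, no file-type gate.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro SGI RGB run-length encoding out of bounds read attempt"; flow:to_client,established; file_data; content:"|00 06 00 82 05 03 06 00 9A 02 03 06 08 09 08 06 04 01 00 01 04 07 0A 0E 11 12 14 12 12 14 18 1C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5054; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47839; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro SGI RGB run-length encoding out of bounds read attempt"; flow:to_server,established; file_data; content:"|00 06 00 82 05 03 06 00 9A 02 03 06 08 09 08 06 04 01 00 01 04 07 0A 0E 11 12 14 12 12 14 18 1C|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5054; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47838; rev:1;)
# EmfPlusDrawImagePoints OOB read (CVE-2018-5035): enabled by default
# (balanced/security/max-detect drop). Sample blob, no file.emf gate.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat EmfPlusDrawImagePoints out of bounds read attempt"; flow:to_server,established; file_data; content:"|1B 40 03 40 34 00 00 00 28 00 00 00 FF FF FF FF 02 00 00 00 00 00 00 BF 00 00 00 BF 00 00 90 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5035; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47828; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat EmfPlusDrawImagePoints out of bounds read attempt"; flow:to_client,established; file_data; content:"|1B 40 03 40 34 00 00 00 28 00 00 00 FF FF FF FF 02 00 00 00 00 00 00 BF 00 00 00 BF 00 00 90 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5035; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47827; rev:1;)
# Windows TIFF RCE (CVE-2018-8475): enabled by default. The blob is a run of
# little-endian IFD entries from the sample (tags 0x0116, 0x011C, 0x0117), so
# only files with exactly that entry sequence match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows malformed TIFF remote code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.tiff; content:"|00 16 01 03 00 01 00 00 00 E8 03 00 00 1C 01 03 00 01 00 00 00 02 00 00 00 17 01 04 00 03 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8475; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8475; classtype:attempted-user; sid:47765; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows malformed TIFF remote code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.tiff; content:"|00 16 01 03 00 01 00 00 00 E8 03 00 00 1C 01 03 00 01 00 00 00 02 00 00 00 17 01 04 00 03 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8475; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8475; classtype:attempted-user; sid:47764; rev:1;)
# JPEG quantization table (CVE-2018-5069): 36-byte sample blob.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt"; flow:to_server,established; file_data; content:"|A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 8C C8 FF CB DA EE F5 FF FF FF 9B C1 FF F8 F8 F8 F8 F8 F8 F8|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5069; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47397; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt"; flow:to_client,established; file_data; content:"|A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 8C C8 FF CB DA EE F5 FF FF FF 9B C1 FF F8 F8 F8 F8 F8 F8 F8|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5069; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47396; rev:1;)
# Acrobat UAF (CVE-2018-12791): literal JavaScript text from the sample,
# including a bare LF (|3B 0A| = ";\n"). A CRLF-encoded copy of the same
# script will not match, and nothing here ties the match to an image file.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro use after free attempt"; flow:to_server,established; file_data; content:"draggable = true|3B 0A| htmlvar00"; fast_pattern:only; metadata:service smtp; reference:cve,2018-12791; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47383; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro use after free attempt"; flow:to_client,established; file_data; content:"draggable = true|3B 0A| htmlvar00"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12791; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47382; rev:1;)
# PSD (CVE-2018-15938 / CVE-2018-5042): "8BPS" + version 1 at offset 0, then
# three negated checks at fixed offsets (24-25, 44-45, 66-69). Per the PSD
# header layout 24-25 is the colour mode (must not be 2); the later offsets
# assume fixed section lengths in the sample -- treat as sample-specific.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt"; flow:to_server,established; file_data; content:"8BPS|00 01|"; depth:6; content:!"|00 02|"; within:2; distance:18; content:!"|00 08|"; within:2; distance:18; content:!"|00 00 00 00|"; within:4; distance:20; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-15938; reference:cve,2018-5042; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47368; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt"; flow:to_client,established; file_data; content:"8BPS|00 01|"; depth:6; content:!"|00 02|"; within:2; distance:18; content:!"|00 08|"; within:2; distance:18; content:!"|00 00 00 00|"; within:4; distance:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15938; reference:cve,2018-5042; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47367; rev:2;)
# TIFF walk shared by the eight rules below: byte_extract reads the first-IFD
# offset from the header, isdataat bounds-checks it before byte_jump lands on
# the IFD, and the IFD entry count * 12 (IFD entries are 12 bytes) becomes
# "numentries", which confines the tag search to that first IFD. The
# little-endian variants add "little" and byte-swap the tag pattern.
# NOTE(review): the big-endian rules (47362/47361, 47331/47329) key on
# "4D 4D 00 0A". A big-endian TIFF header is "MM" followed by the 16-bit
# value 42 = "00 2A"; "00 0A" (10) is not a valid TIFF version, while the
# little-endian twins correctly use "49 49 2A 00" (42). Either the sample
# really carried 0x000A and Acrobat tolerates it, or this is a typo that
# makes these rules never fire on a conforming big-endian file. Left as-is
# pending a check against the sample; if it is a typo the fix is
# "|4D 4D 00 2A|".
# sids 47362-47359 (CVE-2018-5053): PhotometricInterpretation tag (0x0106,
# type SHORT) whose count is not 1.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader malformed TIFF out of bounds read attempt"; flow:to_server,established; file_data; content:"|4D 4D 00 0A|"; depth:4; byte_extract:4,0,IFDoffset,relative; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,from_beginning; byte_extract:2,0,numentries,multiplier 12,relative; content:"|01 06 00 03|"; within:numentries; fast_pattern; content:!"|00 00 00 01|"; within:4; metadata:service smtp; reference:cve,2018-5053; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47362; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader malformed TIFF out of bounds read attempt"; flow:to_client,established; file_data; content:"|4D 4D 00 0A|"; depth:4; byte_extract:4,0,IFDoffset,relative; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,from_beginning; byte_extract:2,0,numentries,multiplier 12,relative; content:"|01 06 00 03|"; within:numentries; fast_pattern; content:!"|00 00 00 01|"; within:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5053; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47361; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader malformed TIFF out of bounds read attempt"; flow:to_server,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_extract:4,0,IFDoffset,relative,little; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,little,from_beginning; byte_extract:2,0,numentries,multiplier 12,little,relative; content:"|06 01 03 00|"; within:numentries; fast_pattern; content:!"|01 00 00 00|"; within:4; metadata:service smtp; reference:cve,2018-5053; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47360; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader malformed TIFF out of bounds read attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_extract:4,0,IFDoffset,relative,little; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,little,from_beginning; byte_extract:2,0,numentries,multiplier 12,little,relative; content:"|06 01 03 00|"; within:numentries; fast_pattern; content:!"|01 00 00 00|"; within:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5053; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47359; rev:1;)
# CVE-2018-5039: sample blob. The leading bytes "0A 05 01 08" look like a
# PCX header (manufacturer 0x0A, version 5, RLE, 8 bpp) -- an observation,
# not something the rule asserts.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"|0A 05 01 08 00 00 00 00 3F 01 C7 00 96 00 96 00 00 00 00 08 08 08 10 10 10 18 18 18 20 20 20 28|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5039; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47357; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"|0A 05 01 08 00 00 00 00 3F 01 C7 00 96 00 96 00 00 00 00 08 08 08 10 10 10 18 18 18 20 20 20 28|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5039; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47356; rev:1;)
# JPEG heap overflow (CVE-2018-5058): two rule pairs -- a sample blob
# (47353/47352) and a structural check (47351/47350: JFIF header, then a
# "|01 0E 00 02|" sequence not followed by a 0x00 byte).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG heap overflow attempt"; flow:to_server,established; file_data; content:"|E2 BC 85 6C 56 26 C4 4F 21 36 48 CC 48 62 43 DC 2F B1 4D 62 D1 D3 01 C0 C9 4A E6 B9 2C 46 3C C4|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5058; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47353; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG heap overflow attempt"; flow:to_client,established; file_data; content:"|E2 BC 85 6C 56 26 C4 4F 21 36 48 CC 48 62 43 DC 2F B1 4D 62 D1 D3 01 C0 C9 4A E6 B9 2C 46 3C C4|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5058; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47352; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG heap overflow attempt"; flow:to_server,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; depth:10; content:"|01 0E 00 02|"; distance:0; content:!"|00|"; within:1; metadata:service smtp; reference:cve,2018-5058; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47351; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG heap overflow attempt"; flow:to_client,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; depth:10; content:"|01 0E 00 02|"; distance:0; content:!"|00|"; within:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5058; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47350; rev:1;)
# CVE-2018-5033: sample blob, no file-type gate.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"|EE 23 7B 91 07 13 9D 8F EA 81 73 E9 8A 63 96 7C B9 F9 8E BB A1 BA 62 24 30 C3 BF AC 67 E5 EA 29|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5033; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47344; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"|EE 23 7B 91 07 13 9D 8F EA 81 73 E9 8A 63 96 7C B9 F9 8E BB A1 BA 62 24 30 C3 BF AC 67 E5 EA 29|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5033; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47343; rev:1;)
# sids 47331-47328 (CVE-2018-12864 / CVE-2018-5044): same TIFF walk as above
# (and the same 4D 4D 00 0A caveat), looking for an ImageLength tag (0x0101,
# SHORT, count 1) with value 1. No explicit fast_pattern, so Snort uses the
# longest content -- the 10-byte tag pattern -- as the prefilter.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt"; flow:to_server,established; file_data; content:"|4D 4D 00 0A|"; depth:4; byte_extract:4,0,IFDoffset,relative; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,from_beginning; byte_extract:2,0,numentries,multiplier 12,relative; content:"|01 01 00 03 00 00 00 01 00 01|"; within:numentries; metadata:service smtp; reference:cve,2018-12864; reference:cve,2018-5044; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47331; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt"; flow:to_server,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_extract:4,0,IFDoffset,relative,little; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,little,from_beginning; byte_extract:2,0,numentries,multiplier 12,little,relative; content:"|01 01 03 00 01 00 00 00 01 00|"; within:numentries; metadata:service smtp; reference:cve,2018-12864; reference:cve,2018-5044; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47330; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt"; flow:to_client,established; file_data; content:"|4D 4D 00 0A|"; depth:4; byte_extract:4,0,IFDoffset,relative; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,from_beginning; byte_extract:2,0,numentries,multiplier 12,relative; content:"|01 01 00 03 00 00 00 01 00 01|"; within:numentries; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12864; reference:cve,2018-5044; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47329; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_extract:4,0,IFDoffset,relative,little; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,little,from_beginning; byte_extract:2,0,numentries,multiplier 12,little,relative; content:"|01 01 03 00 01 00 00 00 01 00|"; within:numentries; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12864; reference:cve,2018-5044; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47328; rev:2;)
# CEL out-of-bounds read (CVE-2018-5046): sample blob.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt"; flow:to_server,established; file_data; content:"|04 0A 00 0A FF 0D 00 04 FF 04 0B 00 09 FF 0C 00 05 FF 04 0C 00 08 FF 0C 00 05 FF 04 0D 00 08 FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5046; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47315; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt"; flow:to_client,established; file_data; content:"|04 0A 00 0A FF 0D 00 04 FF 04 0B 00 09 FF 0C 00 05 FF 04 0C 00 08 FF 0C 00 05 FF 04 0D 00 08 FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5046; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47314; rev:1;)
# JPEG APP13 / Photoshop IRB (CVE-2018-5029): JFIF header, an APP13 marker
# (FF ED) whose 2-byte length bounds the search for "8BIM|04 25|", then the
# byte 2 past that must not be 0x00.
# sid 47313 FIX: added "fast_pattern;" on "8BIM|04 25|" to match its twin
# 47312. Without it Snort takes the longest content as the prefilter -- the
# 10-byte JFIF header that every JPEG starts with -- so the whole rule was
# being evaluated on every JPEG seen on SMTP. rev 1 -> 2.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; content:"|FF ED|"; distance:0; byte_extract:2,0,app13_size,relative; content:"8BIM|04 25|"; within:app13_size; fast_pattern; content:!"|00|"; within:1; distance:2; metadata:service smtp; reference:cve,2018-5029; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47313; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; content:"|FF ED|"; distance:0; byte_extract:2,0,app13_size,relative; content:"8BIM|04 25|"; within:app13_size; fast_pattern; content:!"|00|"; within:1; distance:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5029; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47312; rev:1;)
# GIF (CVE-2018-5050): sample blob gated on file.gif.
# sids 47248/47247 FIX: the reference option read
# "reference:url,reference:url,helpx..." (doubled prefix), which yields a
# broken link in alert output. Fixed; rev 2 -> 3.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|00 2C 00 00 00 00 20 00 20 00 80 02 71 9C 8F A9 CB 8D 00 0C 8C AE|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5050; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47248; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|00 2C 00 00 00 00 20 00 20 00 80 02 71 9C 8F A9 CB 8D 00 0C 8C AE|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5050; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47247; rev:3;)
# EmfPlusDrawImagePoints heap overflow (CVE-2018-5032): enabled by default,
# gated on file.emf -- so it also depends on the file.emf setter being on.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EmfPlusDrawImagePoints heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|00 00 80 B3 FF FF 69 43 00 00 80 B3 00 00 80 B3 FF FF 85 42 21 00 00 00 08 00 00 00 62 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5032; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47211; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EmfPlusDrawImagePoints heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|00 00 80 B3 FF FF 69 43 00 00 80 B3 00 00 80 B3 FF FF 85 42 21 00 00 00 08 00 00 00 62 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5032; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47210; rev:1;)
# QuickTime FPX (CVE-2016-1767): sample blob; classtype attempted-admin,
# unlike the attempted-user used by the Acrobat rules around it.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_server,established; file_data; content:"|ED 9F 5E D5 83 3A 22 9A 57 24 8E 32 AB B9 93 A1 E3 FC 2A 1B 26 FC C5 8F 33 CC 5D BC 06 03 B0 FC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1767; classtype:attempted-admin; sid:47174; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_client,established; file_data; content:"|ED 9F 5E D5 83 3A 22 9A 57 24 8E 32 AB B9 93 A1 E3 FC 2A 1B 26 FC C5 8F 33 CC 5D BC 06 03 B0 FC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1767; classtype:attempted-admin; sid:47173; rev:1;)
# JP2 (CVE-2018-12790): sample blob ("res " / "resd" box headers visible).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|00 00 00 00 18 72 65 73 20 00 00 00 10 72 65 73 64 24 49 80 00 24 49 80 00 04 04 82 97 D0 25 48|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-12790; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47158; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 18 72 65 73 20 00 00 00 10 72 65 73 64 24 49 80 00 24 49 80 00 04 04 82 97 D0 25 48|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12790; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47157; rev:1;)
# CEL heap overflow (CVE-2018-5052): sample blob; overlaps in content with
# the CEL OOB-read blob above (47315/47314), so both may fire on one file.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CEL heap overflow attempt"; flow:to_server,established; file_data; content:"|20 01 00 00 0F 00 04 0A 00 0A FF 0D 00 ED FF 04 0B 00 09 FF 0C 00 05 FF 04 0C 00 08 FF 0C 00 05|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5052; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47130; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CEL heap overflow attempt"; flow:to_client,established; file_data; content:"|20 01 00 00 0F 00 04 0A 00 0A FF 0D 00 ED FF 04 0B 00 09 FF 0C 00 05 FF 04 0C 00 08 FF 0C 00 05|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5052; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47129; rev:1;)
# JPEG Huffman table (CVE-2018-5060): enabled by default; blob spans the SOS
# marker (FF DA) and the first scan bytes of the sample.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro JPEG Huffman table memory corruption attempt"; flow:to_server,established; file_data; content:"|A7 B7 C7 FF DA 00 0C 03 01 00 02 11 03 11 00 3F 00 E4 92 49 25 A4 E2 A9 24 92 49 4A 49 24 92 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5060; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48220; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro JPEG Huffman table memory corruption attempt"; flow:to_client,established; file_data; content:"|A7 B7 C7 FF DA 00 0C 03 01 00 02 11 03 11 00 3F 00 E4 92 49 25 A4 E2 A9 24 92 49 4A 49 24 92 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5060; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48219; rev:1;)
# Windows Graphics WMF (CVE-2018-8553): enabled by default; sample blob with
# no file.wmf gate.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Graphics component WMF code execution attempt"; flow:to_server,established; file_data; content:"|42 C6 D2 F2 13 96 A2 AE CE DA FB 7E 8A 96 B6 D7 5B 7B 9C BC 2B 4C 57 78 98 07 13 34 54 4B 6C EF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8553; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8553; classtype:attempted-user; sid:48375; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Graphics component WMF code execution attempt"; flow:to_client,established; file_data; content:"|42 C6 D2 F2 13 96 A2 AE CE DA FB 7E 8A 96 B6 D7 5B 7B 9C BC 2B 4C 57 78 98 07 13 34 54 4B 6C EF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8553; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8553; classtype:attempted-user; sid:48374; rev:1;)
# ImageMagick XBM (CVE-2018-16323), HTTP upload direction.
# sid 48937 FIX (rev 1 -> 2):
#  * "[8-F][0-F]{7}" is not a hex-digit class: the ASCII range 0-F also
#    spans ":;<=>?@", so "0x8:;<=>?@" would match. Tightened to
#    "[89A-F][0-9A-F]{7}"; /i still accepts lower case.
#  * msg typo "tranformation" corrected.
# Left as-is on purpose: the literal is NOT anchored to the _width/_height
# defines, because per the CVE description the trigger is a negative pixel
# value in the bits array -- any 8-hex-digit literal with the top bit set.
# Caveat: the three content matches sit in file_data while the pcre uses /P
# (http_client_body). Confirm that your Snort version populates file_data for
# to_server HTTP request bodies; if it does not, these contents need
# "http_client_body" instead.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-IMAGE Imagemagick XBM transformation information leak attempt"; flow:to_server,established; file_data; content:"_width"; content:"_height"; content:"_bits"; pcre:"/0x[89A-F][0-9A-F]{7}/iP"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-16323; classtype:attempted-recon; sid:48937; rev:2;)
# Acrobat TGA heap overflow (CVE-2018-5045), sids 48936 downward: per the TGA
# header layout byte 1 is the colour-map type, byte 2 the image type and
# bytes 14-15 the image height; each rule pins one (cmap, type) pair together
# with height == 0. SMTP-only (no client-download twins) and "only_stream",
# i.e. evaluated on reassembled stream data only. The near-identical sids are
# left unfolded so per-sid thresholds/suppressions keep working.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 0B|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48936; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 0A|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48935; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 09|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48934; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 03|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48933; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 02|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48932; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 01|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48931; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 00|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48930; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 0B|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48929; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 0A|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48928; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 09|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48927; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 03|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; 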
reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48926; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 02|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48925; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 01|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48924; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 00|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48923; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 0B|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48922; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe 
Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 0A|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48921; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 09|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48920; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 03|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48919; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 02|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48918; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap 
overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 01|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48917; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 00|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48916; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 0B|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48915; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 0A|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48914; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; 
flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 09|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48913; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 03|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48912; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 02|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48911; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 01|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48910; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; 
flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 00|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48909; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.tiff.big; content:"|FF FF FF FF|"; fast_pattern; byte_test:2,>=,0xfe,-8,relative,big; byte_test:2,<=,0x214,-8,relative,big; byte_test:2,>=,1,-6,relative,big; byte_test:2,<=,0xc,-6,relative,big; metadata:service smtp; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; classtype:attempted-user; sid:49125; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tiff.big; content:"|FF FF FF FF|"; fast_pattern; byte_test:2,>=,0xfe,-8,relative,big; byte_test:2,<=,0x214,-8,relative,big; byte_test:2,>=,1,-6,relative,big; byte_test:2,<=,0xc,-6,relative,big; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; classtype:attempted-user; sid:49124; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.tiff.little; content:"|00 FF FF FF FF|"; fast_pattern; byte_test:2,>=,0xfe,-8,relative,little; byte_test:2,<=,0x214,-8,relative,little; byte_test:2,>=,1,-6,relative,little; byte_test:2,<=,0xc,-6,relative,little; metadata:service smtp; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; 
classtype:attempted-user; sid:49123; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tiff.little; content:"|00 FF FF FF FF|"; fast_pattern; byte_test:2,>=,0xfe,-8,relative,little; byte_test:2,<=,0x214,-8,relative,little; byte_test:2,>=,1,-6,relative,little; byte_test:2,<=,0xc,-6,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; classtype:attempted-user; sid:49122; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_extract:4,0,bm_width,relative,little; content:"|08 00 01 00 00 00|"; within:6; distance:6; byte_jump:4,10,little,from_beginning; byte_test:1,>,bm_width,0,relative; metadata:service smtp; reference:cve,2013-3663; classtype:attempted-user; sid:49576; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_extract:4,0,bm_width,relative,little; content:"|08 00 01 00 00 00|"; within:6; distance:6; byte_jump:4,10,little,from_beginning; byte_test:1,>,bm_width,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3663; classtype:attempted-user; sid:49575; rev:1;)