# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------------
# BROWSER-CHROME RULES
#----------------------

# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome net-internals uri fragment identifier XSS attempt"; flow:established,to_client; file_data; content:"chrome://net-internals/view-cache/"; nocase; pcre:"/^\x23([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/iR"; metadata:service http; reference:bugtraq,39667; reference:cve,2010-1503; reference:url,code.google.com/p/chromium/issues/detail?id=40137; classtype:attempted-user; sid:23471; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome https spoofing attempt"; flow:to_client,established; file_data; content:"view|2D|source"; nocase; content:"http|3A 2F 2F|"; distance:1; content:"url|3D|https"; distance:0; pcre:"/view\x2Dsource\x3Ahttp\x3A\x2F\x2F[^\x3B]*?url\x3Dhttps/smi"; metadata:service http; reference:url,blog.acrossecurity.com/2012/01/google-chrome-https-address-bar.html; classtype:attempted-recon; sid:21166; rev:3;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome FTP handling out-of-bounds array index denial of service attempt"; flow:to_client,established; content:"|22 22|"; pcre:"/^2\d{2}[^\n]*?\x22{2}/"; metadata:service ftp; reference:bugtraq,39183; classtype:attempted-dos; sid:16795; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome and Apple Safari Ruby before and after memory corruption"; flow:to_client,established; file_data; content:"<ruby>"; fast_pattern:only; content:"ruby|3A|"; pcre:"/ruby\s*{\s*float\x3a.*?ruby\x3a(before|after).*?(display\x3atable|counter-reset\x3a)/si"; metadata:service http; reference:cve,2011-1440; classtype:attempted-user; sid:29755; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome FileSystemObject clsid access"; flow:to_client,established; file_data; content:"clsid:0D43FE01-F093-11CF-8940-00A0C9054228"; fast_pattern:only; metadata:service http; reference:bugtraq,36947; reference:cve,2009-3934; classtype:attempted-user; sid:21446; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome XSSAuditor filter security policy bypass attempt"; flow:to_client,established; file_data; content:"<iframe"; nocase; content:"srcdoc"; within:20; nocase; content:"<script>"; within:10; nocase; pcre:"/<iframe[^>]*?srcdoc\s?=\s?[\x22\x27]<script>/smi"; metadata:service http; reference:bugtraq,65066; reference:url,blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-chrome.html; reference:url,googlechromereleases.blogspot.ca/2014/01/stable-channel-update.html; reference:url,trac.webkit.org/changeset/158676; classtype:attempted-user; sid:30252; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt"; flow:to_server,established; file_data; content:"<embed "; nocase; content:"application/pdf"; within:125; nocase; content:".addEventListener"; nocase; content:".innerHTML"; nocase; content:".reload("; nocase; content:"fromCharCode"; fast_pattern:only; pcre:"/\.innerHTML\s*?\x3d\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:service smtp; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31599; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt"; flow:to_server,established; file_data; content:"<object "; nocase; content:"application/pdf"; within:125; nocase; content:".addEventListener"; nocase; content:".innerHTML"; nocase; content:".reload("; nocase; content:"fromCharCode"; fast_pattern:only; pcre:"/\.innerHTML\s*?\x3d\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:service smtp; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31598; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt"; flow:to_server,established; file_data; content:"<embed|20|"; content:"application/pdf"; within:100; content:".addEventListener|28|"; distance:0; content:"DOMContentLoaded"; within:20; fast_pattern; content:".reload|28|"; within:200; metadata:service smtp; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31597; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt"; flow:to_client,established; file_data; content:"<embed|20|"; content:"application/pdf"; within:100; content:".addEventListener|28|"; distance:0; content:"DOMContentLoaded"; within:20; fast_pattern; content:".reload|28|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31596; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt"; flow:to_server,established; file_data; content:"<object|20|"; content:"application/pdf"; within:100; content:".addEventListener|28|"; distance:0; content:"DOMContentLoaded"; within:20; fast_pattern; content:".reload|28|"; within:200; metadata:service smtp; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31595; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt"; flow:to_client,established; file_data; content:"<object|20|"; content:"application/pdf"; within:100; content:".addEventListener|28|"; distance:0; content:"DOMContentLoaded"; within:20; fast_pattern; content:".reload|28|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31594; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt"; flow:to_server,established; file_data; content:"if (i<50) document.getElementById(|22|iframeSpecial|22|).contentDocument.location = o"; fast_pattern:only; metadata:service smtp; reference:bugtraq,66243; reference:cve,2014-1713; reference:url,code.google.com/p/chromium/issues/detail?id=352374; classtype:attempted-user; sid:32320; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt"; flow:to_client,established; file_data; content:"if (i<50) document.getElementById(|22|iframeSpecial|22|).contentDocument.location = o"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,66243; reference:cve,2014-1713; reference:url,code.google.com/p/chromium/issues/detail?id=352374; classtype:attempted-user; sid:32319; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt"; flow:to_client,established; file_data; content:"<object "; nocase; content:"application/pdf"; within:125; nocase; content:".addEventListener"; nocase; content:".innerHTML"; nocase; content:".reload("; nocase; content:"fromCharCode"; fast_pattern:only; pcre:"/\.innerHTML\s*?\x3d\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:33662; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt"; flow:to_client,established; file_data; content:"<embed "; nocase; content:"application/pdf"; within:125; nocase; content:".addEventListener"; nocase; content:".innerHTML"; nocase; content:".reload("; nocase; content:"fromCharCode"; fast_pattern:only; pcre:"/\.innerHTML\s*?\x3d\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:33661; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-CHROME Google Chrome Pepper Flash same-origin-policy bypass attempt"; flow:to_server,established; content:"X-Requested-With: ShockwaveFlash/"; fast_pattern:only; http_header; content:"Referer: "; http_header; content:"Content-Type: multipart/form-data"; http_header; content:"User-Agent: "; http_header; content:"Chrome/"; distance:0; http_header; metadata:service http; reference:cve,2015-0337; classtype:misc-attack; sid:33962; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome and Apple Safari runin handling use after free attempt"; flow:to_client,established; file_data; content:"display: run-in|3B|"; content:"display: inline-table|3B|"; distance:0; content:"document.execCommand('removeFormat')|3B|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3068; classtype:attempted-user; sid:23015; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome FileSystemObject function call"; flow:to_client,established; file_data; content:"Scripting.FileSystemObject"; fast_pattern:only; content:"<script"; nocase; content:"Scripting.FileSystemObject"; distance:0; nocase; content:"</script>"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36947; reference:cve,2009-3931; classtype:attempted-user; sid:21447; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome and Apple Safari Ruby before and after memory corruption"; flow:to_client,established; file_data; content:"<ruby>"; fast_pattern:only; content:"ruby|3A|"; pcre:"/(before|after).*?((display\x3atable|counter-reset\x3a)|(counter-reset\x3a|display\x3atable)).*?ruby\s*{\s*float\x3a/siR"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1440; classtype:attempted-user; sid:20579; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome float rendering corruption attempt"; flow:to_client,established; file_data; content:"display: list-item"; content:"display: -webkit-inline-box"; fast_pattern:only; content:"removeChild|28|"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1804; classtype:attempted-user; sid:19710; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Uninitialized bug_report Pointer Code Execution"; flow:to_client,established; flowbits:isset,file.crx; file_data; content:"|43 72 32 34|"; content:"|95 78 B9 6A 79 B9 00 50 4B 01 02 00 00 14 00 00|"; distance:664; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45788; reference:cve,2011-0470; reference:cve,2011-0471; reference:cve,2011-0472; reference:cve,2011-0473; reference:cve,2011-0474; reference:cve,2011-0475; reference:cve,2011-0476; reference:cve,2011-0477; reference:cve,2011-0478; reference:cve,2011-0479; reference:cve,2011-0480; reference:cve,2011-0481; reference:cve,2011-0482; reference:cve,2011-0483; reference:cve,2011-0484; reference:cve,2011-0485; classtype:attempted-user; sid:19217; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Uninitialized bug_report Pointer Code Execution"; flow:to_client,established; flowbits:isset,file.crx; file_data; content:"|43 72 32 34|"; content:"|07 2A 6F D1 6B B6 E8 CB A4 A9 C4 9C 67 42 1C FE|"; within:16; distance:537; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45788; reference:cve,2011-0470; reference:cve,2011-0471; reference:cve,2011-0472; reference:cve,2011-0473; reference:cve,2011-0474; reference:cve,2011-0475; reference:cve,2011-0476; reference:cve,2011-0477; reference:cve,2011-0478; reference:cve,2011-0479; reference:cve,2011-0480; reference:cve,2011-0481; reference:cve,2011-0482; reference:cve,2011-0483; reference:cve,2011-0484; reference:cve,2011-0485; classtype:attempted-user; sid:19216; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Apple Safari/Google Chrome Webkit memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|dialog|20|style|3D 27|position|3A|relative|27 3E|"; fast_pattern:only; content:"|3C|h|20|style|3D 27|outline|2D|style|3A|auto|27 3E|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43078; reference:cve,2010-1813; classtype:attempted-user; sid:19005; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt"; flow:to_client,established; file_data; content:"|3C|iframe"; nocase; content:"src=|22|http|3A 2F 2F|www.google.ca|2F|language_tools?hl=en|22|"; within:100; nocase; content:"window.open|28 27|"; within:500; content:"alert|28|document.cookie|29 27|"; within:75; pcre:"/window\.open\x28\x27[\w\W]{0,35}\x3aalert\x28document\.cookie\x29\x27/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16668; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt"; flow:to_client,established; file_data; content:"|3C|iframe"; nocase; content:"src=|22|https|3A 2F 2F|www.google.com|2F|accounts|2F|ManageAccount?hl=fr|22|"; within:100; nocase; content:"window.open|28 27|"; within:500; content:"alert|28|document.cookie|29 27|"; within:75; pcre:"/window\.open\x28\x27[\w\W]{0,35}\x3aalert\x28document\.cookie\x29\x27/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16667; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BROWSER-CHROME Google Chrome xssauditor policy bypass command injection attempt"; flow:to_server,established; content:"<svg>"; fast_pattern:only; http_uri; content:"<script>"; http_uri; content:"/<"; distance:0; http_uri; metadata:service http, service ssl; reference:url,codereview.chromium.org/1187843005/; reference:url,vulnerable.info/browsers/bypassing-chromes-anti-xss-filter/; classtype:attempted-user; sid:35412; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BROWSER-CHROME Google Chrome XSSAuditor Policy ByPass command injection attempt"; flow:to_server,established; content:"%3Csvg%3E%"; fast_pattern:only; http_client_body; content:"%3Cscript%3E"; http_client_body; pcre:"/(%2F|\/|\x2f)(%3c|\x3c|\<)/i"; metadata:service http, service ssl; reference:url,codereview.chromium.org/1187843005/; reference:url,vulnerable.info/browsers/bypassing-chromes-anti-xss-filter/; classtype:attempted-user; sid:35411; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt"; flow:to_server,established; file_data; content:"document.createElement"; nocase; content:"embed"; within:50; nocase; content:".type"; within:50; nocase; content:"application/x-google-chrome-pdf"; within:60; nocase; content:"addEventListener"; within:200; nocase; content:".postMessage"; within:200; nocase; content:"event.data.selectedText"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1302; reference:url,code.google.com/p/chromium/issues/detail?id=520422; classtype:misc-attack; sid:37327; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt"; flow:to_client,established; file_data; content:"document.createElement"; nocase; content:"embed"; within:50; nocase; content:".type"; within:50; nocase; content:"application/x-google-chrome-pdf"; within:60; nocase; content:"addEventListener"; within:200; nocase; content:".postMessage"; within:200; nocase; content:"event.data.selectedText"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1302; reference:url,code.google.com/p/chromium/issues/detail?id=520422; classtype:misc-attack; sid:37326; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome same origin policy bypass attempt"; flow:to_client,established; file_data; content:"contentWindow.onunload"; nocase; content:".src"; within:75; nocase; content:"javascript|3A|"; within:50; nocase; content:"<script>"; within:75; nocase; content:"XMLHttpRequest"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6768; classtype:policy-violation; sid:37325; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt"; flow:to_server,established; file_data; content:"<!--"; content:"saved from url=("; within:50; nocase; content:"--"; within:50; content:"--"; within:50; pcre:"/<!--[^>]+saved from url=\x28[^>\x20]+--[^>]+--/i"; metadata:service smtp; reference:cve,2015-6784; classtype:attempted-dos; sid:37311; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt"; flow:to_client,established; file_data; content:"<!--"; content:"saved from url=("; within:50; nocase; content:"--"; within:50; content:"--"; within:50; pcre:"/<!--[^>]+saved from url=\x28[^>\x20]+--[^>]+--/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6784; classtype:attempted-dos; sid:37310; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_server,established; file_data; content:"createImageData"; content:"createImageBitmap"; fast_pattern:only; pcre:"/createImageBitmap\x28[^\x29]*?(\d{5}|0x\d{4})/s"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5182; classtype:attempted-admin; sid:43118; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_client,established; file_data; content:"createImageData"; content:"createImageBitmap"; fast_pattern:only; pcre:"/createImageBitmap\x28[^\x29]*?(\d{5}|0x\d{4})/s"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5182; classtype:attempted-admin; sid:43117; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome V8 engine integer overflow attempt"; flow:to_server,established; file_data; content:".getImageData"; fast_pattern:only; content:".__proto__"; content:".length"; content:"Array"; content:".concat("; isdataat:1000,relative; content:!")"; within:1000; metadata:service smtp; reference:url,securityfocus.com/bid/36149/info; classtype:attempted-admin; sid:43956; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome V8 engine integer overflow attempt"; flow:to_client,established; file_data; content:".getImageData"; fast_pattern:only; content:".__proto__"; content:".length"; content:"Array"; content:".concat("; isdataat:1000,relative; content:!")"; within:1000; metadata:service ftp-data, service http, service imap, service pop3; reference:url,securityfocus.com/bid/36149/info; classtype:attempted-admin; sid:43955; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_client,established; file_data; content:"imageData.data[i] = 0xFF|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5182; classtype:attempted-admin; sid:45767; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_server,established; file_data; content:"imageData.data[i] = 0xFF|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-5182; classtype:attempted-admin; sid:45766; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_server,established; file_data; content:"imageData.data[i] = 0x41|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-5182; classtype:attempted-admin; sid:45765; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_server,established; file_data; content:"imgData.data[i] = 0x41|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-5182; classtype:attempted-admin; sid:45764; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_client,established; file_data; content:"imgData.data[i] = 0xFF|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5182; classtype:attempted-admin; sid:45763; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_client,established; file_data; content:"imgData.data[i] = 0x41|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5182; classtype:attempted-admin; sid:45762; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_client,established; file_data; content:"imageData.data[i] = 0x41|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5182; classtype:attempted-admin; sid:45761; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_server,established; file_data; content:"imgData.data[i] = 0xFF|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-5182; classtype:attempted-admin; sid:45760; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Crankshaft type confusion attempt"; flow:to_server,established; file_data; content:"() {eval(|27|var"; content:"[i][0] ="; distance:0; content:"e-311|3B|"; within:75; metadata:service smtp; reference:cve,2017-5070; classtype:attempted-user; sid:46978; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Crankshaft type confusion attempt"; flow:to_client,established; file_data; content:"() {eval(|27|var"; content:"[i][0] ="; distance:0; content:"e-311|3B|"; within:75; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-5070; classtype:attempted-user; sid:46977; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Crankshaft type confusion attempt"; flow:to_client,established; file_data; content:"function carry_me_plz(arr,obj)"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-5070; classtype:attempted-user; sid:46976; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Crankshaft type confusion attempt"; flow:to_server,established; file_data; content:"function carry_me_plz(arr,obj)"; fast_pattern:only; metadata:service smtp; reference:cve,2017-5070; classtype:attempted-user; sid:46975; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt"; flow:to_server,established; file_data; content:"new ArrayBuffer("; content:"__defineGetter__("; within:40; content:"return 0xffff"; distance:0; fast_pattern; nocase; metadata:service smtp; reference:cve,2014-1705; classtype:attempted-user; sid:47019; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt"; flow:to_client,established; file_data; content:"new ArrayBuffer("; content:"__defineGetter__("; within:40; content:"return 0xffff"; distance:0; fast_pattern; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1705; classtype:attempted-user; sid:47018; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome FileReader use after free attempt"; flow:to_client,established; file_data; content:"FileReader|28|"; nocase; content:"Blob|28|"; within:200; fast_pattern; nocase; content:".result"; within:200; nocase; content:"readAsArrayBuffer|28|"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,107213; reference:cve,2019-5786; reference:url,chromium-review.googlesource.com/c/chromium/src/+/1495209; classtype:attempted-user; sid:49361; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome FileReader use after free attempt"; flow:to_server,established; file_data; content:"FileReader|28|"; nocase; content:"Blob|28|"; within:200; fast_pattern; nocase; content:".result"; within:300; nocase; content:"readAsArrayBuffer|28|"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,107213; reference:cve,2019-5786; reference:url,chromium-review.googlesource.com/c/chromium/src/+/1495209; classtype:attempted-user; sid:49360; rev:1;)